SecurityPolicyDsc
A wrapper around secedit.exe to allow you to configure local security policies. This resource requires a Windows OS with secedit.exe.
Code of Conduct
This project has adopted this Code of Conduct.
Releases
For each merge to the branch master a preview release will be
deployed to PowerShell Gallery.
Periodically a release version tag will be pushed which will deploy a
full release to PowerShell Gallery.
Contributing
Please check out common DSC Community contributing guidelines.
Change log
A full list of changes in each version can be found in the change log.
Resources
- AccountPolicy: Configures the policies under the Account Policy node in local security policies.
- SecurityOption: Configures the policies under the Security Options node in local security policies.
- SecurityTemplate: Configures user rights assignments that are defined in an INF file.
- UserRightsAssignment: Configures user rights assignments in local security policies.
AccountPolicy
For further explanation of these settings, please consult Account Policies Reference.
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Name | Key | String | A unique name of the AccountPolicy resource instance. This is not used during configuration. | |
| Enforce_password_history | Write | Uint32 | Specifies the number of unique new passwords that must be associated with a user account before an old password can be reused. A number from 0 through 24 can be specified | |
| Maximum_Password_Age | Write | Uint32 | Specifies the period of time (in days) that a password can be used before the system requires the user to change it. A number from 0 through 999 can be specified, with 0 meaning the password will never expire | |
| Minimum_Password_Age | Write | Uint32 | Specifies the period of time (in days) that a password must be used before the user can change it. A number from 0 to 998 can be specified | |
| Minimum_Password_Length | Write | Uint32 | Specifies the least number of characters that can make up a password for a user account. A number from 0 to 14 can be specified | |
| Password_mustmeet complexity_requirements | Write | String | Specifies whether passwords must meet a series of guidelines that are considered important for a strong password | Enabled, Disabled |
| Store_passwordsusing reversible_encryption | Write | String | Specifies whether passwords are stored in a way that is reversible to provides support for applications that use protocols that require the user's password for authentication | Enabled, Disabled |
| Account_lockout_duration | Write | Uint32 | Specifies the number of minutes that a locked-out account remains locked out before automatically becoming unlocked. A number from 1 through 99,999 can be specified | |
| Account_lockout_threshold | Write | Uint32 | Specifies the number of failed sign-in attempts that will cause a user account to be locked | |
| Reset_accountlockout counter_after | Write | Uint32 | Specifies the number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0 |
Note: The below settings pertain to Kerberos policies and must be set by a member in the domain admins group.
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Enforce_userlogon restrictions | Write | String | Specifies whether the Kerberos V5 Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the user account | Enabled, Disabled |
| Maximumlifetime for_service_ticket | Write | Uint32 | Specifies the maximum number of minutes that a granted session ticket can be used to access a particular service. A number from 10 to the value of the 'Maximum lifetime for service ticket' policy setting can be specified | |
| Maximumlifetime for_user_ticket | Write | Uint32 | Specifies the maximum amount of time (in hours) that a user's ticket-granting ticket can be used. A number from 0 to 99,999 can be specified | |
| Maximumlifetime for_userticket renewal | Write | Uint32 | Specifies the period of time (in days) during which a user's ticket-granting ticket can be renewed. A number from 0 to 99,999 can be specified | |
| Maximumtolerance for_computerclock synchronization | Write | Uint32 | Specifies the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller that provides Kerberos authentication |
SecurityOption
For further explanation of these settings, please consult Security Options Reference.
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Name | Key | String | Describes the security option to be managed. This could be anything as long as it is unique | |
| AccountsAdministrator account_status | Write | String | Determines whether the local Administrator account is enabled or disabled | Enabled, Disabled |
| AccountsBlock Microsoft_accounts | Write | String | Prevents using the Settings app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. | This policy is disabled, Users cant add Microsoft accounts, Users cant add or log on with Microsoft accounts |
| AccountsGuest account_status | Write | String | Determines whether the Guest account is enabled or disabled | Enabled, Disabled |
| Accounts_Limitlocal account_use_ofblank passwords_toconsole logon_only | Write | String | Determines whether remote interactive logons by network services such as Remote Desktop Services, Telnet, and File Transfer Protocol (FTP) are allowed for local accounts that have blank passwords | Enabled, Disabled |
| AccountsRename administrator_account | Write | String | Determines whether a different account name is associated with the security identifier (SID) for the administrator account | |
| AccountsRename guest_account | Write | String | Determines whether a different account name is associated with the security identifier (SID) for the Guest account | |
| Audit_Auditthe access_ofglobal system_objects | Write | String | If you enable this policy setting, a default system access control list (SACL) is applied when the device creates system objects such as mutexes, events, semaphores, and MS-DOS devices. If you also enable the Audit object access audit setting, access to these system objects is audited | Enabled, Disabled |
| Audit_Auditthe use_of_Backupand Restore_privilege | Write | String | Determines whether to audit the use of all user rights, including Backup and Restore, when the Audit privilege use policy setting is configured | Enabled, Disabled |
| Audit_Forceaudit policysubcategory settingsWindows Vista_or_laterto override_auditpolicy category_settings | Write | String | Allows you to manage your audit policy in a more precise way by using audit policy subcategories | Enabled, Disabled |
| Audit_Shutdown systemimmediately if_unable_tolog security_audits | Write | String | Determines whether the system shuts down if it is unable to log security events | Enabled, Disabled |
| DCOM_MachineAccess Restrictionsin SecurityDescriptor DefinitionLanguage SDDL_syntax | Write | String | Allows you to define additional computer-wide controls that govern access to all Distributed Component Object Model (DCOM) based applications on a device | |
| DCOM_MachineLaunch Restrictionsin SecurityDescriptor DefinitionLanguage SDDL_syntax | Write | String | Allows you to define additional computer-wide controls that govern access to all DCOM based applications on a device. However, the ACLs that are specified in this policy setting control local and remote COM launch requests (not access requests) on the device | |
| Devices_Allowundock without_havingto log_on | Write | String | Enables or disables the ability of a user to remove a portable device from a docking station without logging on | Enabled, Disabled |
| Devices_Allowedto format_andeject removable_media | Write | String | Determines who is allowed to format and eject removable media. | Administrators, Administrators and Power Users, Administrators and Interactive Users |
| DevicesPrevent users_frominstalling printer_drivers | Write | String | Determines who can install a printer driver as part of adding a network printer | Enabled, Disabled |
| DevicesRestrict CD_ROM_accessto locally_loggedon user_only | Write | String | Determines whether a CD is accessible to local and remote users simultaneously | Enabled, Disabled |
| DevicesRestrict floppy_accessto locally_loggedon user_only | Write | String | Determines whether removable floppy disks are accessible to local and remote users simultaneously | Enabled, Disabled |
| Domaincontroller Allow_serveroperators to_schedule_tasks | Write | String | Determines whether server operators can use the 'at' command to submit jobs. | Enabled, Disabled |
| Domaincontroller LDAPserver signing_requirements | Write | String | Determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing | None, Require Signing |
| Domaincontroller Refusemachine accountpassword changes | Write | String | Enables or disables blocking a domain controller from accepting password change requests for machine accounts | Enabled, Disabled |
| Domainmember Digitallyencrypt or_signsecure channel_data_always | Write | String | Determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted | Enabled, Disabled |
| Domainmember Digitallyencrypt secure_channeldata when_possible | Write | String | Determines whether all secure channel traffic that is initiated by the domain member must be encrypted | Enabled, Disabled |
| Domainmember Digitallysign secure_channeldata when_possible | Write | String | Determines whether all secure channel traffic that is initiated by the domain member must be signed | Enabled, Disabled |
| Domainmember Disablemachine accountpassword changes | Write | String | Determines whether a domain member periodically changes its machine account password | Enabled, Disabled |
| Domainmember Maximummachine account_password_age | Write | String | Determines when a domain member submits a password change | |
| Domainmember Requirestrong Windows_2000or later_session_key | Write | String | Determines whether a secure channel can be established with a domain controller that is not capable of encrypting secure channel traffic with a strong, 128-bit session key | Enabled, Disabled |
| Interactivelogon Displayuser informationwhen the_session_is_locked | Write | String | Controls whether details such as email address or domain\username appear with the username on the sign-in screen | User displayname, domain and user names, User display name only, Do not display user information |
| Interactivelogon Do_notdisplay last_user_name | Write | String | Determines whether the name of the last user to log on to the device is displayed on the Secure Desktop | Enabled, Disabled |
| Interactivelogon Do_notrequire CTRL_ALT_DEL | Write | String | Determines whether pressing CTRL+ALT+DEL is required before a user can log on | Enabled, Disabled |
| Interactivelogon Machineaccount lockout_threshold | Write | String | Allows you to set a threshold for the number of failed logon attempts that causes the device to be locked by using BitLocker | |
| Interactivelogon Machine_inactivity_limit | Write | String | Specifies the amount of inactive time before the user's session locks by invoking the screen saver | |
| Interactivelogon Message_textfor usersattempting to_log_on | Write | String | Specifies a text message to be displayed to users when they log on | |
| Interactivelogon Message_titlefor usersattempting to_log_on | Write | String | Specifies a message title to be displayed to users when they log on | |
| Interactivelogon Number_ofprevious logons_to_cachein case_domaincontroller is_not_available | Write | String | Determines whether a user can log on to a Windows domain by using cached account information | |
| Interactivelogon Prompt_userto changepassword before_expiration | Write | String | Determines how many days in advance users are warned that their passwords are about to expire | |
| Interactivelogon RequireDomain Controller_ authenticationto unlock_workstation | Write | String | Determines whether it is necessary to contact a domain controller to unlock a device | Enabled, Disabled |
| Interactivelogon Require_smart_card | Write | String | Requires users to log on to a device by using a smart card | Enabled, Disabled |
| Interactivelogon Smart_cardremoval behavior | Write | String | Determines what happens when the smart card for a logged-on user is removed from the smart card reader | No Action, Lock workstation, Force logoff, Disconnect if a remote Remote Desktop Services session |
| Microsoftnetwork clientDigitally signcommunications always | Write | String | If this policy setting is enabled, SMBv2 clients will digitally sign all packets | Enabled, Disabled |
| Microsoftnetwork client_Digitallysign communicationsif server_agrees | Write | String | If this policy setting is enabled, SMBv2 clients will digitally sign all packets if the server agrees | Enabled, Disabled |
| Microsoftnetwork clientSend unencrypted_ password_tothird party_SMB_servers | Write | String | Allows or prevents the SMB redirector to send plaintext passwords to a non-Microsoft server service that does not support password encryption during authentication | Enabled, Disabled |
| Microsoftnetwork serverAmount of_idletime requiredbefore suspending_session | Write | String | Determines the amount of continuous idle time that must pass in an SMB session before the session is suspended due to inactivity | |
| Microsoftnetwork serverAttempt S4U2Self_toobtain claim_information | Write | String | Specifies whether a Windows file server will attempt to use the Kerberos S4U2Self feature to obtain a claim-enabled access token for the client prinicipal if required. | Default, Enabled, Disabled |
| Microsoftnetwork serverDigitally signcommunications always | Write | String | Specifies whether an SMB server requires SMB network packets to be digitally signed | Enabled, Disabled |
| Microsoftnetwork serverDigitally signcommunications if_client_agrees | Write | String | Specifies whether an SMB server will negotaite to digitally sign SMB network packets with a client | Enabled, Disabled |
| Microsoftnetwork serverDisconnect clients_whenlogon hours_expire | Write | String | Enables or disables the forced disconnection of users who are connected to the local device using SMB outside their user account's valid logon hours | Enabled, Disabled |
| Microsoftnetwork server_ServerSPN targetname validation_level | Write | String | Controls the level of validation that a server with shared folders or printers performs on the service principal name (SPN) that is provided by the client device when the client device establishes a session by using the Server Message Block (SMB) protocol | Off, Accept if provided by client, Required from client |
| Network_access _Allowanonymous SID_Name_translation | Write | String | Enables or disables the ability of an anonymous user to request security identifier (SID) attributes for another user | Enabled, Disabled |
| Networkaccess Do_notallow anonymous enumeration of_SAM_accounts | Write | String | Determines which additional permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares | Enabled, Disabled |
| Networkaccess Do_notallow anonymous enumeration of_SAMaccounts and_shares | Write | String | Determines which additional permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares | Enabled, Disabled |
| Networkaccess Do_not_allowstorage of_passwordsand credentialsfor network_authentication | Write | String | Determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication | Enabled, Disabled |
| Networkaccess LetEveryone permissionsapply to_anonymous_users | Write | String | Determines what additional permissions are granted for anonymous connections to the device. If you enable this policy setting, anonymous users can enumerate the names of domain accounts and shared folders and perform certain other activities | Enabled, Disabled |
| Networkaccess Named_Pipesthat can_beaccessed anonymously | Write | String | Determines which communication sessions, or pipes, have attributes and permissions that allow anonymous access | |
| Networkaccess Remotelyaccessible registry_paths | Write | String | Determines which registry paths are accessible when an application or process references the WinReg key to determine access permissions | |
| Networkaccess Remotelyaccessible registry_pathsand subpaths | Write | String | Determines which registry paths and subpaths are accessible when an application or process references the WinReg key to determine access permissions | |
| Networkaccess Restrictanonymous access_toNamed Pipes_and_Shares | Write | String | Enables or disables the restriction of anonymous access to only those shared folders and pipes that are named in the 'Network access: Named pipes that can be accessed anonymously' and 'Network access: Shares that can be accessed anonymously' settings | Enabled, Disabled |
| Networkaccess Restrictclients allowed_tomake remote_calls_to_SAM | Write | String[] | The Permission and Identity required for restricted remote Sam access | |
| Networkaccess Shares_that_canbe accessed_anonymously | Write | String | Determines which shared folders can be accessed by anonymous users | |
| Networkaccess Sharing_andsecurity model_forlocal accounts | Write | String | Determines how network logons that use local accounts are authenticated | Classic - Local users authenticate as themselves, Guest only - Local users authenticate as Guest |
| Networksecurity Allow_LocalSystem to_usecomputer identity_for_NTLM | Write | String | Determines what identity to use for services running as Local System when NTLM is used | Enabled, Disabled |
| Networksecurity AllowLocalSystem NULL_session_fallback | Write | String | Determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key for application compatibility | Enabled, Disabled |
| NetworkSecurity AllowPKU2U authenticationrequests to_thiscomputer to_use_online_identities | Write | String | Determines whether authentication is allowed between two or more computers that have established a peer relationship through the use of online IDs | Enabled, Disabled |
| Networksecurity Configureencryption types_allowedfor Kerberos | Write | String[] | Allows you to set the encryption types that the Kerberos protocol is allowed to use | DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, FUTURE |
| Networksecurity Do_not_storeLAN Manager_hashvalue on_nextpassword change | Write | String | Determines whether LAN Manager is prevented from storing hash values for the new password the next time the password is changed | Enabled, Disabled |
| Networksecurity Force_logoffwhen logon_hours_expire | Write | String | Determines whether to disconnect users who are connected to the local device using SMB outside their user account's valid logon hours | Enabled, Disabled |
| Networksecurity LANManager authentication_level | Write | String | Determines which challenge or response authentication protocol is used for network logons | Send LM & NTLM responses, Send LM & NTLM - use NTLMv2 session security if negotiated, Send NTLM responses only, Send NTLMv2 responses only, Send NTLMv2 responses only. Refuse LM, Send NTLMv2 responses only. Refuse LM & NTLM |
| Networksecurity LDAPclient signing_requirements | Write | String | Determines the level of data signing that is requested on behalf of client devices that issue LDAP BIND requests | None, Negotiate Signing, Require Signing |
| Networksecurity Minimumsession security_forNTLM SSP_basedincluding secure_RPC_clients | Write | String | Allows a client device to require the negotiation of 128-bit encryption or NTLMv2 session security | Require NTLMv2 session security, Require 128-bit encryption, Both options checked |
| Networksecurity Minimumsession security_forNTLM SSP_basedincluding secure_RPC_servers | Write | String | Allows a client device to require the negotiation of 128-bit encryption or NTLMv2 session security | Require NTLMv2 session security, Require 128-bit encryption, Both options checked |
| Networksecurity RestrictNTLM Add_remoteserver exceptionsfor NTLM_authentication | Write | String | Allows you to create an exception list of remote servers to which client devices are allowed to use NTLM authentication if the 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' policy setting is configured | |
| Networksecurity RestrictNTLM Add_serverexceptions in_this_domain | Write | String | Allows you to create an exception list of servers in this domain to which client device are allowed to use NTLM pass-through authentication if any of the deny options are set in the 'Network Security: Restrict NTLM: NTLM authentication in this domain' policy setting | |
| NetworkSecurity RestrictNTLM Incoming_NTLM_Traffic | Write | String | Allows you to deny or allow incoming NTLM traffic from client computers, other member servers, or a domain controller | Allow all, Deny all domain accounts, Deny all accounts |
| NetworkSecurity RestrictNTLM NTLMauthentication in_this_domain | Write | String | Allows you to deny or allow NTLM authentication within a domain from this domain controller | Disable, Deny for domain accounts to domain servers, Deny for domain accounts, Deny for domain servers, Deny all |
| NetworkSecurity RestrictNTLM Outgoing_NTLMtraffic to_remote_servers | Write | String | Allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system | Allow all, Audit all, Deny all |
| NetworkSecurity RestrictNTLM AuditIncoming NTLM_Traffic | Write | String | Allows you to audit incoming NTLM traffic | Disabled, Enable auditing for domain accounts, Enable auditing for all accounts |
| NetworkSecurity RestrictNTLM AuditNTLM authentication_ in_this_domain | Write | String | Allows you to audit on the domain controller NTLM authentication in that domain | Disable, Enable for domain accounts to domain servers, Enable for domain accounts, Enable for domain servers, Enable all |
| Recoveryconsole Allowautomatic administrative_logon | Write | String | Determines whether the built-in Administrator account password must be provided before access to the Recovery Console on the device is granted | Enabled, Disabled |
| Recoveryconsole Allowfloppy copy_andaccess to_all_drivesand folders | Write | String | Enables or disables the Recovery Console SET command | Enabled, Disabled |
| ShutdownAllow system_to_beshut down_withouthaving to_log_on | Write | String | Determines whether a device can be shut down without having to log on to Windows | Enabled, Disabled |
| ShutdownClear virtualmemory pagefile | Write | String | Determines whether the virtual memory paging file is cleared when the device is shut down | Enabled, Disabled |
| Systemcryptography Forcestrong key_ protection_foruser keys_stored_onthe computer | Write | String | Determines whether users can use private keys, such as their Secure/Multipurpose Internet Mail Extensions (S/MIME) key, without a password | User input is not required when new keys are stored and used, User is prompted when the key is first used, User must enter a password each time they use a key |
| Systemcryptography Use_FIPScompliant algorithmsfor encryptionhashing and_signing | Write | String | Determines whether the TLS/SSL security provider supports only the FIPS-compliant strong cipher suite | Enabled, Disabled |
| Systemobjects Requirecase insensitivityfor nonWindows subsystems | Write | String | Determines whether case insensitivity is enforced for all subsystems | Enabled, Disabled |
| Systemobjects Strengthendefault permissionsof internal_systemobjects eg_Symbolic_Links | Write | String | Determines the strength of the default discretionary access control list (DACL) for objects | Enabled, Disabled |
| Systemsettings Optional_subsystems | Write | String | Determines which subsystems support your applications | |
| Systemsettings UseCertificate Rules_onWindows Executablesfor SoftwareRestriction Policies | Write | String | Determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension | Enabled, Disabled |
| User_AccountControl AdminApproval Mode_for_the_Builtin Administrator_account | Write | String | Determines the behavior of Admin Approval Mode for the built-in administrator account | Enabled, Disabled |
| User_AccountControl AllowUIAccess applications_toprompt for_elevationwithout using_thesecure desktop | Write | String | Controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts that are used by a standard user | Enabled, Disabled |
| User_AccountControl Behavior_ofthe elevation_promptfor administrators_ in_AdminApproval Mode | Write | String | Determines the behavior of the elevation prompt for accounts that have administrative credentials | Elevate without prompting, Prompt for credentials on the secure desktop, Prompt for consent on the secure desktop, Prompt for credentials, Prompt for consent, Prompt for consent for non-Windows binaries |
| User_AccountControl Behavior_ofthe elevation_promptfor standard_users | Write | String | Determines the behavior of the elevation prompt for standard users | Automatically deny elevation request, Prompt for credentials on the secure desktop, Prompt for credentials |
| User_AccountControl Detectapplication installationsand prompt_for_elevation | Write | String | Determines the behavior of application installation detection for the entire system | Enabled, Disabled |
| User_AccountControl Onlyelevate executables_thatare signed_and_validated | Write | String | Enforces public key infrastructure (PKI) signature checks on any interactive application that requests elevation of privilege | Enabled, Disabled |
| User_AccountControl Only_elevateUIAccess applications_thatare installed_insecure locations | Write | String | Enforces the requirement that apps that request running with a UIAccess integrity level (by means of a marking of UIAccess=true in their app manifest), must reside in a secure location on the file system | Enabled, Disabled |
| User_AccountControl Run_alladministrators in_AdminApproval Mode | Write | String | Determines the behavior of all User Account Control (UAC) policies for the entire system | Enabled, Disabled |
| User_AccountControl Switch_to_thesecure desktopwhen prompting_for_elevation | Write | String | Determines whether the elevation request prompts on the interactive user desktop or on the secure desktop | Enabled, Disabled |
| User_AccountControl Virtualize_fileand registry_writefailures to_per_user_locations | Write | String | Enables or disables the redirection of the write failures of earlier applications to defined locations in the registry and the file system | Enabled, Disabled |
SecurityTemplate
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| IsSingleInstance | Key | String | Specifies the resource is a single instance, the value must be 'Yes' | Yes |
| Path | Required | String | The path to the desired security policy template (.inf) |
UserRightsAssignment
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Policy | Key | String | The policy name of the user rights assignment to be configured. | Create_a_token_object, Access_this_computer_from_the_network, Change_the_system_time, Deny_log_on_as_a_batch_job, Deny_log_on_through_Remote_Desktop_Services, Create_global_objects, Remove_computer_from_docking_station, Deny_access_to_this_computer_from_the_network, Act_as_part_of_the_operating_system, Modify_firmware_environment_values, Deny_log_on_locally, Access_CredentialManager as_a_trusted_caller, Restore_files_and_directories, Change_the_time_zone, Replace_a_process_level_token, Manage_auditing_and_security_log, Create_symbolic_links, Modify_an_object_label, Enable_computer_and_useraccounts to_be_trusted_for_delegation, Generate_security_audits, Increase_a_process_working_set, Take_ownership_offiles or_other_objects, Bypass_traverse_checking, Log_on_as_a_service, Shut_down_the_system, Lock_pages_in_memory, Impersonate_aclient after_authentication, Profile_system_performance, Debug_programs, Profile_single_process, Allow_log_onthrough Remote_Desktop_Services, Allow_log_on_locally, Increase_scheduling_priority, Synchronize_directory_service_data, Add_workstations_to_domain, Adjust_memory_quotas_for_a_process, Obtain_an_impersonation_tokenfor another_user_in_the_same_session, Perform_volume_maintenance_tasks, Load_and_unload_device_drivers, Force_shutdown_from_a_remote_system, Back_up_files_and_directories, Create_a_pagefile, Deny_log_on_as_a_service, Log_on_as_a_batch_job, Create_permanent_shared_objects |
| Identity | Required | String[] | The identity of the user or group to be added or removed from the user rights assignment. | |
| Force | Write | Boolean | Specifies to explicitly assign only the identities defined | |
| Ensure | Write | String | Desired state of resource. | Present, Absent |