Get-DbaPrivilege
Synopsis
Retrieves Windows security privileges critical for SQL Server performance from target computers.
Description
Audits five Windows privileges that directly impact SQL Server performance and functionality: Lock Pages in Memory, Instant File Initialization, Logon as Batch, Generate Security Audits, and Logon as a Service. These privileges are essential for SQL Server service accounts to achieve optimal performance and proper operation.
Use this to verify that SQL Server service accounts have the necessary Windows privileges configured, troubleshoot performance issues related to missing privileges, or audit security configurations across your SQL Server environment. The function exports the local security policy using secedit and parses the results to show which users and groups hold these critical privileges.
Requires Local Admin rights on destination computer(s).
Syntax
Get-DbaPrivilege
[[-ComputerName] <DbaInstanceParameter[]>]
[[-Credential] <PSCredential>]
[-EnableException]
[<CommonParameters>]
Examples
Example: 1
PS C:\> Get-DbaPrivilege -ComputerName sqlserver2014a
Gets the local privileges on computer sqlserver2014a.
Example: 2
PS C:\> 'sql1','sql2','sql3' | Get-DbaPrivilege
Gets the local privileges on computers sql1, sql2 and sql3.
Example: 3
PS C:\> Get-DbaPrivilege -ComputerName sql1,sql2 | Out-GridView
Gets the local privileges on computers sql1 and sql2, and shows them in a grid view.
Optional Parameters
-ComputerName
Specifies the target computer names where you want to audit Windows privileges. Accepts multiple computer names for bulk privilege auditing.
Use this to check privilege configurations on SQL Server host machines, especially when troubleshooting performance issues related to missing Lock Pages in Memory or Instant File Initialization rights.
| Property | Value |
|---|---|
| Alias | cn,host,Server |
| Required | False |
| Pipeline | true (ByValue) |
| Default Value | $env:COMPUTERNAME |
-Credential
Credential object used to connect to the computer as a different user.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | |
-EnableException
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with “sea of red” exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this “nice by default” feature off and enables you to catch exceptions with your own try/catch.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
Outputs
PSCustomObject
Returns one object per unique user or group found across the five Windows security privileges being audited.
Properties:
- ComputerName: The name of the computer where the privilege audit was performed
- User: The user or group account name; converted from SID to account name if applicable
- LogonAsBatch: Boolean indicating if the user has SeBatchLogonRight privilege
- InstantFileInitialization: Boolean indicating if the user has SeManageVolumePrivilege (Instant File Initialization)
- LockPagesInMemory: Boolean indicating if the user has SeLockMemoryPrivilege
- GenerateSecurityAudit: Boolean indicating if the user has SeAuditPrivilege
- LogonAsAService: Boolean indicating if the user has SeServiceLogonRight privilege
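The output properties listed above lend themselves to a baseline check: flag accounts that hold a privilege they are not expected to hold, and expected accounts that lack it. The following is an added example, not code from dbatools; `Test-DbaPrivilegeBaseline`, the baseline hashtable and the sample account names are hypothetical, and the sample objects are constructed to match the documented output shape.

```powershell
function Test-DbaPrivilegeBaseline {   # hypothetical helper, not part of dbatools
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject]$Privilege,  # one Get-DbaPrivilege object
        [Parameter(Mandatory)] [hashtable]$Baseline   # output property name -> accounts expected to hold it
    )
    begin { $held = @{}; $computers = @{} }   # PowerShell hashtable keys compare case-insensitively
    process {
        $computers[$Privilege.ComputerName] = $true
        foreach ($right in $Baseline.Keys) {
            if (-not $Privilege.$right) { continue }          # this account does not hold the right
            $held["$($Privilege.ComputerName)|$right|$($Privilege.User)"] = $true
            if ($Baseline[$right] -notcontains $Privilege.User) {
                [pscustomobject]@{ ComputerName = $Privilege.ComputerName; User = $Privilege.User
                                   Privilege = $right; Finding = 'Unexpected' }
            }
        }
    }
    end {
        # After all objects are seen, report expected holders that never appeared.
        foreach ($computer in $computers.Keys) {
            foreach ($right in $Baseline.Keys) {
                foreach ($account in $Baseline[$right]) {
                    if (-not $held["$computer|$right|$account"]) {
                        [pscustomobject]@{ ComputerName = $computer; User = $account
                                           Privilege = $right; Finding = 'Missing' }
                    }
                }
            }
        }
    }
}

# Constructed sample objects shaped like the Outputs section; account names are made up.
$sample = @(
    [pscustomobject]@{ ComputerName = 'sql1'; User = 'NT SERVICE\MSSQLSERVER'; LogonAsBatch = $false
        InstantFileInitialization = $false; LockPagesInMemory = $true; GenerateSecurityAudit = $false; LogonAsAService = $true }
    [pscustomobject]@{ ComputerName = 'sql1'; User = 'BUILTIN\Administrators'; LogonAsBatch = $true
        InstantFileInitialization = $true; LockPagesInMemory = $false; GenerateSecurityAudit = $false; LogonAsAService = $false }
    [pscustomobject]@{ ComputerName = 'sql1'; User = 'CONTOSO\appsvc'; LogonAsBatch = $false
        InstantFileInitialization = $false; LockPagesInMemory = $true; GenerateSecurityAudit = $false; LogonAsAService = $false }
)
$baseline = @{
    LockPagesInMemory         = @('NT SERVICE\MSSQLSERVER')
    InstantFileInitialization = @('NT SERVICE\MSSQLSERVER', 'BUILTIN\Administrators')
}
$sample | Test-DbaPrivilegeBaseline -Baseline $baseline | Format-Table
# Live use: Get-DbaPrivilege -ComputerName sql1,sql2 -EnableException | Test-DbaPrivilegeBaseline -Baseline $baseline
```

Account names in the baseline must match the form the User property returns in your environment, so check a real run before relying on the comparison.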
dbatools