I. What exactly are MSA or gMSA<\/u><\/strong><\/h2>\n\n\n\nMSA (Managed Service Accounts) or gMSA (group Managed Service Accounts) are Active Directory Managed Accounts used to start services (Service Accounts).<\/p>\n\n\n\n
They have several advantages though they are still not permanently used (at least from what I saw at most of my customers).<\/p>\n\n\n\n
\n- They are linked to a single server (MSA) or to a group of Server (gMSA) and cannot be used on other server than the ones they are dedicated to.<\/li>\n\n\n\n
- They cannot be used to gain access to the server as they can’t be used to login (no privilege escalation is possible).<\/li>\n<\/ul>\n\n\n\n
They simplify the management of Service Principle Names (SPN) as the SPN for the related service is automatically generated when the service starts the first time.
This is obviously a huge advantage in terms of security as Kerberos Authentication is factually running on the go.<\/p>\n<\/div><\/div>\n\n\n\n
II. Implementation \/ Configuration of MSA\/gMSA<\/h2>\n\n\n\n\nII.1 Prerequisites:<\/strong><\/p>\n\n\n\nIn order to create a MSA or a gMSA you will need to go the Powershell way.<\/p>\n\n\n\n
Normally the setup will be performed on a Server which is not an AD Server.<\/p>\n\n\n\n
Therefore the first step will be to install the RSAT Tools:<\/p>\n\n\n\n
On Windows Server:<\/p>\n\n\n\n
Install-WindowsFeature RSAT-AD-PowerShell<\/p>\n\n\n\n
On Windows 10\/11: Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools -Online<\/p>\n\n\n\n
The creation of both types can easily be performed with simple scripts though this requires AD Admin permissions (or at least a delegation for creating Accounts)<\/p>\n<\/div><\/div>\n\n\n\n
\nII.2 Create a MSA:<\/strong><\/p>\n\n\n\nNew-ADServiceAccount -Name NAME -Enabled $true -Description “Managed Service Account for xxxx” -DisplayName “MSA 1 \u2013 xxxx” -RestrictToSingleComputer<\/strong><\/p>\n\n\n\n![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/06\/image-5.png\")
<\/figure>\n\n\n\nOnce the account got created, it will be added in Active Directory under Managed Service Accounts:<\/p>\n\n\n\n![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/06\/image-6.png\")
<\/figure>\n<\/div><\/div>\n\n\n\n\nII.3 Create a gMSA:<\/strong><\/p>\n\n\n\ngMSA creation is slightful different as there\u2019s a need to create the Account and grant the defined computer Objects to use it. Fortunately, this can als easily be done with a single PS Query:<\/p>\n\n\n\n
New-ADServiceAccount -Name msa_exhib2 -DNSHostName DNS Server -PrincipalsAllowedToRetrieveManagedPassword Server1$, Server2$<\/strong><\/p>\n\n\n\nHere it is important to add the $ sign at the end of the device name as the query gives the permissions to the Computer Object.<\/p>\n\n\n\n![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/06\/image-7.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/06\/image-8.png\")
<\/figure>\n<\/div><\/div>\n\n\n\nIII. Installation and Usage of the MSA \/ gMSA:<\/h2>\n\n\n\n\nIII.1 Installation of the created Account<\/strong><\/p>\n\n\n\nOnce the Account got created it will need to be installed on the target server (Requires the RSAT AD Tools to be installed as mentioned previously):<\/p>\n\n\n\n
Install-ADServiceAccount -Identity ServiceName<\/p>\n\n\n\n
Be Aware that the MSA is restricted only to one server. Therefore, it can only be installed once. Trying to install it on another server will end with the error:<\/p>\n\n\n\n
Once the Account got created it will need to be installed on the target server (Requires the RSAT AD Tools to be installed as mentioned previously):<\/p>\n\n\n\n
Install-ADServiceAccount -Identity ServiceName<\/strong><\/p>\n\n\n\nBe Aware that the MSA is restricted only to one server. Therefore, it can only be installed once. Trying to install it on another server will end with the error:<\/p>\n\n\n\n![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/06\/image-9.png\")
<\/figure>\n\n\n\nIf the action gets confirmed, the MSA will be removed from it\u2019s original server and the services relying on it will be stopped.<\/mark><\/p>\n\n\n\nThe issue will not exist with gMSA as it can be installed on all Server \/ Computer which have been granted the access to it.<\/p>\n<\/div><\/div>\n\n\n\n
\nIII.2 Grant the permissions to the MSA \/ gMSA<\/strong><\/p>\n\n\n\nThe created accounts need to be granted segregated permissions. As my Colleague St\u00e9phane Haby<\/a> already mentioned in this Article<\/a>, for security reasons a SQL Server Service Account should never be granted the Local Administrator Permissions.<\/p>\n\n\n\nThis can be performed on several ways:<\/p>\n\n\n\n
\n\n\n- GPO: This requires the Domain Architect to define the GPOs properly<\/li>\n\n\n\n
- By managing the Local Security Policies:<\/li>\n<\/ul>\n\n\n\n
Under Local Policies\\User Rights Assignment add the created account to all relevant permissions (Basically, for a SQL Server: Logon as a Batch Job, Logon as a service, Perform Volume Maintenance Tasks (eventually Lock Pages in Memory if this is required by the software using MSSQL)<\/p>\n\n\n\n
\n- By using a powershell script:<\/li>\n<\/ul>\n<\/div><\/div>\n<\/div><\/div>\n\n\n\n
# Variables used - change as required\n$TempLocation = \"C:\\Service\"\n$SQLServiceAccount = $ServiceName #Account used for the SQL Service\n\n## This lines are required to change in the cfg file\n$ChangeFrom = \"SeManageVolumePrivilege = \"\n$ChangeFrom2 = \"SeLockMemoryPrivilege = \"\n$ChangeFrom3 = \"SeBatchLogonRight = \"\n$ChangeFrom4 = \"SeServiceLogonRight = \"\n$ChangeFrom5 = \"SeAuditPrivilege = \"\n\n## Build the new lines \n$ChangeTo = \"SeManageVolumePrivilege = $SQLServiceAccount,\"\n$ChangeTo2 = \"SeLockMemoryPrivilege = $SQLServiceAccount,\"\n$ChangeTo3 = \"SeBatchLogonRight = $SQLServiceAccount,\"\n$ChangeTo4 = \"SeServiceLogonRight = $SQLServiceAccount,\"\n$ChangeTo5 = \"SeAuditPrivilege = $SQLServiceAccount,\"\n\n\n## Set a name for the Security Policy cfg file.\n$fileName = \"$TempLocation\\SecPolExport.cfg\"\n\n## export currect Security Policy config\nWrite-Host \"Exporting Security Policy to file: $filename\"\nsecedit \/export \/cfg $filename\nCopy-Item $filename -Destination \"$filename.save_before\"\nWrite-Host \"make a copy of initial Security policy export: $filename.save_before\"\nWrite-Host \"start to modify Security Policy Export file\"\n\n## delete the last 4 lines in the export file; this is needed if some attrubutes are not yet set and they are added at the end of the file; after this end-section (last 4 lines) the secpol is not importing it, so delete these values and add them at the end of the script\n$content = get-content $filename\n$content[0..($content.length-4)] | out-file $filename\n\n\n# Use Get-Content to change the text in the cfg file and then save it\n\n# As the line for the option only exists if there is something already in the group\n# this will check for it and add your $SQLServiceAccount or use Add-Contect to append option and your $SQLServiceAccount\n\n#Option SeManageVolumePrivilege (Perform maintenance volumne tasks)\nIF ((Get-Content $fileName) | where { $_.Contains(\"SeManageVolumePrivilege\") })\n{\nWrite-Host \"Appending line containing SeManageVolumePrivilege with $SQLServiceAccount\"\n(Get-Content $fileName) -replace $ChangeFrom, $ChangeTo | Set-Content $fileName\n}\nelse\n{\nWrite-Host \"Adding new line containing SeManageVolumePrivilege\"\nAdd-Content $filename \"`nSeManageVolumePrivilege = $SQLServiceAccount\"\n}\n\n## Option SeLockMemoryPrivilege (Lock Pages in Memory)\n## This is optinal depending on the requirements\n## IF ((Get-Content $fileName) | where { $_.Contains(\"SeLockMemoryPrivilege\") })\n## {\n## Write-Host \"Appending line containing SeLockMemoryPrivilege with $SQLServiceAccount\"\n## (Get-Content $fileName) -replace $ChangeFrom2, $ChangeTo2 | Set-Content $fileName\n## }\n## else\n## {\n## Write-Host \"Adding new line containing SeLockMemoryPrivilege\"\n## Add-Content $filename \"`nSeLockMemoryPrivilege = $SQLServiceAccount\"\n## }\n\n#Option SeBatchLogonRight (Log on as Batch job)\nIF ((Get-Content $fileName) | where { $_.Contains(\"SeBatchLogonRight\") })\n{\nWrite-Host \"Appending line containing SeBatchLogonRight with $SQLServiceAccount\"\n(Get-Content $fileName) -replace $ChangeFrom3, $ChangeTo3 | Set-Content $fileName\n}\nelse\n{\nWrite-Host \"Adding new line containing SeBatchLogonRight\"\nAdd-Content $filename \"`nSeBatchLogonRight = $SQLServiceAccount\"\n}\n\n\n#Option SeServiceLogonRight (log on as a service)\nIF ((Get-Content $fileName) | where { $_.Contains(\"SeServiceLogonRight\") })\n{\nWrite-Host \"Appending line containing SeServiceLogonRight with $SQLServiceAccount\"\n(Get-Content $fileName) -replace $ChangeFrom4, $ChangeTo4 | Set-Content $fileName\n}\nelse\n{\nWrite-Host \"Adding new line containing SeServiceLogonRight\"\nAdd-Content $filename \"`nSeServiceLogonRight = $SQLServiceAccount\"\n}<\/code><\/pre>\n<\/div><\/div>\n\n\n\n
They simplify the management of Service Principle Names (SPN) as the SPN for the related service is automatically generated when the service starts the first time.
This is obviously a huge advantage in terms of security as Kerberos Authentication is factually running on the go.<\/p>\n<\/div><\/div>\n\n\n\n
II. Implementation \/ Configuration of MSA\/gMSA<\/h2>\n\n\n\n\nII.1 Prerequisites:<\/strong><\/p>\n\n\n\nIn order to create a MSA or a gMSA you will need to go the Powershell way.<\/p>\n\n\n\n
Normally the setup will be performed on a Server which is not an AD Server.<\/p>\n\n\n\n
Therefore the first step will be to install the RSAT Tools:<\/p>\n\n\n\n
On Windows Server:<\/p>\n\n\n\n
Install-WindowsFeature RSAT-AD-PowerShell<\/p>\n\n\n\n
On Windows 10\/11: Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools -Online<\/p>\n\n\n\n
The creation of both types can easily be performed with simple scripts though this requires AD Admin permissions (or at least a delegation for creating Accounts)<\/p>\n<\/div><\/div>\n\n\n\n
\nII.2 Create a MSA:<\/strong><\/p>\n\n\n\nNew-ADServiceAccount -Name NAME -Enabled $true -Description “Managed Service Account for xxxx” -DisplayName “MSA 1 \u2013 xxxx” -RestrictToSingleComputer<\/strong><\/p>\n\n\n\n<\/figure>\n\n\n\nOnce the account got created, it will be added in Active Directory under Managed Service Accounts:<\/p>\n\n\n\n<\/figure>\n<\/div><\/div>\n\n\n\n\nII.3 Create a gMSA:<\/strong><\/p>\n\n\n\ngMSA creation is slightful different as there\u2019s a need to create the Account and grant the defined computer Objects to use it. Fortunately, this can als easily be done with a single PS Query:<\/p>\n\n\n\n
New-ADServiceAccount -Name msa_exhib2 -DNSHostName DNS Server -PrincipalsAllowedToRetrieveManagedPassword Server1$, Server2$<\/strong><\/p>\n\n\n\nHere it is important to add the $ sign at the end of the device name as the query gives the permissions to the Computer Object.<\/p>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n<\/div><\/div>\n\n\n\nIII. Installation and Usage of the MSA \/ gMSA:<\/h2>\n\n\n\n\nIII.1 Installation of the created Account<\/strong><\/p>\n\n\n\nOnce the Account got created it will need to be installed on the target server (Requires the RSAT AD Tools to be installed as mentioned previously):<\/p>\n\n\n\n
Install-ADServiceAccount -Identity ServiceName<\/p>\n\n\n\n
Be Aware that the MSA is restricted only to one server. Therefore, it can only be installed once. Trying to install it on another server will end with the error:<\/p>\n\n\n\n
Once the Account got created it will need to be installed on the target server (Requires the RSAT AD Tools to be installed as mentioned previously):<\/p>\n\n\n\n
Install-ADServiceAccount -Identity ServiceName<\/strong><\/p>\n\n\n\nBe Aware that the MSA is restricted only to one server. Therefore, it can only be installed once. Trying to install it on another server will end with the error:<\/p>\n\n\n\n<\/figure>\n\n\n\nIf the action gets confirmed, the MSA will be removed from it\u2019s original server and the services relying on it will be stopped.<\/mark><\/p>\n\n\n\nThe issue will not exist with gMSA as it can be installed on all Server \/ Computer which have been granted the access to it.<\/p>\n<\/div><\/div>\n\n\n\n
\nIII.2 Grant the permissions to the MSA \/ gMSA<\/strong><\/p>\n\n\n\nThe created accounts need to be granted segregated permissions. As my Colleague St\u00e9phane Haby<\/a> already mentioned in this Article<\/a>, for security reasons a SQL Server Service Account should never be granted the Local Administrator Permissions.<\/p>\n\n\n\nThis can be performed on several ways:<\/p>\n\n\n\n
\n\n\n- GPO: This requires the Domain Architect to define the GPOs properly<\/li>\n\n\n\n
- By managing the Local Security Policies:<\/li>\n<\/ul>\n\n\n\n
Under Local Policies\\User Rights Assignment add the created account to all relevant permissions (Basically, for a SQL Server: Logon as a Batch Job, Logon as a service, Perform Volume Maintenance Tasks (eventually Lock Pages in Memory if this is required by the software using MSSQL)<\/p>\n\n\n\n
\n- By using a powershell script:<\/li>\n<\/ul>\n<\/div><\/div>\n<\/div><\/div>\n\n\n\n
# Variables used - change as required\n$TempLocation = \"C:\\Service\"\n$SQLServiceAccount = $ServiceName #Account used for the SQL Service\n\n## This lines are required to change in the cfg file\n$ChangeFrom = \"SeManageVolumePrivilege = \"\n$ChangeFrom2 = \"SeLockMemoryPrivilege = \"\n$ChangeFrom3 = \"SeBatchLogonRight = \"\n$ChangeFrom4 = \"SeServiceLogonRight = \"\n$ChangeFrom5 = \"SeAuditPrivilege = \"\n\n## Build the new lines \n$ChangeTo = \"SeManageVolumePrivilege = $SQLServiceAccount,\"\n$ChangeTo2 = \"SeLockMemoryPrivilege = $SQLServiceAccount,\"\n$ChangeTo3 = \"SeBatchLogonRight = $SQLServiceAccount,\"\n$ChangeTo4 = \"SeServiceLogonRight = $SQLServiceAccount,\"\n$ChangeTo5 = \"SeAuditPrivilege = $SQLServiceAccount,\"\n\n\n## Set a name for the Security Policy cfg file.\n$fileName = \"$TempLocation\\SecPolExport.cfg\"\n\n## export currect Security Policy config\nWrite-Host \"Exporting Security Policy to file: $filename\"\nsecedit \/export \/cfg $filename\nCopy-Item $filename -Destination \"$filename.save_before\"\nWrite-Host \"make a copy of initial Security policy export: $filename.save_before\"\nWrite-Host \"start to modify Security Policy Export file\"\n\n## delete the last 4 lines in the export file; this is needed if some attrubutes are not yet set and they are added at the end of the file; after this end-section (last 4 lines) the secpol is not importing it, so delete these values and add them at the end of the script\n$content = get-content $filename\n$content[0..($content.length-4)] | out-file $filename\n\n\n# Use Get-Content to change the text in the cfg file and then save it\n\n# As the line for the option only exists if there is something already in the group\n# this will check for it and add your $SQLServiceAccount or use Add-Contect to append option and your $SQLServiceAccount\n\n#Option SeManageVolumePrivilege (Perform maintenance volumne tasks)\nIF ((Get-Content $fileName) | where { $_.Contains(\"SeManageVolumePrivilege\") })\n{\nWrite-Host \"Appending line containing SeManageVolumePrivilege with $SQLServiceAccount\"\n(Get-Content $fileName) -replace $ChangeFrom, $ChangeTo | Set-Content $fileName\n}\nelse\n{\nWrite-Host \"Adding new line containing SeManageVolumePrivilege\"\nAdd-Content $filename \"`nSeManageVolumePrivilege = $SQLServiceAccount\"\n}\n\n## Option SeLockMemoryPrivilege (Lock Pages in Memory)\n## This is optinal depending on the requirements\n## IF ((Get-Content $fileName) | where { $_.Contains(\"SeLockMemoryPrivilege\") })\n## {\n## Write-Host \"Appending line containing SeLockMemoryPrivilege with $SQLServiceAccount\"\n## (Get-Content $fileName) -replace $ChangeFrom2, $ChangeTo2 | Set-Content $fileName\n## }\n## else\n## {\n## Write-Host \"Adding new line containing SeLockMemoryPrivilege\"\n## Add-Content $filename \"`nSeLockMemoryPrivilege = $SQLServiceAccount\"\n## }\n\n#Option SeBatchLogonRight (Log on as Batch job)\nIF ((Get-Content $fileName) | where { $_.Contains(\"SeBatchLogonRight\") })\n{\nWrite-Host \"Appending line containing SeBatchLogonRight with $SQLServiceAccount\"\n(Get-Content $fileName) -replace $ChangeFrom3, $ChangeTo3 | Set-Content $fileName\n}\nelse\n{\nWrite-Host \"Adding new line containing SeBatchLogonRight\"\nAdd-Content $filename \"`nSeBatchLogonRight = $SQLServiceAccount\"\n}\n\n\n#Option SeServiceLogonRight (log on as a service)\nIF ((Get-Content $fileName) | where { $_.Contains(\"SeServiceLogonRight\") })\n{\nWrite-Host \"Appending line containing SeServiceLogonRight with $SQLServiceAccount\"\n(Get-Content $fileName) -replace $ChangeFrom4, $ChangeTo4 | Set-Content $fileName\n}\nelse\n{\nWrite-Host \"Adding new line containing SeServiceLogonRight\"\nAdd-Content $filename \"`nSeServiceLogonRight = $SQLServiceAccount\"\n}<\/code><\/pre>\n<\/div><\/div>\n\n\n\n
II.1 Prerequisites:<\/strong><\/p>\n\n\n\n In order to create a MSA or a gMSA you will need to go the Powershell way.<\/p>\n\n\n\n Normally the setup will be performed on a Server which is not an AD Server.<\/p>\n\n\n\n Therefore the first step will be to install the RSAT Tools:<\/p>\n\n\n\n On Windows Server:<\/p>\n\n\n\n Install-WindowsFeature RSAT-AD-PowerShell<\/p>\n\n\n\n On Windows 10\/11: Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools -Online<\/p>\n\n\n\n The creation of both types can easily be performed with simple scripts though this requires AD Admin permissions (or at least a delegation for creating Accounts)<\/p>\n<\/div><\/div>\n\n\n\n II.2 Create a MSA:<\/strong><\/p>\n\n\n\n New-ADServiceAccount -Name NAME -Enabled $true -Description “Managed Service Account for xxxx” -DisplayName “MSA 1 \u2013 xxxx” -RestrictToSingleComputer<\/strong><\/p>\n\n\n\n Once the account got created, it will be added in Active Directory under Managed Service Accounts:<\/p>\n\n\n\n II.3 Create a gMSA:<\/strong><\/p>\n\n\n\n gMSA creation is slightful different as there\u2019s a need to create the Account and grant the defined computer Objects to use it. Fortunately, this can als easily be done with a single PS Query:<\/p>\n\n\n\n New-ADServiceAccount -Name msa_exhib2 -DNSHostName DNS Server -PrincipalsAllowedToRetrieveManagedPassword Server1$, Server2$<\/strong><\/p>\n\n\n\n Here it is important to add the $ sign at the end of the device name as the query gives the permissions to the Computer Object.<\/p>\n\n\n\n III.1 Installation of the created Account<\/strong><\/p>\n\n\n\n Once the Account got created it will need to be installed on the target server (Requires the RSAT AD Tools to be installed as mentioned previously):<\/p>\n\n\n\n Install-ADServiceAccount -Identity ServiceName<\/p>\n\n\n\n Be Aware that the MSA is restricted only to one server. Therefore, it can only be installed once. Trying to install it on another server will end with the error:<\/p>\n\n\n\n Once the Account got created it will need to be installed on the target server (Requires the RSAT AD Tools to be installed as mentioned previously):<\/p>\n\n\n\n Install-ADServiceAccount -Identity ServiceName<\/strong><\/p>\n\n\n\n Be Aware that the MSA is restricted only to one server. Therefore, it can only be installed once. Trying to install it on another server will end with the error:<\/p>\n\n\n\n If the action gets confirmed, the MSA will be removed from it\u2019s original server and the services relying on it will be stopped.<\/mark><\/p>\n\n\n\n The issue will not exist with gMSA as it can be installed on all Server \/ Computer which have been granted the access to it.<\/p>\n<\/div><\/div>\n\n\n\n III.2 Grant the permissions to the MSA \/ gMSA<\/strong><\/p>\n\n\n\n The created accounts need to be granted segregated permissions. As my Colleague St\u00e9phane Haby<\/a> already mentioned in this Article<\/a>, for security reasons a SQL Server Service Account should never be granted the Local Administrator Permissions.<\/p>\n\n\n\n This can be performed on several ways:<\/p>\n\n\n\n Under Local Policies\\User Rights Assignment add the created account to all relevant permissions (Basically, for a SQL Server: Logon as a Batch Job, Logon as a service, Perform Volume Maintenance Tasks (eventually Lock Pages in Memory if this is required by the software using MSSQL)<\/p>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n<\/div><\/div>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n<\/div><\/div>\n\n\n\nIII. Installation and Usage of the MSA \/ gMSA:<\/h2>\n\n\n\n
<\/figure>\n\n\n\n\n
\n
# Variables used - change as required\n$TempLocation = \"C:\\Service\"\n$SQLServiceAccount = $ServiceName #Account used for the SQL Service\n\n## This lines are required to change in the cfg file\n$ChangeFrom = \"SeManageVolumePrivilege = \"\n$ChangeFrom2 = \"SeLockMemoryPrivilege = \"\n$ChangeFrom3 = \"SeBatchLogonRight = \"\n$ChangeFrom4 = \"SeServiceLogonRight = \"\n$ChangeFrom5 = \"SeAuditPrivilege = \"\n\n## Build the new lines \n$ChangeTo = \"SeManageVolumePrivilege = $SQLServiceAccount,\"\n$ChangeTo2 = \"SeLockMemoryPrivilege = $SQLServiceAccount,\"\n$ChangeTo3 = \"SeBatchLogonRight = $SQLServiceAccount,\"\n$ChangeTo4 = \"SeServiceLogonRight = $SQLServiceAccount,\"\n$ChangeTo5 = \"SeAuditPrivilege = $SQLServiceAccount,\"\n\n\n## Set a name for the Security Policy cfg file.\n$fileName = \"$TempLocation\\SecPolExport.cfg\"\n\n## export currect Security Policy config\nWrite-Host \"Exporting Security Policy to file: $filename\"\nsecedit \/export \/cfg $filename\nCopy-Item $filename -Destination \"$filename.save_before\"\nWrite-Host \"make a copy of initial Security policy export: $filename.save_before\"\nWrite-Host \"start to modify Security Policy Export file\"\n\n## delete the last 4 lines in the export file; this is needed if some attrubutes are not yet set and they are added at the end of the file; after this end-section (last 4 lines) the secpol is not importing it, so delete these values and add them at the end of the script\n$content = get-content $filename\n$content[0..($content.length-4)] | out-file $filename\n\n\n# Use Get-Content to change the text in the cfg file and then save it\n\n# As the line for the option only exists if there is something already in the group\n# this will check for it and add your $SQLServiceAccount or use Add-Contect to append option and your $SQLServiceAccount\n\n#Option SeManageVolumePrivilege (Perform maintenance volumne tasks)\nIF ((Get-Content $fileName) | where { $_.Contains(\"SeManageVolumePrivilege\") })\n{\nWrite-Host \"Appending line containing SeManageVolumePrivilege with $SQLServiceAccount\"\n(Get-Content $fileName) -replace $ChangeFrom, $ChangeTo | Set-Content $fileName\n}\nelse\n{\nWrite-Host \"Adding new line containing SeManageVolumePrivilege\"\nAdd-Content $filename \"`nSeManageVolumePrivilege = $SQLServiceAccount\"\n}\n\n## Option SeLockMemoryPrivilege (Lock Pages in Memory)\n## This is optinal depending on the requirements\n## IF ((Get-Content $fileName) | where { $_.Contains(\"SeLockMemoryPrivilege\") })\n## {\n## Write-Host \"Appending line containing SeLockMemoryPrivilege with $SQLServiceAccount\"\n## (Get-Content $fileName) -replace $ChangeFrom2, $ChangeTo2 | Set-Content $fileName\n## }\n## else\n## {\n## Write-Host \"Adding new line containing SeLockMemoryPrivilege\"\n## Add-Content $filename \"`nSeLockMemoryPrivilege = $SQLServiceAccount\"\n## }\n\n#Option SeBatchLogonRight (Log on as Batch job)\nIF ((Get-Content $fileName) | where { $_.Contains(\"SeBatchLogonRight\") })\n{\nWrite-Host \"Appending line containing SeBatchLogonRight with $SQLServiceAccount\"\n(Get-Content $fileName) -replace $ChangeFrom3, $ChangeTo3 | Set-Content $fileName\n}\nelse\n{\nWrite-Host \"Adding new line containing SeBatchLogonRight\"\nAdd-Content $filename \"`nSeBatchLogonRight = $SQLServiceAccount\"\n}\n\n\n#Option SeServiceLogonRight (log on as a service)\nIF ((Get-Content $fileName) | where { $_.Contains(\"SeServiceLogonRight\") })\n{\nWrite-Host \"Appending line containing SeServiceLogonRight with $SQLServiceAccount\"\n(Get-Content $fileName) -replace $ChangeFrom4, $ChangeTo4 | Set-Content $fileName\n}\nelse\n{\nWrite-Host \"Adding new line containing SeServiceLogonRight\"\nAdd-Content $filename \"`nSeServiceLogonRight = $SQLServiceAccount\"\n}<\/code><\/pre>\n<\/div><\/div>\n\n\n\n