Using a least privilege user account for vRanger

I was recently configuring a vRanger deployment in which I wanted the service account running the various services to run under the context of a least privilege user.

The service account will require log on as a service permissions, db_owner permissions to the vRanger database on the SQL Server instance and also write access to the repositories you have configured.

For reference on the required privileges for the vCenter installation, the following was obtained from the Dell support site (http://documents.software.dell.com/DOC21485).

vRangerPermissions

Using PowerShell to set file system access control list entries

As part of an automation task I was required to set access control list (ACL) permissions on a folder that had been created. In order to achieve this I created a script block in PowerShell.

In my example, I had to assign Modify permissions for a security group to a directory. In this example, I will be assigning the security group ‘DOMAIN\Finance_Users’ modify permissions to the directory ‘D:\Budget’.

Firstly, we will need to get the object that represents the security descriptor, which contains the ACL of the directory:

$Acl = Get-Acl D:\Budget

Now we need to specify the permissions to add to the folder for the security group. We store them in one variable, pass that variable to the FileSystemAccessRule class, and store the resulting access rule in a second variable:

$Permission = ("DOMAIN\Finance_Users","Modify","ContainerInherit,ObjectInherit","None","Allow")
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $Permission

Once the access rule has been created, we add it to the ACL and then write the updated security descriptor back to the directory so that it matches the values specified in the above variables:

$Acl.SetAccessRule($AccessRule)
$Acl | Set-Acl D:\Budget

For more information on the FileSystemAccessRule class, see http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemaccessrule.aspx
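
The steps above wrapped into a reusable function, as an added example that is not part of the original post: it resolves the group name before touching the ACL, supports -WhatIf, and re-reads the ACL afterwards so the resulting entries can be reviewed. The function name Grant-FolderModify is hypothetical; the path and group are the post's sample values.

```powershell
# Added example, not the original author's script. Grant-FolderModify is a hypothetical name.
function Grant-FolderModify {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Directory not found: $Path"
    }

    # Resolve the name to a SID first, so a mistyped group fails here
    # and not part-way through the ACL change.
    $account = New-Object System.Security.Principal.NTAccount($Identity)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

    # Same values as the post: Modify, inherited by subfolders and files, Allow.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -LiteralPath $Path
    # SetAccessRule replaces existing explicit Allow entries for this identity;
    # AddAccessRule would merge with them instead.
    $acl.SetAccessRule($rule)

    if ($PSCmdlet.ShouldProcess($Path, "Grant Modify to $Identity")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }

    # Re-read the ACL and return only the explicit (non-inherited) entries
    # for this identity, so the effective grant can be checked.
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $false,
            [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags
}

# Preview the change on the post's sample directory and group without writing it.
Grant-FolderModify -Path 'D:\Budget' -Identity 'DOMAIN\Finance_Users' -WhatIf
```

Run it once with -WhatIf to confirm the target, then without it to apply the rule and list the explicit entries for the group.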