Set-DbaPrivilege - Fix blank security policy entry updates (review of #10235)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: potatoqualitee

docs/trackers/features/commit-bug-review-TRACKER.md

@@ -71,7 +71,7 @@ Find real bugs (logic errors, null refs, incorrect behavior) and fix them. Skip
 | 0ee03fc32 | New-DbaAgentJobStep - Fix OnFailAction ValidateSet order to match actual default (#10244) | DONE | Reviewed parameter metadata-only ValidateSet reorder; no bugs found. |
 | 63c906f9d | Set-DbaDbCompression - Add SortInTempDB parameter and fix views T-SQL bug (#10248) | DONE | Fixed indexed-view output/error metadata to use the view name instead of a stale table reference; added integration regression test. |
 | 4d1a9d80c | v2.7.27 | DONE | version bump - skip |
-| 232395207 | Set-DbaPrivilege, Get-DbaPrivilege - Add CreateGlobalObjects privilege support (#10235) | PENDING | |
+| 232395207 | Set-DbaPrivilege, Get-DbaPrivilege - Add CreateGlobalObjects privilege support (#10235) | DONE | Fixed empty privilege-entry updates so Set-DbaPrivilege still grants rights when secedit exports a blank line; added unit regression test. |
 | 099624061 | Get-DbaDbRestoreHistory - Add BackupStartDate, StopAt, and LastRestorePoint columns (#10249) | PENDING | |
 | 4f1e56ce4 | New-DbaDbMailAccount, Set-DbaDbMailAccount - Add Port, SSL, and authentication parameters (#10257) | PENDING | |
 | 8218d327e | Restore-DbaDatabase, Invoke-DbaAdvancedRestore - Add ErrorBrokerConversations parameter (#10253) | PENDING | |

public/Set-DbaPrivilege.ps1

@@ -133,7 +133,7 @@ function Convert-UserNameToSID ([string] `$Acc ) {
                                             <# DO NOT use Write-Message as this is inside of a script block #>
                                             Write-Verbose "Added $acc to Batch Logon Privileges on $env:ComputerName"
                                         } elseif ($BLline -notmatch $SID) {
-                                            (Get-Content $tempfile) -replace "(SeBatchLogonRight = .+)", "`$1,*$SID" |
+                                            (Get-Content $tempfile) -replace "SeBatchLogonRight = ", "SeBatchLogonRight = *$SID," |
                                                 Set-Content $tempfile
                                             <# DO NOT use Write-Message as this is inside of a script block #>
                                             Write-Verbose "Added $acc to Batch Logon Privileges on $env:ComputerName"
@@ -156,7 +156,7 @@ function Convert-UserNameToSID ([string] `$Acc ) {
                                             <# DO NOT use Write-Message as this is inside of a script block #>
                                             Write-Verbose "Added $acc to Instant File Initialization Privileges on $env:ComputerName"
                                         } elseif ($IFIline -notmatch $SID) {
-                                            (Get-Content $tempfile) -replace "(SeManageVolumePrivilege = .+)", "`$1,*$SID" |
+                                            (Get-Content $tempfile) -replace "SeManageVolumePrivilege = ", "SeManageVolumePrivilege = *$SID," |
                                                 Set-Content $tempfile
                                             <# DO NOT use Write-Message as this is inside of a script block #>
                                             Write-Verbose "Added $acc to Instant File Initialization Privileges on $env:ComputerName"
@@ -179,7 +179,7 @@ function Convert-UserNameToSID ([string] `$Acc ) {
                                             <# DO NOT use Write-Message as this is inside of a script block #>
                                             Write-Verbose "Added $acc to Lock Pages in Memory Privileges on $env:ComputerName"
                                         } elseif ($LPIMline -notmatch $SID) {
-                                            (Get-Content $tempfile) -replace "(SeLockMemoryPrivilege = .+)", "`$1,*$SID" |
+                                            (Get-Content $tempfile) -replace "SeLockMemoryPrivilege = ", "SeLockMemoryPrivilege = *$SID," |
                                                 Set-Content $tempfile
                                             <# DO NOT use Write-Message as this is inside of a script block #>
                                             Write-Verbose "Added $acc to Lock Pages in Memory Privileges on $env:ComputerName"
@@ -202,7 +202,7 @@ function Convert-UserNameToSID ([string] `$Acc ) {
                                             <# DO NOT use Write-Message as this is inside of a script block #>
                                             Write-Verbose "Added $acc to Security Log Privileges on $env:ComputerName"
                                         } elseif ($SALine -notmatch $SID) {
-                                            (Get-Content $tempfile) -replace "(SeAuditPrivilege = .+)", "`$1,*$SID" |
+                                            (Get-Content $tempfile) -replace "SeAuditPrivilege = ", "SeAuditPrivilege = *$SID," |
                                                 Set-Content $tempfile
                                             <# DO NOT use Write-Message as this is inside of a script block #>
                                             Write-Verbose "Added $acc to Write to Security Log Privileges on $env:ComputerName"
@@ -223,7 +223,7 @@ function Convert-UserNameToSID ([string] `$Acc ) {
                                             <# DO NOT use Write-Message as this is inside of a script block #>
                                             Write-Verbose "Added $acc to Service Logon Privileges on $env:ComputerName"
                                         } elseif ($SLline -notmatch $SID) {
-                                            (Get-Content $tempfile) -replace "(SeServiceLogonRight = .+)", "`$1,*$SID" |
+                                            (Get-Content $tempfile) -replace "SeServiceLogonRight = ", "SeServiceLogonRight = *$SID," |
                                                 Set-Content $tempfile
                                             <# DO NOT use Write-Message as this is inside of a script block #>
                                             Write-Verbose "Added $acc to Service Logon Privileges on $env:ComputerName"
@@ -244,7 +244,7 @@ function Convert-UserNameToSID ([string] `$Acc ) {
                                             <# DO NOT use Write-Message as this is inside of a script block #>
                                             Write-Verbose "Added $acc to Create Global Objects Privileges on $env:ComputerName"
                                         } elseif ($CGOline -notmatch $SID) {
-                                            (Get-Content $tempfile) -replace "(SeCreateGlobalPrivilege = .+)", "`$1,*$SID" |
+                                            (Get-Content $tempfile) -replace "SeCreateGlobalPrivilege = ", "SeCreateGlobalPrivilege = *$SID," |
                                                 Set-Content $tempfile
                                             <# DO NOT use Write-Message as this is inside of a script block #>
                                             Write-Verbose "Added $acc to Create Global Objects Privileges on $env:ComputerName"
@@ -270,4 +270,4 @@ function Convert-UserNameToSID ([string] `$Acc ) {
             }
         }
     }
-}
+}

tests/Set-DbaPrivilege.Tests.ps1

@@ -21,8 +21,73 @@ Describe $CommandName -Tag UnitTests {
         }
     }
 }
+
+InModuleScope dbatools {
+    Describe "Set-DbaPrivilege regressions" -Tag UnitTests {
+        BeforeAll {
+            function secedit {
+                param(
+                    [Parameter(ValueFromRemainingArguments)]
+                    [object[]]$ArgumentList
+                )
+            }
+        }
+
+        BeforeEach {
+            $script:policyFile = Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath "secpolByDbatools.cfg"
+            $script:capturedPolicyContent = $null
+
+            Mock Test-ElevationRequirement { $true }
+            Mock Test-PSRemoting { $true }
+            Mock Invoke-Command2 {
+                param(
+                    $ComputerName,
+                    $Credential,
+                    $ScriptBlock,
+                    $ArgumentList
+                )
+
+                if ($ScriptBlock.ToString() -match "secedit /export /cfg") {
+                    Set-Content -Path $script:policyFile -Value @(
+                        "[Privilege Rights]"
+                        "SeCreateGlobalPrivilege = "
+                    )
+                    return
+                }
+
+                if ($ArgumentList.Count -gt 0) {
+                    & $ScriptBlock @ArgumentList
+                    $script:capturedPolicyContent = Get-Content -Path $script:policyFile
+                    return
+                }
+
+                Remove-Item -Path $script:policyFile -Force -ErrorAction SilentlyContinue
+            }
+        }
+
+        AfterEach {
+            Remove-Item -Path $script:policyFile -Force -ErrorAction SilentlyContinue
+        }
+
+        It "adds CreateGlobalObjects when the privilege entry exists but is empty" {
+            $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
+            $expectedSid = ([System.Security.Principal.NTAccount]$user).Translate([System.Security.Principal.SecurityIdentifier]).Value
+
+            $splatSetPrivilege = @{
+                ComputerName = $env:COMPUTERNAME
+                Type         = "CreateGlobalObjects"
+                User         = $user
+                Confirm      = $false
+            }
+            $null = Set-DbaPrivilege @splatSetPrivilege
+
+            ($script:capturedPolicyContent | Where-Object { $PSItem -match "^SeCreateGlobalPrivilege" }) |
+                Should -Match "^SeCreateGlobalPrivilege = \*$([regex]::Escape($expectedSid))(,)?$"
+        }
+    }
+}
 <#
     Integration test should appear below and are custom to the command you are writing.
     Read https://github.com/dataplat/dbatools/blob/development/contributing.md#tests
     for more guidence.
-#>
+#>