-
Notifications
You must be signed in to change notification settings - Fork 227
Deny‑SqlDscServerPermission
dscbot edited this page Jan 5, 2026
·
3 revisions
Denies server permissions to a principal on a SQL Server Database Engine instance.
Deny-SqlDscServerPermission -Login <Login> -Permission <SqlServerPermission[]> [-Force]
[-WhatIf] [-Confirm] [<CommonParameters>]
Deny-SqlDscServerPermission -ServerRole <ServerRole> -Permission <SqlServerPermission[]> [-Force]
[-WhatIf] [-Confirm] [<CommonParameters>]
This command denies server permissions to an existing principal on a SQL Server Database Engine instance. The principal can be specified as either a Login object (from Get-SqlDscLogin) or a ServerRole object (from Get-SqlDscRole).
$serverInstance = Connect-SqlDscDatabaseEngine
$login = $serverInstance | Get-SqlDscLogin -Name 'MyLogin'
Deny-SqlDscServerPermission -Login $login -Permission ConnectSql, ViewServerState
Denies the specified permissions to the login 'MyLogin'.
$serverInstance = Connect-SqlDscDatabaseEngine
$role = $serverInstance | Get-SqlDscRole -Name 'MyRole'
$role | Deny-SqlDscServerPermission -Permission AlterAnyDatabase -Force
Denies the specified permissions to the role 'MyRole' without prompting for confirmation.
Specifies that the permissions should be denied without any confirmation.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: FalseSpecifies the Login object for which the permissions are denied. This parameter accepts pipeline input.
Type: Login
Parameter Sets: Login
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: FalseSpecifies the permissions to be denied. Specify multiple permissions by providing an array of SqlServerPermission enum values.
Type: SqlServerPermission[]
Parameter Sets: (All)
Aliases:
Accepted values: AdministerBulkOperations, AlterAnyAvailabilityGroup, AlterAnyConnection, AlterAnyCredential, AlterAnyDatabase, AlterAnyEndpoint, AlterAnyEventNotification, AlterAnyEventSession, AlterAnyEventSessionAddEvent, AlterAnyEventSessionAddTarget, AlterAnyEventSessionDisable, AlterAnyEventSessionDropEvent, AlterAnyEventSessionDropTarget, AlterAnyEventSessionEnable, AlterAnyEventSessionOption, AlterAnyLinkedServer, AlterAnyLogin, AlterAnyServerAudit, AlterAnyServerRole, AlterResources, AlterServerState, AlterSettings, AlterTrace, AuthenticateServer, ConnectAnyDatabase, ConnectSql, ControlServer, CreateAnyDatabase, CreateAnyEventSession, CreateAvailabilityGroup, CreateDdlEventNotification, CreateEndpoint, CreateLogin, CreateServerRole, CreateTraceEventNotification, DropAnyEventSession, ExternalAccessAssembly, ImpersonateAnyLogin, SelectAllUserSecurables, Shutdown, UnsafeAssembly, ViewAnyCryptographicallySecuredDefinition, ViewAnyDatabase, ViewAnyDefinition, ViewAnyErrorLog, ViewAnyPerformanceDefinition, ViewAnySecurityDefinition, ViewServerPerformanceState, ViewServerSecurityAudit, ViewServerSecurityState, ViewServerState
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: FalseSpecifies the ServerRole object for which the permissions are denied. This parameter accepts pipeline input.
Type: ServerRole
Parameter Sets: ServerRole
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: FalsePrompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: FalseShows what would happen if the cmdlet runs. The cmdlet is not run.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: FalseThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
The Login or ServerRole object must come from the same SQL Server instance
where the permissions will be denied.
If specifying -ErrorAction 'SilentlyContinue'
then the command will silently continue if any errors occur.
If specifying
-ErrorAction 'Stop' the command will throw an error on any failure.
- Add-SqlDscFileGroup
- Add-SqlDscNode
- Add-SqlDscRSSslCertificateBinding
- Add-SqlDscRSUrlReservation
- Add-SqlDscTraceFlag
- Assert-SqlDscAgentOperator
- Assert-SqlDscLogin
- Backup-SqlDscDatabase
- Backup-SqlDscRSEncryptionKey
- Complete-SqlDscFailoverCluster
- Complete-SqlDscImage
- Connect-SqlDscDatabaseEngine
- ConvertFrom-SqlDscDatabasePermission
- ConvertFrom-SqlDscServerPermission
- ConvertTo-SqlDscDatabasePermission
- ConvertTo-SqlDscDataFile
- ConvertTo-SqlDscEditionName
- ConvertTo-SqlDscFileGroup
- ConvertTo-SqlDscServerPermission
- Deny-SqlDscServerPermission
- Disable-SqlDscAgentOperator
- Disable-SqlDscAudit
- Disable-SqlDscDatabaseSnapshotIsolation
- Disable-SqlDscLogin
- Disable-SqlDscRsSecureConnection
- Disconnect-SqlDscDatabaseEngine
- Enable-SqlDscAgentOperator
- Enable-SqlDscAudit
- Enable-SqlDscDatabaseSnapshotIsolation
- Enable-SqlDscLogin
- Enable-SqlDscRsSecureConnection
- Get-SqlDscAgentAlert
- Get-SqlDscAgentOperator
- Get-SqlDscAudit
- Get-SqlDscBackupFileList
- Get-SqlDscCompatibilityLevel
- Get-SqlDscConfigurationOption
- Get-SqlDscDatabase
- Get-SqlDscDatabasePermission
- Get-SqlDscDateTime
- Get-SqlDscInstalledInstance
- Get-SqlDscLogin
- Get-SqlDscManagedComputer
- Get-SqlDscManagedComputerInstance
- Get-SqlDscManagedComputerService
- Get-SqlDscPreferredModule
- Get-SqlDscRole
- Get-SqlDscRSConfigFile
- Get-SqlDscRSConfiguration
- Get-SqlDscRSDatabaseInstallation
- Get-SqlDscRSExecutionLog
- Get-SqlDscRSIPAddress
- Get-SqlDscRSLogPath
- Get-SqlDscRSPackage
- Get-SqlDscRSServiceAccount
- Get-SqlDscRSSetupConfiguration
- Get-SqlDscRSSslCertificate
- Get-SqlDscRSSslCertificateBinding
- Get-SqlDscRSUrl
- Get-SqlDscRSUrlReservation
- Get-SqlDscRSVersion
- Get-SqlDscRSWebPortalApplicationName
- Get-SqlDscServerPermission
- Get-SqlDscServerProtocol
- Get-SqlDscServerProtocolName
- Get-SqlDscServerProtocolTcpIp
- Get-SqlDscSetupLog
- Get-SqlDscStartupParameter
- Get-SqlDscTraceFlag
- Grant-SqlDscServerPermission
- Import-SqlDscPreferredModule
- Initialize-SqlDscFailoverCluster
- Initialize-SqlDscImage
- Initialize-SqlDscRebuildDatabase
- Initialize-SqlDscRS
- Install-SqlDscFailoverCluster
- Install-SqlDscPowerBIReportServer
- Install-SqlDscReportingService
- Install-SqlDscServer
- Invoke-SqlDscQuery
- Invoke-SqlDscScalarQuery
- New-SqlDscAgentAlert
- New-SqlDscAgentOperator
- New-SqlDscAudit
- New-SqlDscDatabase
- New-SqlDscDatabaseSnapshot
- New-SqlDscDataFile
- New-SqlDscFileGroup
- New-SqlDscLogin
- New-SqlDscRole
- New-SqlDscRSEncryptionKey
- Remove-SqlDscAgentAlert
- Remove-SqlDscAgentOperator
- Remove-SqlDscAudit
- Remove-SqlDscDatabase
- Remove-SqlDscLogin
- Remove-SqlDscNode
- Remove-SqlDscRole
- Remove-SqlDscRSEncryptedInformation
- Remove-SqlDscRSEncryptionKey
- Remove-SqlDscRSSslCertificateBinding
- Remove-SqlDscRSUnattendedExecutionAccount
- Remove-SqlDscRSUrlReservation
- Remove-SqlDscTraceFlag
- Repair-SqlDscPowerBIReportServer
- Repair-SqlDscReportingService
- Repair-SqlDscServer
- Request-SqlDscRSDatabaseRightsScript
- Request-SqlDscRSDatabaseScript
- Request-SqlDscRSDatabaseUpgradeScript
- Restart-SqlDscRSService
- Restore-SqlDscDatabase
- Restore-SqlDscRSEncryptionKey
- Resume-SqlDscDatabase
- Revoke-SqlDscServerPermission
- Save-SqlDscSqlServerMediaFile
- Set-SqlDscAgentAlert
- Set-SqlDscAgentOperator
- Set-SqlDscAudit
- Set-SqlDscConfigurationOption
- Set-SqlDscDatabaseDefault
- Set-SqlDscDatabaseOwner
- Set-SqlDscDatabasePermission
- Set-SqlDscDatabaseProperty
- Set-SqlDscRSDatabaseConnection
- Set-SqlDscRSDatabaseTimeout
- Set-SqlDscRSServiceAccount
- Set-SqlDscRSSmtpConfiguration
- Set-SqlDscRSSslCertificateBinding
- Set-SqlDscRSUnattendedExecutionAccount
- Set-SqlDscRSUrlReservation
- Set-SqlDscRSVirtualDirectory
- Set-SqlDscServerPermission
- Set-SqlDscStartupParameter
- Set-SqlDscTraceFlag
- Start-SqlDscRSWebService
- Start-SqlDscRSWindowsService
- Stop-SqlDscRSWebService
- Stop-SqlDscRSWindowsService
- Suspend-SqlDscDatabase
- Test-SqlDscAgentAlertProperty
- Test-SqlDscBackupFile
- Test-SqlDscConfigurationOption
- Test-SqlDscDatabaseProperty
- Test-SqlDscIsAgentAlert
- Test-SqlDscIsAgentOperator
- Test-SqlDscIsDatabase
- Test-SqlDscIsDatabasePrincipal
- Test-SqlDscIsLogin
- Test-SqlDscIsLoginEnabled
- Test-SqlDscIsRole
- Test-SqlDscIsSupportedFeature
- Test-SqlDscRSAccessible
- Test-SqlDscRSInitialized
- Test-SqlDscRSInstalled
- Test-SqlDscServerPermission
- Uninstall-SqlDscPowerBIReportServer
- Uninstall-SqlDscReportingService
- Uninstall-SqlDscServer
- Update-SqlDscServer
- Update-SqlDscServerEdition
- Change Report Server Service Account
- Deploy Power BI Report Server
- Setting up a SQL Server AlwaysOn Availability Groups
- Setting up a SQL Server Failover Cluster
- Troubleshooting Report Server
- SqlAG
- SqlAGDatabase
- SqlAgentAlert
- SqlAgentFailsafe
- SqlAgentOperator
- SqlAGListener
- SqlAGReplica
- SqlAlias
- SqlAlwaysOnService
- SqlAudit
- SqlConfiguration
- SqlDatabase
- SqlDatabaseDefaultLocation
- SqlDatabaseMail
- SqlDatabaseObjectPermission
- SqlDatabasePermission
- SqlDatabaseRole
- SqlDatabaseUser
- SqlEndpoint
- SqlEndpointPermission
- SqlLogin
- SqlMaxDop
- SqlMemory
- SqlPermission
- SqlProtocol
- SqlProtocolTcpIp
- SqlReplication
- SqlRole
- SqlRS
- SqlRSSetup
- SqlScript
- SqlScriptQuery
- SqlSecureConnection
- SqlServiceAccount
- SqlSetup
- SqlTraceFlag
- SqlWaitForAG
- SqlWindowsFirewall