DCOM objects launch permissions help.

Here is an example of what I have been doing.

```powershell
$ComName = 'PrintNotify'
$dcom = Get-WmiObject Win32_DCOMApplicationSetting `
            -Filter "Description='$ComName'" -EnableAllPrivileges
$asd = $dcom.GetAccessSecurityDescriptor().Descriptor
$csd = $dcom.GetConfigurationSecurityDescriptor().Descriptor
$lsd = $dcom.GetLaunchSecurityDescriptor().Descriptor

Write-Host "Local Service: " $dcom.LocalService
Write-Host "Application ID: " $dcom.AppID
Write-Host "Authentication Level: " $dcom.AuthenticationLevel
Write-Host "Users: " $lsd.dacl.trustee.name
```

So what I can determine is “Authentication Level” of blank = the “default” value. If I change the Authentication to an alternate value it does provide a value.

However, the big concern is launch permissions. If I add a user and give it any single permission it now shows up as a user. If I remove all permissions it then removes the user from the DCOM object. What I can’t figure out is how to determine what permissions are assigned to each user.

So for example how would I determine that Administrators in this example is set to Local launch/activation but not remote?

Given that DCOM is pretty ancient at this point, you’re pretty much limited to what Microsoft has already provided in terms of automation - which ain’t much. I’m not sure I’m seeing a way to do what you’re asking - partially because that WMI object doesn’t recurse through inherited privileges like Administrators would have.

First, thanks for the response.

Basically, I am attempting to make a set of scripts that checks permissions for all files/registry keys/DCOM etc. for an entire installed product. I am leveraging accesschk.exe (from Sysinternals) to pull the effective permissions of the registry and filesystem locations and got stuck trying to figure out how to pull DCOM permissions in an automated way.

Do you know of another alternate way that I could script obtaining the users/permissions from a DCOM object? (If you don’t know off the top of your head… I am going to google/bing it too 🙂)
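
Added example, not part of the original thread: each ACE in the launch descriptor's DACL carries an `AccessMask` whose bits are the COM launch/activation rights, so the per-trustee permissions asked about above can be read by decoding that mask. The function names `ConvertFrom-ComLaunchAce` and `Get-DcomLaunchRights` are hypothetical, and the sample ACEs are constructed so the decoder can be tried without touching a live DCOM application.

```powershell
# COM launch/activation rights carried in each ACE's AccessMask (Windows SDK values).
$ComRights = [ordered]@{
    'Local Launch'      = 0x02   # COM_RIGHTS_EXECUTE_LOCAL
    'Remote Launch'     = 0x04   # COM_RIGHTS_EXECUTE_REMOTE
    'Local Activation'  = 0x08   # COM_RIGHTS_ACTIVATE_LOCAL
    'Remote Activation' = 0x10   # COM_RIGHTS_ACTIVATE_REMOTE
}

function ConvertFrom-ComLaunchAce {   # hypothetical helper, not a built-in cmdlet
    param([Parameter(Mandatory, ValueFromPipeline)] $Ace)
    process {
        $mask = [uint32]$Ace.AccessMask
        # Legacy ACEs carry only COM_RIGHTS_EXECUTE (0x01); COM treats that as all four rights.
        if (($mask -band 0x1E) -eq 0 -and ($mask -band 0x01)) { $mask = 0x1F }
        $names = $ComRights.Keys | Where-Object { $mask -band $ComRights[$_] }
        [pscustomobject]@{
            Trustee = (@($Ace.Trustee.Domain, $Ace.Trustee.Name) | Where-Object { $_ }) -join '\'
            SID     = $Ace.Trustee.SIDString
            Type    = if ($Ace.AceType -eq 1) { 'Deny' } else { 'Allow' }   # 0 = allow, 1 = deny
            Mask    = '0x{0:X2}' -f [uint32]$Ace.AccessMask
            Rights  = $names -join ', '
        }
    }
}

function Get-DcomLaunchRights {   # hypothetical wrapper around the query from the post
    param([Parameter(Mandatory)] [string] $Description)
    $app = Get-WmiObject Win32_DCOMApplicationSetting `
               -Filter "Description='$Description'" -EnableAllPrivileges
    $sd  = $app.GetLaunchSecurityDescriptor().Descriptor
    if (-not $sd) { Write-Warning "No launch descriptor returned for '$Description'"; return }
    $sd.DACL | ConvertFrom-ComLaunchAce
}

# Constructed sample ACEs shaped like Win32_ACE objects (not taken from a real system).
$sample = @(
    [pscustomobject]@{ AceType = 0; AccessMask = 0x0B   # execute + local launch + local activation
        Trustee = [pscustomobject]@{ Domain = 'BUILTIN'; Name = 'Administrators'; SIDString = 'S-1-5-32-544' } }
    [pscustomobject]@{ AceType = 0; AccessMask = 0x1F   # all four rights
        Trustee = [pscustomobject]@{ Domain = 'NT AUTHORITY'; Name = 'SYSTEM'; SIDString = 'S-1-5-18' } }
)
$sample | ConvertFrom-ComLaunchAce | Format-Table -AutoSize

# On a live system (elevated Windows PowerShell):
#   Get-DcomLaunchRights -Description 'PrintNotify' | Format-Table -AutoSize
```

The decoder reports only ACEs present in the descriptor it is given; deny ACEs are listed with their own type so an audit can weigh them against the allow entries for the same trustee.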