Howdy - I posted a question here last week and found out that what I was trying to use for a script that I found MS posted was not valid for Windows 2003 because the Security Descriptor is not available. Instead of wasting anyone’s time I thought a new request for help would be better.
I wanted to ask anyone if they could help me with a new script that would do what I need to set WMI Namespace permissions for a service account on root\cimv2 and if possible do this on 2003, 2008, 2008r2, and even 2012 if that’s possible?
I have tried doing things found in several articles and haven't had any luck at all. The best thing I found was the script below, which states it works on 2003, but I haven't tested it because I want to remove the items it sets for DCOM permissions and I'm not sure what they are. Then if I remove them I'm sure I'll break the WMI portion, which I need. Can someone help me possibly set this so it only sets the permissions required on root\cimv2 for servers? I have the systems in a list (obviously I can use csv or txt), but I was thinking it would be great to run this against the domain, do a search for 2003, 2008, 2008r2, and then based on the results run the proper commands to set the permissions. The service account is for a monitoring application and it states that the WMI access required is:
Enable Account
Remote Enable
For the groups it has to be a member of Distributed COM Users, Performance Log Users, and Performance Monitor Users, but I'm using a GPO for that part. For standalone servers I wanted to have this script either determine the domain, or even have a separate script that would create a regular "user" account on the system, set the pwd, set it to never expire, set it to "user can't change pwd", and then add it to the groups. What's the best way to handle these systems?
# Resolve an account name (DOMAIN\user or MACHINE\user) to its SID string
function get-sid
{
    Param (
        $DSIdentity
    )
    $ID = new-object System.Security.Principal.NTAccount($DSIdentity)
    return $ID.Translate( [System.Security.Principal.SecurityIdentifier] ).toString()
}

$sid = get-sid "local\maxsmart"
# WMI namespace ACE: CC = Enable Account, WP = Remote Enable
$SDDL = "A;;CCWP;;;$sid"
# DCOM ACE added to the machine-wide launch/activation restriction
$DCOMSDDL = "A;;CCDCRP;;;$sid"
$computers = Get-Content "computers.txt"

foreach ($strcomputer in $computers)
{
    # Remote registry access via the StdRegProv WMI class
    $Reg = [WMIClass]"\\$strcomputer\root\default:StdRegProv"
    # 2147483650 = HKEY_LOCAL_MACHINE
    $DCOM = $Reg.GetBinaryValue(2147483650,"software\microsoft\ole","MachineLaunchRestriction").uValue
    $security = Get-WmiObject -ComputerName $strcomputer -Namespace root/cimv2 -Class __SystemSecurity
    $converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper

    # GetSD returns the binary security descriptor through the out parameter
    $binarySD = @($null)
    $result = $security.PsBase.InvokeMethod("GetSD",$binarySD)
    $outsddl = $converter.BinarySDToSDDL($binarySD[0])
    $outDCOMSDDL = $converter.BinarySDToSDDL($DCOM)

    # Append the new ACE to the existing SDDL strings
    $newSDDL = $outsddl.SDDL + "(" + $SDDL + ")"
    $newDCOMSDDL = $outDCOMSDDL.SDDL + "(" + $DCOMSDDL + ")"

    $WMIbinarySD = $converter.SDDLToBinarySD($newSDDL)
    $WMIconvertedPermissions = ,$WMIbinarySD.BinarySD
    $DCOMbinarySD = $converter.SDDLToBinarySD($newDCOMSDDL)
    $DCOMconvertedPermissions = ,$DCOMbinarySD.BinarySD

    # Write back the WMI namespace security descriptor
    $result = $security.PsBase.InvokeMethod("SetSD",$WMIconvertedPermissions)
    # Write back the DCOM launch restriction (this is the DCOM part)
    $result = $Reg.SetBinaryValue(2147483650,"software\microsoft\ole","MachineLaunchRestriction", $DCOMbinarySD.binarySD)
}
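An added example of the WMI-only part of the above, not the poster's script: it appends a single Enable Account + Remote Enable ACE on root\cimv2 per host, skips hosts that already carry an ACE for that SID, and reads the descriptor back to confirm the write. The account name, computers.txt and admin access to each host are assumptions.

```powershell
# Added example: grant ONLY "Enable Account" (CC, 0x1) and "Remote Enable"
# (WP, 0x20) on root\cimv2. No DCOM registry changes are made here.
# Assumes the caller has admin/WMI access to each host in computers.txt.
function Get-AccountSid {
    param([Parameter(Mandatory)][string]$Account)   # e.g. "DOMAIN\svc_monitor" (assumed)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Set-CimV2MonitorAccess {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Sid
    )
    $ace = "(A;;CCWP;;;$Sid)"   # Enable Account + Remote Enable, nothing more

    $security  = Get-WmiObject -ComputerName $ComputerName -Namespace root\cimv2 -Class __SystemSecurity
    $converter = New-Object System.Management.ManagementClass Win32_SecurityDescriptorHelper

    # GetSD hands the binary descriptor back through the out parameter (slot 0)
    $binarySD = @($null)
    [void]$security.PsBase.InvokeMethod("GetSD", $binarySD)
    $currentSddl = $converter.BinarySDToSDDL($binarySD[0]).SDDL

    # Check before write: do not stack duplicate ACEs for the same SID
    if ($currentSddl -like "*;$Sid)*") {
        Write-Warning "$ComputerName : root\cimv2 already has an ACE for $Sid, skipping"
        return $false
    }

    $newBinary = $converter.SDDLToBinarySD($currentSddl + $ace).BinarySD
    $setArgs   = ,$newBinary              # SetSD takes a single byte[] argument
    $rc = $security.PsBase.InvokeMethod("SetSD", $setArgs)
    if ($rc -ne 0) { throw "$ComputerName : SetSD returned $rc" }

    # Read back and verify the ACE for this SID is now present
    $check = @($null)
    [void]$security.PsBase.InvokeMethod("GetSD", $check)
    $afterSddl = $converter.BinarySDToSDDL($check[0]).SDDL
    return ($afterSddl -like "*;$Sid)*")
}

$sid = Get-AccountSid "DOMAIN\svc_monitor"          # assumed account name
foreach ($computer in Get-Content "computers.txt") {  # assumed host list
    $ok = Set-CimV2MonitorAccess -ComputerName $computer -Sid $sid
    "{0}: {1}" -f $computer, $(if ($ok) { "ACE applied and verified" } else { "no change" })
}
```

The existing-ACE check matches any ACE ending in the SID, so a host with a Deny entry for the account is also skipped and should be inspected by hand.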