Created
September 7, 2017 21:44
-
-
Save gravcat/4ceb977916c5f551cae44375296ab72a to your computer and use it in GitHub Desktop.
How to append/manipulate DCOM permission configuration via (elevated) PowerShell
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <############# | |
| This was really difficult to figure out, | |
| but here's a snippet that will allow you to modify DCOM ACLs. | |
| Easily modified to touch other properties in DCOM ACL-land. | |
| #############> | |
| # get the Object based on the AppId. This example AppID belongs to the Linux Subsystem DCOM object | |
| $wmi = (Get-WmiObject -Class Win32_DCOMApplicationSetting -Filter "AppId='{e82567ae-2ea4-4dbc-bc68-8b0a0526d8d5}'" -EnableAllPrivileges) | |
| # get the Launch Descriptor object and store | |
| $descL = $wmi.GetLaunchSecurityDescriptor().descriptor | |
| # create a special object to hold trustee related information. set trustee we want to apply as the default "Administrators" group | |
| $trusteeObj = ([wmiclass]'Win32_Trustee').psbase.CreateInstance() | |
| $trusteeObj.Domain = "BUILTIN" | |
| $trusteeObj.Name = "Administrators" | |
| # create a special object to store ACL stuffs | |
| $ace = ([wmiclass]'Win32_ACE').psbase.CreateInstance() | |
| # set the access mask we desire (Launch & Local Activation allowed). | |
| $ace.AccessMask = 11 | |
| # Set Trustee to what we created earlier then _append_ this to the existing ACL configuration. | |
| $ace.Trustee = $trusteeObj | |
| $descL.DACL += [System.Management.ManagementBaseObject]$ace | |
| # finally, use the SetLaunchSecurityDescriptor method to set all the stuff we created and appended in stone | |
| $wmi.SetLaunchSecurityDescriptor($descL) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello , I m trying to update the launch permission for my app , I used ur script getting error
The property 'dacl' cannot be found on this object. Verify that the property exists and can be set.
At D:\workdir\plantsimUnits\prod21jan\prod1\install.ps1:31 char:1
You cannot call a method on a null-valued expression.
At D:\workdir\prod1\install.ps1:34 char:1
any help please ?