none
Launch and Activation Permissions in DCOM Config via powershell

    Question

  • Is there any possibility to set permissions under


    Win2008 Server -> Administrative Tools -> Component Services -> Computer -> MyComputer -> DCOM Config -> <AppName> -> Security Tab -> Lanch and activation permissions

    via Powershell? Thanks in advance for any suggestions

    Thursday, April 26, 2012 1:24 PM

Answers

All replies

  • Yes.

    SubInAckl can set perms on objects by GUID I believe.

    I have not been able to deterimine if ComMgr can also do this.


    ¯\_(ツ)_/¯

    Thursday, April 26, 2012 1:40 PM
  • Download SubInAcl.exe:

    http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=23510


    Richard Mueller - MVP Directory Services

    Sunday, April 29, 2012 2:26 AM
    Moderator
  • See my post: Script remote DCOM / WMI access for a non admin - although it's not an exact match, you should be able to figure it out from there.

    Karl


    When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer



    My Blog: http://unlockpowershell.wordpress.com
    My Book: Windows PowerShell 2.0 Bible
    My E-mail: -join ("6B61726C6D69747363686B65406D742E6E6574"-split"(?<=\G.{2})",19|%{[char][int]"0x$_"})

    Tuesday, May 01, 2012 1:57 PM
  • Don't look now but ther eis an even easier way to do this and has been for a long time (since XP SP2 I believe)

    Group Policy object: Computer Configuration \Windows Settings \Local Policies \Security Options
    "DCOM:Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) Syntax"
    (Existence of this policy, overrides, values in MachineLaunch Restriction, above)

    Group Policy object: Computer Configuration \Windows Settings \Local Policies \Security Options
    "DCOM:Machine Access Restrictions in Security Descriptor Definition Language (SDDL) Syntax"
    (Existence of this policy, overrides, values in MachineAccess Restriction, above)

    Karl: Excellent script deming how to update security binaries in the registry.


    ¯\_(ツ)_/¯


    • Edited by jrv Tuesday, May 01, 2012 2:22 PM
    Tuesday, May 01, 2012 2:21 PM
  • A GPO was not an option in our case....

    Thanks for the compliment. I am doing more work in that vein now, and hope to have an updated post soon.

    Karl


    When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer



    My Blog: http://unlockpowershell.wordpress.com
    My Book: Windows PowerShell 2.0 Bible
    My E-mail: -join ("6B61726C6D69747363686B65406D742E6E6574"-split"(?<=\G.{2})",19|%{[char][int]"0x$_"})

    Tuesday, May 01, 2012 4:07 PM
  • A GPO was not an option in our case....

    Thanks for the compliment. I am doing more work in that vein now, and hope to have an updated post soon.

    Karl


    When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer



    My Blog: http://unlockpowershell.wordpress.com
    My Book: Windows PowerShell 2.0 Bible
    My E-mail: -join ("6B61726C6D69747363686B65406D742E6E6574"-split"(?<=\G.{2})",19|%{[char][int]"0x$_"})

    Good.  I recommend to anyoone who can the use GP as it is more secure and easier to change when needed.

    MOst admins that I have worked with over the years did not know anout DCOM GP settings.  Even MS supoprt doesn't seem to knwo. They just say that it coan only be changed manually or programatically.  I don't think there is a KB on this.


    ¯\_(ツ)_/¯

    Tuesday, May 01, 2012 4:22 PM