Powershell - Revoking DCOM permissions - Need Help

  • Question

  • Hello,

    I'm currently working on a project at work that requires me to automate a few manual steps across many systems.  I'm moderately versed in Powershell and I understand how to add users to DCOM object permissions, however I have not figured out how to revoke a user's permission from a DCOM object.

    Here's how I add permissions for a user:

    $wmi = Get-WmiObject -Class Win32_DCOMApplicationSetting -Filter 'Caption="WHATEVER"' -EnableAllPrivileges
    $descL = $wmi.GetLaunchSecurityDescriptor().descriptor
    $trusteeObj = ([wmiclass]'Win32_Trustee').psbase.CreateInstance()
    $trusteeObj.Domain = "COMPUTERNAME"
    $trusteeObj.Name = "USERNAME"
    $ace = ([wmiclass]'Win32_ACE').psbase.CreateInstance()
    # 11 = COM_RIGHTS_EXECUTE (1) + COM_RIGHTS_EXECUTE_LOCAL (2) + COM_RIGHTS_ACTIVATE_LOCAL (8)
    $ace.AccessMask = 11
    $ace.trustee = $trusteeObj
    # += builds a new array and assigns it to the DACL property
    $descL.DACL += [System.Management.ManagementBaseObject]$ace
    $wmi.SetLaunchSecurityDescriptor($descL)

    How do I go about removing a user's permissions from a DCOM object?

    Wednesday, October 4, 2017 6:38 PM

All replies

  • You have to get the current DACL and remove the setting from the collection then set the DACL back.

    $dacl = $app.GetAccessSecurityDescriptor().Descriptor.DACL
    $dacl.Remove($ace)

    Filter the DACL by Trustee to find the ACE to remove.


    \_(ツ)_/

    Wednesday, October 4, 2017 7:34 PM
  • You have to get the current DACL and remove the setting from the collection then set the DACL back.

    $dacl = $app.GetAccessSecurityDescriptor().Descriptor.DACL
    $dacl.Remove($ace)

    Filter the DACL by Trustee to find the ACE to remove.


    \_(ツ)_/

    So I wasn't sure what the $app in your code came from, so I assumed you meant $wmi to match my code and ran this set:

    $wmi = Get-WmiObject -Class Win32_DCOMApplicationSetting -Filter 'Caption="MY OBJECT"' -EnableAllPrivileges
    $descL = $wmi.GetLaunchSecurityDescriptor().descriptor
    $trusteeObj = ([wmiclass]'Win32_Trustee').psbase.CreateInstance()
    $trusteeObj.Domain = "COMPUTERNAME"
    $trusteeObj.Name = "ACCOUNT"
    $ace = ([wmiclass]'Win32_ACE').psbase.CreateInstance()
    $ace.AccessMask = 32
    $ace.trustee = $trusteeObj
    $dacl = $wmi.GetAccessSecurityDescriptor().Descriptor.DACL
    $dacl.Remove($ace)

    Powershell returns the following error:

    Method invocation failed because [System.Management.ManagementBaseObject[]] doesn't contain a method named 'Remove'.

    If I pipe the $dacl to a get-member, there are no methods available.

    So apparently I assumed incorrectly or this method to remove will not work for me.

    Any ideas?

    Thursday, October 5, 2017 2:05 PM
  • A WMI DACL consists of three entries.  They cannot be removed.  They can only be edited.

    PS D:\scripts> $dacl|%{$_.Trustee.Name}
    SYSTEM
    Administrators
    Users

    Edit the ones that you want to change, then set the SD with the changed settings.

    Why do you think you need to remove something?

    $caption = 'Windows Update Agent'
    $appsettings = Get-WmiObject Win32_DCOMApplicationSetting -Filter "Caption='$caption'" -EnableAllPrivileges
    $dacl = $appsettings.GetLaunchSecurityDescriptor().descriptor.DACL
    $dacl|%{$_.Trustee.Name}


    \_(ツ)_/


    • Edited by jrv Thursday, October 5, 2017 5:00 PM
    Thursday, October 5, 2017 4:58 PM
  • If we try to remove an ACE we get this:

    PS D:\scripts> $dacl.RemoveAt(1)
    Exception calling "RemoveAt" with "1" argument(s): "Collection was of a fixed size."
    At line:1 char:1
    + $dacl.RemoveAt(1)
    + ~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : NotSupportedException

    This is because the SD is locked and only the AccessMask is editable.


    \_(ツ)_/

    Thursday, October 5, 2017 5:03 PM
  • I have a DCOM object in which a specific service account has Local Launch and Local Activation rights.

    This OS service account is no longer needed and will be deleted.  We were directed to remove permissions from this object for this specific account.


    Thursday, October 5, 2017 5:03 PM
  • Have you listed the trustees for your object?  How do you know they are in the DACL?


    \_(ツ)_/

    Thursday, October 5, 2017 7:58 PM
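The following is an added example, not code posted by anyone in this thread. It pulls together the original question (revoking a stale service account's Local Launch and Local Activation rights), the "Collection was of a fixed size" error shown above, and the suggestion to list the trustees first. The DACL property of the descriptor is a plain .NET array, which is why Remove() and RemoveAt() fail; but the property itself can be reassigned, which is exactly what the original += line in the question does when it adds an ACE. So the revoke is done by filtering the DACL into a new array with Where-Object and writing the descriptor back. The COM_RIGHTS_* bit values are the documented DCOM launch/activation rights; the function names, the caption 'MY OBJECT' and the account 'svc_old' are placeholders assumed for illustration. It assumes an elevated Windows PowerShell session on the host that owns the DCOM application.

```powershell
# Added example (not from the thread): audit and revoke one trustee's DCOM
# launch/activation rights by rebuilding the launch DACL as a new array.
# Assumptions: run elevated on the target host; -Caption matches exactly one
# Win32_DCOMApplicationSetting instance; the account is identified by the
# Domain and Name values that WMI reports in Win32_Trustee.

# COM_RIGHTS_* bits used in DCOM launch security descriptors
$script:DcomRights = [ordered]@{
    Execute        = 1    # COM_RIGHTS_EXECUTE
    LocalLaunch    = 2    # COM_RIGHTS_EXECUTE_LOCAL
    RemoteLaunch   = 4    # COM_RIGHTS_EXECUTE_REMOTE
    LocalActivate  = 8    # COM_RIGHTS_ACTIVATE_LOCAL
    RemoteActivate = 16   # COM_RIGHTS_ACTIVATE_REMOTE
}

function ConvertTo-DcomRightNames {
    # Decodes an AccessMask into readable right names (11 -> Execute,LocalLaunch,LocalActivate)
    param([int]$AccessMask)
    $names = foreach ($kv in $script:DcomRights.GetEnumerator()) {
        if ($AccessMask -band $kv.Value) { $kv.Key }
    }
    if ($names) { $names -join ',' } else { 'None' }
}

function Get-DcomApplicationSetting {
    # Resolves a caption to exactly one Win32_DCOMApplicationSetting instance
    param([Parameter(Mandatory)][string]$Caption)
    $app = @(Get-WmiObject -Class Win32_DCOMApplicationSetting `
        -Filter "Caption='$Caption'" -EnableAllPrivileges)
    if ($app.Count -ne 1) {
        throw "Expected one DCOM application with caption '$Caption', found $($app.Count)"
    }
    $app[0]
}

function Get-DcomLaunchTrustee {
    # Lists every ACE in the launch DACL with decoded rights, so you can confirm
    # the account is actually present before changing anything.
    param([Parameter(Mandatory)][string]$Caption)
    $sd = (Get-DcomApplicationSetting -Caption $Caption).GetLaunchSecurityDescriptor().Descriptor
    foreach ($ace in $sd.DACL) {
        [pscustomobject]@{
            Trustee    = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            AceType    = switch ($ace.AceType) { 0 { 'Allow' } 1 { 'Deny' } default { "Other($_)" } }
            AccessMask = $ace.AccessMask
            Rights     = ConvertTo-DcomRightNames $ace.AccessMask
        }
    }
}

function Remove-DcomLaunchTrustee {
    # Removes every ACE for one trustee from the launch DACL. The DACL property is a
    # fixed-size array, so Remove()/RemoveAt() throw; a new array is built with
    # Where-Object and assigned back, then the descriptor is written with
    # SetLaunchSecurityDescriptor. Supports -WhatIf/-Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Caption,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Name
    )
    $app = Get-DcomApplicationSetting -Caption $Caption
    $sd  = $app.GetLaunchSecurityDescriptor().Descriptor

    $keep = @($sd.DACL | Where-Object {
        -not ($_.Trustee.Domain -eq $Domain -and $_.Trustee.Name -eq $Name)
    })
    $removed = @($sd.DACL).Count - $keep.Count
    if ($removed -eq 0) {
        Write-Warning "No ACE for $Domain\$Name in the launch DACL of '$Caption'; nothing to do"
        return
    }
    if ($keep.Count -eq 0) {
        # An empty DACL grants nobody launch rights; refuse rather than lock the application out
        throw "Refusing to write an empty launch DACL for '$Caption'"
    }
    if ($PSCmdlet.ShouldProcess($Caption, "Remove $removed launch ACE(s) for $Domain\$Name")) {
        $sd.DACL = [System.Management.ManagementBaseObject[]]$keep
        $result = $app.SetLaunchSecurityDescriptor($sd)
        if ($result.ReturnValue -ne 0) {
            throw "SetLaunchSecurityDescriptor returned $($result.ReturnValue)"
        }
        Write-Verbose "Removed $removed ACE(s); re-run Get-DcomLaunchTrustee to verify"
    }
}

# Example usage (caption and account are placeholders):
# Get-DcomLaunchTrustee -Caption 'MY OBJECT' | Format-Table
# Remove-DcomLaunchTrustee -Caption 'MY OBJECT' -Domain 'COMPUTERNAME' -Name 'svc_old' -WhatIf
# Remove-DcomLaunchTrustee -Caption 'MY OBJECT' -Domain 'COMPUTERNAME' -Name 'svc_old' -Verbose
```

Run Get-DcomLaunchTrustee first and keep its output as the before-state; run it again after the removal so the change is recorded. Matching on Domain and Name mirrors the thread's trustee objects; if the account is being deleted anyway, comparing Win32_Trustee.SIDString instead avoids any ambiguity from renamed accounts. The same pattern applies to the access descriptor by swapping in GetAccessSecurityDescriptor and SetAccessSecurityDescriptor, which only use the Execute, LocalLaunch and RemoteLaunch bits.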