Powershell: How to add user on a COM Security Access Permission?

  • Question

  • Hey guys,

    We want to add a domain service account in the DCOM Security both as Access Permission and Launch and Activation Permission. Is this possible through Powershell? Our plan is to use the script and push it to clients as a login script. I know there are other ways to do this, but we are having technical conflicts and issues with every other means except this one. I hope someone can shed some light on this issue.

    Thank you,

    Wednesday, February 3, 2016 11:18 AM

Answers

  • Hello d4ry1

    Maybe to start off you could read the following

    http://stackoverflow.com/questions/11363342/change-dcom-config-security-settings-using-powershell

    I think this is what you're searching.

    Cheers Luca

    • Marked as answer by d4ry1 Thursday, February 4, 2016 2:59 PM
    Wednesday, February 3, 2016 11:44 AM

All replies

  • $Dcom = Get-WmiObject -Class Win32_DcomApplicationSetting

    I think these methods would be the ones to use.

    SetLaunchSecurityDescriptor()

    SetAccessSecurityDescriptor()

    Cheers

    Wednesday, February 3, 2016 11:47 AM
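  • A worked example added here by the editor, not code from the thread or from the linked posts: it grants one account both Launch/Activation and Access permission on a single DCOM application through the Win32_DCOMApplicationSetting Get/Set*SecurityDescriptor methods named above. The descriptor is round-tripped through SDDL with Win32_SecurityDescriptorHelper so the ACE can be built with the .NET RawSecurityDescriptor classes instead of hand-assembling Win32_ACE/Win32_Trustee objects. The AppID and account are placeholders, the script must run elevated, and it covers per-application permissions only; the machine-wide COM Security defaults stored as binary descriptors under HKLM\SOFTWARE\Microsoft\Ole are read only as a starting point when the application has no explicit descriptor of its own.

```powershell
# Added example, not from the original thread. Grants $Account Launch/Activation and
# Access rights on one DCOM application (identified by $AppId, a placeholder here).
param(
    [string]$AppId   = '{00000000-0000-0000-0000-000000000000}',  # placeholder AppID
    [string]$Account = 'CONTOSO\svc-dcom'                         # placeholder account
)

# COM access-mask bits (COM_RIGHTS_* from the DCOM security documentation).
$COM_RIGHTS_EXECUTE         = 0x1
$COM_RIGHTS_EXECUTE_LOCAL   = 0x2
$COM_RIGHTS_EXECUTE_REMOTE  = 0x4
$COM_RIGHTS_ACTIVATE_LOCAL  = 0x8
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10

# Launch permission needs launch + activation bits; access permission needs only execute bits.
$LaunchMask = $COM_RIGHTS_EXECUTE -bor $COM_RIGHTS_EXECUTE_LOCAL -bor $COM_RIGHTS_EXECUTE_REMOTE -bor
              $COM_RIGHTS_ACTIVATE_LOCAL -bor $COM_RIGHTS_ACTIVATE_REMOTE
$AccessMask = $COM_RIGHTS_EXECUTE -bor $COM_RIGHTS_EXECUTE_LOCAL -bor $COM_RIGHTS_EXECUTE_REMOTE

# Converts between Win32_SecurityDescriptor, SDDL and binary self-relative descriptors.
$helper = [wmiclass]'Win32_SecurityDescriptorHelper'

function Get-DefaultDescriptor {
    # Machine-wide default ("Edit Default" on the COM Security tab), stored as a binary
    # security descriptor under HKLM\SOFTWARE\Microsoft\Ole. Absent value = COM built-in default.
    param([string]$ValueName)
    $bytes = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction Stop).$ValueName
    if ($null -eq $bytes) {
        throw "$ValueName is not set; set explicit permissions for this application first."
    }
    return $helper.BinarySDToWin32SD([byte[]]$bytes).Descriptor
}

function Add-AllowAce {
    # Returns a new Win32_SecurityDescriptor equal to $Descriptor plus one access-allowed ACE.
    param($Descriptor, [System.Security.Principal.SecurityIdentifier]$Sid, [int]$Mask)
    $sddl = $helper.Win32SDToSDDL($Descriptor).SDDL
    $raw  = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    if ($null -eq $raw.DiscretionaryAcl) {
        # A null DACL already grants everyone; replacing it with a one-entry DACL would
        # lock out administrators, so refuse rather than silently narrow it.
        throw "Descriptor has a null DACL (everyone allowed); refusing to rewrite it."
    }
    $ace = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $Mask, $Sid, $false, $null)
    $raw.DiscretionaryAcl.InsertAce($raw.DiscretionaryAcl.Count, $ace)
    $newSddl = $raw.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    return $helper.SDDLToWin32SD($newSddl).Descriptor
}

# Resolve the account to a SID once; the ACE stores the SID, not the name.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$app = Get-WmiObject -Class Win32_DCOMApplicationSetting -Filter "AppID='$AppId'" -EnableAllPrivileges
if (-not $app) { throw "No DCOM application with AppID $AppId on this host." }

# Read the current descriptors; fall back to the machine defaults if the app has none.
$launchSd = $app.GetLaunchSecurityDescriptor().Descriptor
if ($null -eq $launchSd) { $launchSd = Get-DefaultDescriptor 'DefaultLaunchPermission' }
$accessSd = $app.GetAccessSecurityDescriptor().Descriptor
if ($null -eq $accessSd) { $accessSd = Get-DefaultDescriptor 'DefaultAccessPermission' }

# Write back the descriptors with the extra ACE and check the WMI return codes.
$r = $app.SetLaunchSecurityDescriptor((Add-AllowAce $launchSd $sid $LaunchMask))
if ($r.ReturnValue -ne 0) { throw "SetLaunchSecurityDescriptor failed with $($r.ReturnValue)" }
$r = $app.SetAccessSecurityDescriptor((Add-AllowAce $accessSd $sid $AccessMask))
if ($r.ReturnValue -ne 0) { throw "SetAccessSecurityDescriptor failed with $($r.ReturnValue)" }

# Verify by reading the stored SDDL back; the new ACE should list the account's SID.
$launchNow = $helper.Win32SDToSDDL($app.GetLaunchSecurityDescriptor().Descriptor).SDDL
$accessNow = $helper.Win32SDToSDDL($app.GetAccessSecurityDescriptor().Descriptor).SDDL
Write-Output "Launch/Activation SDDL: $launchNow"
Write-Output "Access SDDL:            $accessNow"
if ($launchNow -notmatch [regex]::Escape($sid.Value)) { throw "Launch ACE for $Account not found after write." }
```

    Grant only the bits the account needs: drop the *_REMOTE bits if the service runs locally, and keep the ACE scoped to the one AppID rather than granting the account broader rights on the machine. Reading the SDDL back with Win32SDToSDDL is also the quick way to check whether a Group Policy setting has since overwritten the change.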
    Thanks for the link, actually I'm trying to figure out the code block of the link you'd just provided for some time now. I was hoping that someone here has a more simple approach. I appreciate the research bro.
    Wednesday, February 3, 2016 12:00 PM
    I guess the problem is that you have to mess around with security descriptors (SDDL) to set these permissions on those objects, since there is (to my knowledge) no other way to access the security subsystem.

    I'll take some time to take a look at this or do some coding.

    Cheers


    • Edited by PsLumu Wednesday, February 3, 2016 12:14 PM
    Wednesday, February 3, 2016 12:12 PM
  • This should be done with Group Policy.  It is the normal and BP method.

    \_(ツ)_/

    Wednesday, February 3, 2016 12:26 PM
  • That's true,  but we currently can't do it because of some internal conflicts that I can't discuss. Our only way right now is to use powershell scripting and push it as a login script.
    Wednesday, February 3, 2016 12:35 PM
  • Maybe this is something to look at

    https://gallery.technet.microsoft.com/Set-DCOM-ACL-with-650fa48d

    cheers

    Wednesday, February 3, 2016 1:32 PM
  • That's true,  but we currently can't do it because of some internal conflicts that I can't discuss. Our only way right now is to use powershell scripting and push it as a login script.

    The point is that it cannot be done in a login script.  It can only be done via explicit configuration or by using GP.

    Start by looking at how the security for DCOM is maintained and why. In Vista and later there is a group on each system that sets remote access to WMI and it is managed by GP.

    If a network is secured you will be blocked by GP from changing this with any other tool or method.  You cannot hack DCOM or WMI in a modern secure network.


    \_(ツ)_/

    Wednesday, February 3, 2016 1:32 PM
  • Maybe this is something to look at

    https://gallery.technet.microsoft.com/Set-DCOM-ACL-with-650fa48d

    cheers

    Old and will not work if GP has security set.  In all cases it will not work in a login script.

    DCOM security in a domain is almost always enforced by GP.  You cannot alter the settings as GP will just set them back in a few minutes.

    You should work with your network admins to manage this securely.


    \_(ツ)_/

    Wednesday, February 3, 2016 1:41 PM
    No offense man but if you don't have any solution just move on. You're way off point in what I'm seeking for. It doesn't matter if the GP will just revert or block the changes, we can disable that behavior of the GP during the time frame of the implementation of the script, why would you even bother thinking about that, it's common sense, that's how GP works. Cheers,
    Wednesday, February 3, 2016 2:19 PM
  • Thanks man I'll try this and get back here if something came up.
    Wednesday, February 3, 2016 2:20 PM
    No offense man but if you don't have any solution just move on. You're way off point in what I'm seeking for. It doesn't matter if the GP will just revert or block the changes, we can disable that behavior of the GP during the time frame of the implementation of the script, why would you even bother thinking about that, it's common sense, that's how GP works. Cheers,

    Point is a login script will not work.  You need to think through why this is so.

    I think you need to do a bit of homework about this before getting annoyed and shooting the messenger.


    \_(ツ)_/

    Wednesday, February 3, 2016 2:24 PM
  • In my last post you also said it won't work yet it did. So there's that, maybe it's just you again.^_^.
    Wednesday, February 3, 2016 2:27 PM
  • I think the only one shooting the messenger and getting annoyed is you Jrv. :)
    • Edited by PsLumu Wednesday, February 3, 2016 2:29 PM
    Wednesday, February 3, 2016 2:28 PM
  • In my last post you also said it won't work yet it did. So there's that, maybe it's just you again.^_^.

    So you are running on XP and every user is an admin.

    Don't try jerking my chain.

    Ok, be a nit. You are right - everything you say is perfect and you know all of the answers.


    \_(ツ)_/

    Wednesday, February 3, 2016 2:39 PM
  • Hello d4ry1

    Maybe to start off you could read the following

    http://stackoverflow.com/questions/11363342/change-dcom-config-security-settings-using-powershell

    I think this is what you're searching.

    Cheers Luca

    This worked, although I also found that instead of directly adding the user to the DCOM permissions (dcomperm also worked, though clients need to have .NET Framework 4), another way is to add the service account we're trying to add to the local admin group, which is easier because it can be done in PowerShell or even through batch without the prerequisite of .NET Framework 4.

    Thanks again PsLumu

    Thursday, February 4, 2016 3:04 PM