GetSecurityDescriptor from WMI with nonexisting user in result list

  • Question

  • I have a script with which I can add users/groups to the security settings of a WMI class. This script runs fine except when a nonexisting user has access to the WMI class.

    The problem part of the script is the first line below

    $output = Invoke-WmiMethod -Namespace root/cimv2 -ComputerName computer1 -Path "__systemsecurity=@" -Name GetSecurityDescriptor
    $acl = $output.Descriptor
    $acl.DACL

    When I run this script while a nonexisting user has access to the WMI class, I get an "Unexpected Error". When I remove this user (S-1-5-21-xxxxxxxxxxxxx) through "Computer Manager", "WMI Control", "Properties", "Security", the script runs fine.

    Is there a method to remove nonexisting users from WMI classes, or to skip this user?

    The error I get is:

    Invoke-WmiMethod : Unexpected error
    At line:1 char:18
    +        $output = Invoke-WmiMethod -Namespace root -ComputerName computer1 -Path  ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [Invoke-WmiMethod], ManagementException
        + FullyQualifiedErrorId : InvokeWMIManagementException,Microsoft.PowerShell.Commands.InvokeWmiMethod

    Wednesday, October 3, 2018 11:46 AM

All replies

  • Hi Marco,

    Thanks for your question.

    Your script just uses the GetSecurityDescriptor method of the __SystemSecurity class. It can show the user's DACL.

    When you use the nonexisting user, you will get an error.

    Try to add -ErrorAction SilentlyContinue to your command. It can help you skip the error.

    Best Regards,

    Lee


    Just do it.

    Friday, October 5, 2018 6:18 AM
  • Lee,

    If I add -ErrorAction SilentlyContinue to the "Invoke-WmiMethod" command, I get no result at all. I want to see the information of the existing users that have access to the WMI class.

    $output = Invoke-WmiMethod -Namespace root/cimv2  -Path "__systemsecurity=@" -Name GetSecurityDescriptor -ErrorAction SilentlyContinue
    $acl = $output.Descriptor
    $acl.DACL


    • Edited by Marco234 Friday, October 5, 2018 1:52 PM
    Friday, October 5, 2018 1:51 PM
  • If the security descriptor is corrupted then WMI cannot help you.  You will need to do a repair on the WMI repository.


    \_(ツ)_/

    Friday, October 5, 2018 2:05 PM
  • Hmm, actually, rebuilding your WMI repository and setting new access rights to the CIMV2 namespace might be the fastest way :)
    Friday, October 5, 2018 2:20 PM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    Best Regards,

    Lee


    Just do it.

    Friday, October 26, 2018 8:40 AM
  • Hi,

    As this thread has been quiet for a while, we will mark it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    Best Regards,

    Lee


    Just do it.

    Monday, November 5, 2018 9:20 AM
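
The question in this thread asks how to list a WMI namespace DACL while skipping an ACE whose account no longer exists. The following is an added example, not code from any poster here: the `__SystemSecurity` class also has a `GetSD` method that returns the descriptor as raw bytes, which .NET's `RawSecurityDescriptor` parses without resolving SIDs to names. It is an assumption that `GetSD` succeeds on a namespace where `GetSecurityDescriptor` fails; `Get-WmiNamespaceAce` is a hypothetical function name.

```powershell
# Added example (not from the thread). Get-WmiNamespaceAce is a hypothetical name.
# SID-to-name translation happens on the machine running this code,
# so run it on the host whose namespace is being audited.
function Get-WmiNamespaceAce {
    param([string]$Namespace = 'root/cimv2')

    # WMI namespace rights carried in each ACE's access mask.
    $rights = @{
        'Enable'          = 0x1
        'MethodExecute'   = 0x2
        'FullWrite'       = 0x4
        'PartialWrite'    = 0x8
        'ProviderWrite'   = 0x10
        'RemoteAccess'    = 0x20
        'ReadSecurity'    = 0x20000
        'WriteSecurity'   = 0x40000
    }

    # GetSD hands back the self-relative security descriptor as a byte array.
    $r = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSD -ErrorAction Stop
    if ($r.ReturnValue -ne 0) { throw "GetSD returned $($r.ReturnValue)" }
    $bytes = [byte[]]$r.SD
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0

    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        # Only "no such account" marks the ACE as orphaned; any other
        # translation failure (for example an unreachable domain) is rethrown.
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch [System.Security.Principal.IdentityNotMappedException] { $account = $null }

        $mask = $ace.AccessMask
        $names = $rights.GetEnumerator() |
            Where-Object { $mask -band $_.Value } |
            Sort-Object Value |
            ForEach-Object { $_.Key }

        [pscustomobject]@{
            Account   = $account
            Sid       = $sid.Value
            Orphaned  = ($null -eq $account)
            AceType   = $ace.AceType
            Inherited = [bool]($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::Inherited)
            Rights    = $names -join ', '
        }
    }
}

# Show only the ACEs whose SID no longer maps to an account:
# Get-WmiNamespaceAce -Namespace 'root/cimv2' | Where-Object { $_.Orphaned }
```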