Sign in
 

none
Using PowerShell to Set WMI Permissions for FIM Self-Service Password Reset

 , 
 > 

    General discussion

  • Discussion
    Sign in to vote
    6
    Sign in to vote
      Summary
     

    Setting the WMI permissions is a bit tedious and prone to error, especially if you have multiple environments and both a primary and standby server to configure. This little script is provided as a way to simplify your deployment of FIM Self-Service Password Reset configuration tasks:

      note Note
     

    See also the script for setting DCOM permissions for password reset.

     

    PARAM(
	[string]$Principal = $(throw "`nMissing -Principal DOMAIN\FIM PasswordSet"), 
	$Computers = $(throw "`nMissing -Computers ('fimnode01','fimnode02')"))	

# USAGE: 
# 
# .\Set-FIM-WMI.ps1 -Principal "DOMAIN\<group or username>" -Computers ('<server1>', '<server2>',...) 
# 
# EXAMPLE: 
# .\Set-FIM-WMI.ps1 -Principal "DOMAIN\FIM PasswordSet" -Computers ('fimsyncprimary', 'fimsyncstandby')
#
# Inspired by Karl Mitschke's post:
# http://unlockpowershell.wordpress.com/2009/11/20/script-remote-dcom-wmi-access-for-a-domain-user/

Write-Host "Set-FIM-WMI - Updates WMI Permissions for FIM Password Reset"
Write-Host "`tWritten by Brad Turner (bturner@ensynch.com)"
Write-Host "`tBlog: http://www.identitychaos.com"

function get-sid
{
 PARAM ($DSIdentity)
 $ID = new-object System.Security.Principal.NTAccount($DSIdentity)
 return $ID.Translate( [System.Security.Principal.SecurityIdentifier] ).toString()
}

$sid = get-sid $Principal

#WMI Permission - Enable Account, Remote Enable for This namespace and subnamespaces 
$WMISDDL = "A;CI;CCWP;;;$sid" 

#PartialMatch
$WMISDDLPartialMatch = "A;\w*;\w+;;;$sid"

foreach ($strcomputer in $computers)
{
  write-host "`nWorking on $strcomputer..."
  $security = Get-WmiObject -ComputerName $strcomputer -Namespace root/cimv2 -Class __SystemSecurity
  $binarySD = @($null)
  $result = $security.PsBase.InvokeMethod("GetSD",$binarySD)

  # Convert the current permissions to SDDL 
  write-host "`tConverting current permissions to SDDL format..."
  $converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
  $CurrentWMISDDL = $converter.BinarySDToSDDL($binarySD[0])

  # Build the new permissions 
  write-host "`tBuilding the new permissions..."
  if (($CurrentWMISDDL.SDDL -match $WMISDDLPartialMatch) -and ($CurrentWMISDDL.SDDL -notmatch $WMISDDL))
  {
   $NewWMISDDL = $CurrentWMISDDL.SDDL -replace $WMISDDLPartialMatch, $WMISDDL
  }
  else
  {
   $NewWMISDDL = $CurrentWMISDDL.SDDL += "(" + $WMISDDL + ")"
  }

  # Convert SDDL back to Binary 
  write-host `t"Converting SDDL back into binary form..."
  $WMIbinarySD = $converter.SDDLToBinarySD($NewWMISDDL)
  $WMIconvertedPermissions = ,$WMIbinarySD.BinarySD
 
  # Apply the changes
  write-host "`tApplying changes..."
  if ($CurrentWMISDDL.SDDL -match $WMISDDL)
  {
    write-host "`t`tCurrent WMI Permissions matches desired value."
  }
  else
  {
   $result = $security.PsBase.InvokeMethod("SetSD",$WMIconvertedPermissions) 
   if($result='0'){write-host "`t`tApplied WMI Security complete."}
  }
}

     

      Go to the FIM ScriptBox
    Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
    Sunday, June 13, 2010 12:09 AM
    |

All replies

  • Discussion
    Sign in to vote
    0
    Sign in to vote

    Awesome scripts Brad. Those steps always seemed overly complex, error-prone and scriptable. 

    Would be great if the product team could use these to make the installer friendlier and more robust.  I already had a connect item logged for just that.

    Monday, June 14, 2010 4:25 AM
    |
  • Discussion
    Sign in to vote
    0
    Sign in to vote

    Thanks Brad. Very helpfull but you have an error on that line.

    The second "=" must not be there.

     $NewWMISDDL = $CurrentWMISDDL.SDDL += "(" + $WMISDDL + ")"
    Tuesday, January 11, 2011 7:26 PM
    |
  • Discussion
    Sign in to vote
    0
    Sign in to vote
    Amazing sir - thank you very much for this. They both came in very handy yesterday during a very long session setting up a new install. -Fred
    Friday, February 10, 2012 1:15 PM
    |
  • Discussion
    Sign in to vote
    0
    Sign in to vote
    Thank you, you just saved me a lot of time!  I've done this in the lab by hand and it was a headache!
    Tuesday, October 9, 2012 10:20 PM
    |
  • Discussion
    Sign in to vote
    0
    Sign in to vote

    Hi Brad,

    For your reference, I am getting the following error when executing this script with administrator permissions.  

    PS C:\Support\FIM> .\Set-FIM-WMI.ps1 -Principal "RFV\Grp_FIMSync_PasswordSet" -Computers ('MADCFIM01V')
Set-FIM-WMI - Updates WMI Permissions for FIM Password Reset
        Written by Brad Turner (bturner@ensynch.com)
        Blog: http://www.identitychaos.com

Working on MADCFIM01V...
Exception calling "InvokeMethod" with "2" argument(s): "Access denied "
At C:\Support\FIM\Set-FIM-WMI.ps1:39 char:42
+   $result = $security.PsBase.InvokeMethod <<<< ("GetSD",$binarySD)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

        Converting current permissions to SDDL format...
        Building the new permissions...
        Converting SDDL back into binary form...
        Applying changes...
                Current WMI Permissions matches desired value.
PS C:\Support\FIM>

    Tuesday, November 13, 2012 11:11 PM
    |