Using PowerShell to Set WMI Permissions for FIM Self-Service Password Reset

  • General discussion

  •   Summary

    Setting the WMI permissions is a bit tedious and prone to error, especially if you have multiple environments and both a primary and standby server to configure. This little script is provided as a way to simplify your deployment of FIM Self-Service Password Reset configuration tasks:

    Note: See also the script for setting DCOM permissions for password reset.


    param(
        [string]$Principal = $(throw "`nMissing -Principal DOMAIN\FIM PasswordSet"),
        $Computers = $(throw "`nMissing -Computers ('fimnode01','fimnode02')"))
    # USAGE:
    # .\Set-FIM-WMI.ps1 -Principal "DOMAIN\<group or username>" -Computers ('<server1>', '<server2>',...)
    # EXAMPLE:
    # .\Set-FIM-WMI.ps1 -Principal "DOMAIN\FIM PasswordSet" -Computers ('fimsyncprimary', 'fimsyncstandby')
    # Inspired by Karl Mitschke's post:
    # http://unlockpowershell.wordpress.com/2009/11/20/script-remote-dcom-wmi-access-for-a-domain-user/
    Write-Host "Set-FIM-WMI - Updates WMI Permissions for FIM Password Reset"
    Write-Host "`tWritten by Brad Turner (bturner@ensynch.com)"
    Write-Host "`tBlog: http://www.identitychaos.com"

    # Resolve the account or group name to its SID, which is what the SDDL ACE needs
    function get-sid
    {
        PARAM ($DSIdentity)
        $ID = new-object System.Security.Principal.NTAccount($DSIdentity)
        return $ID.Translate( [System.Security.Principal.SecurityIdentifier] ).toString()
    }

    $sid = get-sid $Principal

    #WMI Permission - Enable Account, Remote Enable for This namespace and subnamespaces
    $WMISDDL = "A;CI;CCWP;;;$sid"
    # Regex matching any existing allow ACE for this SID, whatever rights it currently carries
    $WMISDDLPartialMatch = "A;\w*;\w+;;;$sid"

    foreach ($strcomputer in $computers)
    {
        write-host "`nWorking on $strcomputer..."
        $security = Get-WmiObject -ComputerName $strcomputer -Namespace root/cimv2 -Class __SystemSecurity
        $binarySD = @($null)
        $result = $security.PsBase.InvokeMethod("GetSD",$binarySD)

        # Convert the current permissions to SDDL
        write-host "`tConverting current permissions to SDDL format..."
        $converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
        $CurrentWMISDDL = $converter.BinarySDToSDDL($binarySD[0])

        # Build the new permissions: replace an existing ACE for this SID, otherwise append one
        write-host "`tBuilding the new permissions..."
        if (($CurrentWMISDDL.SDDL -match $WMISDDLPartialMatch) -and ($CurrentWMISDDL.SDDL -notmatch $WMISDDL))
        {
            $NewWMISDDL = $CurrentWMISDDL.SDDL -replace $WMISDDLPartialMatch, $WMISDDL
        }
        else
        {
            $NewWMISDDL = $CurrentWMISDDL.SDDL + "(" + $WMISDDL + ")"
        }

        # Convert SDDL back to Binary
        write-host "`tConverting SDDL back into binary form..."
        $WMIbinarySD = $converter.SDDLToBinarySD($NewWMISDDL)
        $WMIconvertedPermissions = ,$WMIbinarySD.BinarySD

        # Apply the changes (skipped when the desired ACE is already present)
        write-host "`tApplying changes..."
        if ($CurrentWMISDDL.SDDL -match $WMISDDL)
        {
            write-host "`t`tCurrent WMI Permissions matches desired value."
        }
        else
        {
            $result = $security.PsBase.InvokeMethod("SetSD",$WMIconvertedPermissions)
            if ($result -eq 0) { write-host "`t`tApplied WMI Security complete." }
        }
    }



    Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
    Sunday, June 13, 2010 12:09 AM
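As an added example that is not part of Brad Turner's script: a read-only audit that uses the same GetSD call and Win32_SecurityDescriptorHelper to list the ACEs a principal holds on a WMI namespace on each server and decode the WMI-specific rights, so you can confirm after running Set-FIM-WMI.ps1 that the account holds only Enable Account (CC) and Remote Enable (WP) and nothing broader. The parameter names and the rights table are this example's own; the bit-to-letter mapping is the standard WMI namespace security encoding.

```powershell
param(
    [Parameter(Mandatory=$true)][string]$Principal,    # e.g. "DOMAIN\FIM PasswordSet"
    [Parameter(Mandatory=$true)][string[]]$Computers,  # e.g. 'fimsyncprimary','fimsyncstandby'
    [string]$Namespace = 'root/cimv2'
)
# WMI namespace access bits and the SDDL letter pairs used for them (WBEM_ENABLE=0x1 ... WRITE_DAC=0x40000)
$WmiRights = @(
    @{ Bit = 0x1;     Sddl = 'CC'; Name = 'Enable Account'  },
    @{ Bit = 0x2;     Sddl = 'DC'; Name = 'Execute Methods' },
    @{ Bit = 0x4;     Sddl = 'LC'; Name = 'Full Write'      },
    @{ Bit = 0x8;     Sddl = 'SW'; Name = 'Partial Write'   },
    @{ Bit = 0x10;    Sddl = 'RP'; Name = 'Provider Write'  },
    @{ Bit = 0x20;    Sddl = 'WP'; Name = 'Remote Enable'   },
    @{ Bit = 0x20000; Sddl = 'RC'; Name = 'Read Security'   },
    @{ Bit = 0x40000; Sddl = 'WD'; Name = 'Edit Security'   }
)
function ConvertFrom-WmiAceRights([string]$Rights) {
    # SDDL writes rights as letter pairs ("CCWP") or, for odd combinations, as a hex mask ("0x21")
    if ($Rights -match '^0x[0-9a-fA-F]+$') {
        $mask = [int]$Rights
        return @($WmiRights | Where-Object { ($mask -band $_.Bit) -ne 0 } | ForEach-Object { $_.Name })
    }
    $names = @()
    for ($i = 0; $i + 1 -lt $Rights.Length; $i += 2) {
        $pair  = $Rights.Substring($i, 2)
        $known = $WmiRights | Where-Object { $_.Sddl -eq $pair }
        $names += $(if ($known) { $known.Name } else { "Unknown($pair)" })
    }
    return $names
}
$sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$helper = New-Object System.Management.ManagementClass Win32_SecurityDescriptorHelper
foreach ($computer in $Computers) {
    $security = Get-WmiObject -ComputerName $computer -Namespace $Namespace -Class __SystemSecurity
    $binarySD = @($null)
    [void]$security.PsBase.InvokeMethod('GetSD', $binarySD)   # same call the script uses; read-only
    $sddl = $helper.BinarySDToSDDL($binarySD[0]).SDDL
    # Each ACE is "(type;flags;rights;;;sid)"; keep only those naming the principal's SID
    $aces = [regex]::Matches($sddl, '\((\w+);(\w*);(\w*);;;([^)]+)\)') | Where-Object { $_.Groups[4].Value -eq $sid }
    if (-not $aces) { Write-Warning "$computer : no ACE for $Principal in $Namespace"; continue }
    foreach ($ace in $aces) {
        New-Object PSObject -Property @{
            Computer = $computer
            Type     = $ace.Groups[1].Value      # A = allow, D = deny
            Inherit  = $ace.Groups[2].Value      # CI = also applies to sub-namespaces
            Rights   = (ConvertFrom-WmiAceRights $ace.Groups[3].Value) -join ', '
        }
    }
}
```

Run it with the same -Principal and -Computers values as Set-FIM-WMI.ps1; reading the namespace security descriptor needs the same rights on the target as GetSD in the script, so it fails the same way when the caller lacks them.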

All replies

  • Awesome scripts Brad. Those steps always seemed overly complex, error-prone and scriptable. 

    Would be great if the product team could use these to make the installer friendlier and more robust.  I already had a connect item logged for just that.

    Monday, June 14, 2010 4:25 AM
  • Thanks Brad. Very helpful but you have an error on that line.

    The second "=" must not be there.

     $NewWMISDDL = $CurrentWMISDDL.SDDL += "(" + $WMISDDL + ")"
    Tuesday, January 11, 2011 7:26 PM
  • Amazing sir - thank you very much for this. They both came in very handy yesterday during a very long session setting up a new install. -Fred
    Friday, February 10, 2012 1:15 PM
  • Thank you, you just saved me a lot of time!  I've done this in the lab by hand and it was a headache!
    Tuesday, October 9, 2012 10:20 PM
  • Hi Brad,

    For your reference, I am getting the following error when executing this script with administrator permissions.  

    PS C:\Support\FIM> .\Set-FIM-WMI.ps1 -Principal "RFV\Grp_FIMSync_PasswordSet" -Computers ('MADCFIM01V')
    Set-FIM-WMI - Updates WMI Permissions for FIM Password Reset
            Written by Brad Turner (bturner@ensynch.com)
            Blog: http://www.identitychaos.com
    Working on MADCFIM01V...
    Exception calling "InvokeMethod" with "2" argument(s): "Access denied "
    At C:\Support\FIM\Set-FIM-WMI.ps1:39 char:42
    +   $result = $security.PsBase.InvokeMethod <<<< ("GetSD",$binarySD)
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : DotNetMethodException
            Converting current permissions to SDDL format...
            Building the new permissions...
            Converting SDDL back into binary form...
            Applying changes...
                    Current WMI Permissions matches desired value.
    PS C:\Support\FIM>

    Tuesday, November 13, 2012 11:11 PM