Using PowerShell to Set WMI Permissions for FIM Self-Service Password Reset

Summary
Setting the WMI permissions is a bit tedious and prone to error, especially if you have multiple environments and both a primary and standby server to configure. This little script is provided as a way to simplify your deployment of FIM Self-Service Password Reset configuration tasks:
Note
See also the script for setting DCOM permissions for password reset.
PARAM(
    [string]$Principal = $(throw "`nMissing -Principal DOMAIN\FIM PasswordSet"),
    $Computers = $(throw "`nMissing -Computers ('fimnode01','fimnode02')")
)
# USAGE:
#
# .\Set-FIM-WMI.ps1 -Principal "DOMAIN\<group or username>" -Computers ('<server1>', '<server2>',...)
#
# EXAMPLE:
# .\Set-FIM-WMI.ps1 -Principal "DOMAIN\FIM PasswordSet" -Computers ('fimsyncprimary', 'fimsyncstandby')
#
# Inspired by Karl Mitschke's post:
# http://unlockpowershell.wordpress.com/2009/11/20/script-remote-dcom-wmi-access-for-a-domain-user/

Write-Host "Set-FIM-WMI - Updates WMI Permissions for FIM Password Reset"
Write-Host "`tWritten by Brad Turner (bturner@ensynch.com)"
Write-Host "`tBlog: http://www.identitychaos.com"

# Resolve "DOMAIN\name" to its SID string so it can be embedded in an SDDL ACE
function get-sid {
    PARAM ($DSIdentity)
    $ID = new-object System.Security.Principal.NTAccount($DSIdentity)
    return $ID.Translate( [System.Security.Principal.SecurityIdentifier] ).toString()
}

$sid = get-sid $Principal

# WMI Permission - Enable Account (CC), Remote Enable (WP), for this namespace and subnamespaces (CI)
$WMISDDL = "A;CI;CCWP;;;$sid"
# PartialMatch: any Allow ACE for this SID, whatever its flags or rights
$WMISDDLPartialMatch = "A;\w*;\w+;;;$sid"

foreach ($strcomputer in $computers) {
    write-host "`nWorking on $strcomputer..."
    $security = Get-WmiObject -ComputerName $strcomputer -Namespace root/cimv2 -Class __SystemSecurity
    $binarySD = @($null)
    $result = $security.PsBase.InvokeMethod("GetSD",$binarySD)

    # Convert the current permissions to SDDL
    write-host "`tConverting current permissions to SDDL format..."
    $converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
    $CurrentWMISDDL = $converter.BinarySDToSDDL($binarySD[0])

    # Build the new permissions
    write-host "`tBuilding the new permissions..."
    if (($CurrentWMISDDL.SDDL -match $WMISDDLPartialMatch) -and ($CurrentWMISDDL.SDDL -notmatch $WMISDDL)) {
        # An ACE for this SID exists but differs: replace it rather than adding a duplicate
        $NewWMISDDL = $CurrentWMISDDL.SDDL -replace $WMISDDLPartialMatch, $WMISDDL
    } else {
        # Append the new ACE (single '+'; the '+=' in the originally posted line was the typo flagged in the replies)
        $NewWMISDDL = $CurrentWMISDDL.SDDL + "(" + $WMISDDL + ")"
    }

    # Convert SDDL back to Binary
    write-host "`tConverting SDDL back into binary form..."
    $WMIbinarySD = $converter.SDDLToBinarySD($NewWMISDDL)
    $WMIconvertedPermissions = ,$WMIbinarySD.BinarySD

    # Apply the changes
    write-host "`tApplying changes..."
    if ($CurrentWMISDDL.SDDL -match $WMISDDL) {
        write-host "`t`tCurrent WMI Permissions matches desired value."
    } else {
        $result = $security.PsBase.InvokeMethod("SetSD",$WMIconvertedPermissions)
        # '-eq 0' compares the return code; a single '=' here would be an assignment that is always true
        if ($result -eq 0) { write-host "`t`tApplied WMI Security complete." }
    }
}
Go to the FIM ScriptBox
Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
Edited by Markus Vilcinskas (Microsoft employee), Sunday, June 13, 2010 5:20 PM: typo
Sunday, June 13, 2010 12:09 AM
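The script above does two separable things: string surgery on an SDDL descriptor, and a GetSD/SetSD round trip against __SystemSecurity. Below is an added example (written for this page, not part of Brad Turner's script or FIM) that pulls the SDDL merge into a function you can exercise offline against a constructed descriptor, and adds a read-only audit that reports whether a SID already holds the expected ACE on a namespace. Function names, the sample SID and the sample SDDL are all constructed for illustration; the rights and flag abbreviations (A, CI, CC, WP) are the ones the original post uses.

```powershell
# Added example: SDDL ACE merge logic and a read-only WMI namespace audit.
# Not from the original post; function names and sample values are constructed.

function Merge-WmiSddlAce {
    <#
      Returns the SDDL that results from ensuring exactly one Allow ACE for $Sid
      with the requested flags and rights. Same three outcomes as the posted
      script: unchanged if already exact, replaced if an ACE for the SID differs,
      appended if the SID has no ACE yet. Pure string work, so it runs offline.
    #>
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$Sid,
        [string]$Rights   = 'CCWP',   # CC = Enable Account, WP = Remote Enable
        [string]$AceFlags = 'CI'      # CI = this namespace and subnamespaces
    )
    $desired = "A;$AceFlags;$Rights;;;$Sid"
    # Any Allow ACE for this SID regardless of flags/rights. Escape is hygiene:
    # a SID is only letters, digits and hyphens, but escaping costs nothing.
    $anyAceForSid = 'A;\w*;\w+;;;' + [regex]::Escape($Sid)

    if ($Sddl -match [regex]::Escape($desired)) {
        return $Sddl                                   # already exactly as wanted
    }
    if ($Sddl -match $anyAceForSid) {
        return $Sddl -replace $anyAceForSid, $desired  # fix, do not duplicate
    }
    return $Sddl + "($desired)"                        # single '+', not '+='
}

function Get-WmiNamespaceAces {
    <# Read-only: returns each ACE string in a namespace's security descriptor. #>
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Namespace    = 'root/cimv2'
    )
    $security = Get-WmiObject -ComputerName $ComputerName -Namespace $Namespace -Class __SystemSecurity
    $binarySD = @($null)
    $null = $security.PsBase.InvokeMethod('GetSD', $binarySD)   # fills $binarySD[0]
    $converter = New-Object System.Management.ManagementClass Win32_SecurityDescriptorHelper
    $sddl = $converter.BinarySDToSDDL($binarySD[0]).SDDL
    # "O:BAG:BAD:(A;CI;...;;;BA)(A;...)" -> one string per parenthesised ACE
    [regex]::Matches($sddl, '\(([^)]*)\)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-WmiNamespaceAce {
    <# Reports whether $Sid holds the exact expected ACE; makes no changes. #>
    param(
        [Parameter(Mandatory)][string]$Sid,
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Namespace    = 'root/cimv2',
        [string]$Rights       = 'CCWP',
        [string]$AceFlags     = 'CI'
    )
    $aces   = @(Get-WmiNamespaceAces -ComputerName $ComputerName -Namespace $Namespace)
    $wanted = "A;$AceFlags;$Rights;;;$Sid"
    [pscustomobject]@{
        Computer   = $ComputerName
        Namespace  = $Namespace
        HasExact   = [bool]($aces -contains $wanted)
        AcesForSid = @($aces | Where-Object { $_ -like "*;$Sid" })   # anything else granted to this SID
    }
}

# Offline demonstration with a constructed SID and SDDL (not captured from a real host).
$sampleSid  = 'S-1-5-21-1111111111-2222222222-3333333333-1234'
$sampleSddl = 'O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)'

# Case 1: SID has no ACE yet -> the new ACE is appended
Merge-WmiSddlAce -Sddl $sampleSddl -Sid $sampleSid
# Case 2: SID has an ACE with different rights -> it is replaced, not duplicated
Merge-WmiSddlAce -Sddl ($sampleSddl + "(A;;CC;;;$sampleSid)") -Sid $sampleSid
# Case 3: SID already has the exact ACE -> descriptor returned unchanged
Merge-WmiSddlAce -Sddl ($sampleSddl + "(A;CI;CCWP;;;$sampleSid)") -Sid $sampleSid

# Live, read-only check of the local machine (needs the same WMI access the posted script needs):
# Test-WmiNamespaceAce -Sid $sampleSid
```

Test-WmiNamespaceAce is useful after a deployment, or from a scheduled job, to confirm that the primary and standby servers carry the same ACE and that nothing broader than CCWP has crept in for the service account: HasExact answers the first question and AcesForSid the second. Merge-WmiSddlAce can be dropped into the posted script in place of the inline if/else, which also removes the `+=` and `=` pitfalls discussed in the replies.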
All replies
Awesome scripts, Brad. Those steps always seemed overly complex, error-prone and scriptable.
Would be great if the product team could use these to make the installer friendlier and more robust. I already had a connect item logged for just that.
Monday, June 14, 2010 4:25 AM
Thanks Brad. Very helpful, but you have an error on that line.
The second "=" must not be there.
$NewWMISDDL = $CurrentWMISDDL.SDDL += "(" + $WMISDDL + ")"
Tuesday, January 11, 2011 7:26 PM
Amazing sir - thank you very much for this. They both came in very handy yesterday during a very long session setting up a new install. -Fred
Friday, February 10, 2012 1:15 PM
Thank you, you just saved me a lot of time! I've done this in the lab by hand and it was a headache!
Tuesday, October 9, 2012 10:20 PM
Hi Brad,
For your reference, I am getting the following error when executing this script with administrator permissions.
PS C:\Support\FIM> .\Set-FIM-WMI.ps1 -Principal "RFV\Grp_FIMSync_PasswordSet" -Computers ('MADCFIM01V')
Set-FIM-WMI - Updates WMI Permissions for FIM Password Reset
        Written by Brad Turner (bturner@ensynch.com)
        Blog: http://www.identitychaos.com

Working on MADCFIM01V...
Exception calling "InvokeMethod" with "2" argument(s): "Access denied "
At C:\Support\FIM\Set-FIM-WMI.ps1:39 char:42
+ $result = $security.PsBase.InvokeMethod <<<< ("GetSD",$binarySD)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

        Converting current permissions to SDDL format...
        Building the new permissions...
        Converting SDDL back into binary form...
        Applying changes...
                Current WMI Permissions matches desired value.
PS C:\Support\FIM>
Tuesday, November 13, 2012 11:11 PM