Set wmi permission 'Execute methods' via powershell for remote computers

  • Question

  • I need to add this code to have permission to Execute Methods (MethodExecute).

    function get-sid
    {
        Param ($DSIdentity)
        $ID = new-object System.Security.Principal.NTAccount($DSIdentity)
        return $ID.Translate([System.Security.Principal.SecurityIdentifier]).toString()
    }

    $sid = get-sid $args[0]
    # ACEs to append: one for the WMI root namespace, one for the DCOM launch restriction
    $SDDL = "A;CI;CCWP;;;$sid"
    $DCOMSDDL = "A;;CCDCRP;;;$sid"

    ForEach ($COMPUTER in (Get-ADComputer -Filter '*' | Select -ExpandProperty Name))
    {
        if (!(Test-Connection -Cn $COMPUTER -Quiet)) {
            write-host "cannot reach $computer" -f red
        }
        else {
            $Reg = [WMIClass]"\\$COMPUTER\root\default:StdRegProv"
            # 2147483650 = HKEY_LOCAL_MACHINE
            $DCOM = $Reg.GetBinaryValue(2147483650,"software\microsoft\ole","MachineLaunchRestriction").uValue
            $security = Get-WmiObject -ComputerName $COMPUTER -Namespace root -Class __SystemSecurity
            $converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
            # Read the current security descriptors and convert them to SDDL
            $binarySD = @($null)
            $result = $security.PsBase.InvokeMethod("GetSD",$binarySD)
            $outsddl = $converter.BinarySDToSDDL($binarySD[0])
            $outDCOMSDDL = $converter.BinarySDToSDDL($DCOM)
            # Append the new ACEs and convert back to binary form
            $newSDDL = $outsddl.SDDL += "(" + $SDDL + ")"
            $newDCOMSDDL = $outDCOMSDDL.SDDL += "(" + $DCOMSDDL + ")"
            $WMIbinarySD = $converter.SDDLToBinarySD($newSDDL)
            $WMIconvertedPermissions = ,$WMIbinarySD.BinarySD
            $DCOMbinarySD = $converter.SDDLToBinarySD($newDCOMSDDL)
            $DCOMconvertedPermissions = ,$DCOMbinarySD.BinarySD
            # Write both descriptors back to the remote computer
            $result = $security.PsBase.InvokeMethod("SetSD",$WMIconvertedPermissions)
            $result = $Reg.SetBinaryValue(2147483650,"software\microsoft\ole","MachineLaunchRestriction", $DCOMbinarySD.binarySD)
            write-host "complete" -f green
        }
    }

    Monday, September 9, 2019 9:12 AM
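An added example, not part of the original thread: a small audit helper that decodes the ACEs in a WMI namespace SDDL string into the permission names shown in the WMI Control security dialog, so you can check which trustees hold Execute Methods. The enum `WmiNamespaceRights`, the function `Get-WmiAceRights` and the sample SID are hypothetical names and constructed values; the bit values are the standard WMI namespace access-mask constants.

```powershell
# WMI namespace access-mask bits, named as in the WMI Control security dialog.
[Flags()] enum WmiNamespaceRights {
    EnableAccount  = 0x1      # SDDL code CC
    ExecuteMethods = 0x2      # SDDL code DC
    FullWrite      = 0x4      # SDDL code LC
    PartialWrite   = 0x8      # SDDL code SW
    ProviderWrite  = 0x10     # SDDL code RP
    RemoteEnable   = 0x20     # SDDL code WP
    ReadSecurity   = 0x20000  # SDDL code RC
    EditSecurity   = 0x40000  # SDDL code WD
}

# Hypothetical helper: list every ACE in the DACL with its decoded WMI rights.
function Get-WmiAceRights {
    param([Parameter(Mandatory)][string]$Sddl)

    # .NET parses the SDDL string into ACE objects with a numeric AccessMask.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Skip custom ACE types that carry no access mask or SID.
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }

        $rights = [WmiNamespaceRights]$ace.AccessMask
        [pscustomobject]@{
            Trustee        = $ace.SecurityIdentifier.Value
            AceType        = $ace.AceType
            AceFlags       = $ace.AceFlags
            Rights         = $rights
            ExecuteMethods = $rights.HasFlag([WmiNamespaceRights]::ExecuteMethods)
        }
    }
}

# Constructed sample: a namespace SD with an ACE of the form "A;CI;CCWP;;;<sid>" appended.
# The SID below is made up for illustration.
$sample = 'O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)' +
          '(A;CI;CCWP;;;S-1-5-21-1111111111-2222222222-3333333333-1104)'

Get-WmiAceRights -Sddl $sample | Format-Table -AutoSize
```

Against a live host, pass `$outsddl.SDDL` or `$newSDDL` from the script above instead of the sample string to review the namespace ACL before and after the change.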

All replies

  • You need to make changes to the remote WMI system to allow users to access WMI. By default only admins can do this.


    \_(ツ)_/

    Monday, September 9, 2019 5:15 PM
  • My user is in a group Remote Management Users and just add permission to execute methods to him or this group.
    Thursday, September 12, 2019 6:51 AM
  • My user is in a group Remote Management Users and just add permission to execute methods to him or this group.
    That will not give them permission on protected resources.

    \_(ツ)_/

    Thursday, September 12, 2019 7:07 AM