hypercube
asked on
PowerShell or .bat code for DCOM settings
I have PowerShell code for setting up WMI on a workstation.
It lacks the necessary setting for DCOM.
Manually, we would do this:
DCOMCNFG.EXE
Computers / My Computer / Properties / COM Security
Launch and Activate Permissions … add "name" with full privileges
How can I get this into the PowerShell code?
(I already have code to switch DCOM from Connect to None and from None to Connect which involve registry edits done in the code - for an altogether different purpose. But this looks a bit different).
Take a look at this article: https://janbk.wordpress.com/2015/03/12/automating-dcom-acl-with-powershell/
ASKER
Adam Leinss: Thank you! I had seen that but the Messages Properties rather threw me off because I've never seen that dialog and wouldn't know how to make it appear from the GUI. So, I suppose one has to use a PowerShell command to make it appear.
But .. no matter.
What I need to do is as described a bit better as:
DCOMCNFG.EXE
Computers / My Computer / Properties / COM Security / Launch and Activate Permissions / Limits
… add [user name]
... Permissions for [user name] ALLOW all.
Since a picture is worth a thousand words, here is what I need to do:
(screenshot not reproduced)
The link addresses the sort of thing I need to do but isn't specific enough for me right now to be able to translate it into this objective. It appears to assume just a little more experience than I have. For example, it requires that one specify an Object but I have no idea what Object I need, etc. I looked for a list and didn't find one. Heck, I don't even know what list to look for exactly!
So looking at this from the other direction: https://www.pdq.com/blog/remote-administration-quick-dcom-security-reset/
It appears that dialog box is just setting registry values for certain permissions in registry at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
There's a key there called DefaultLaunchPermission with a bunch of numbers. You can export this branch to a REG file; it should look something like this:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,1f,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,14,00,1f,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00
Then make your changes through the GUI and compare the values again. If they changed, then you may just have to change those values. Just export the whole key to a REG file, then call this in your PowerShell script with something like:
Execute-Process -FilePath "C:\windows\system32\reg.exe" -Parameters "import C:\somepath\dcomperm.reg" -PassThru
ASKER
Adam Leinss: Good idea but it concerns me just a bit because it appears to be a "mechanical" replacement. Isn't that the idea or did I misunderstand?
Here's what I see with no change except:
1) an added username
2) Local is Allowed / i.e. checked in the GUI.
Exported .reg before and after.
PS C:\users\fred\documents> compare-object -ReferenceObject $(Get-Content "DCOM WMI username Allow.reg") -DifferenceObject $(Get-Content "DCOM_WMI fred Local Allow.reg")
InputObject
-----------
"MachineLaunchRestriction"=hex:01,00,04,80,ec,00,00,00,fc,00,00,00,00,00,00,...
14,00,00,00,02,00,d8,00,07,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,\
00,00,01,00,00,00,00,00,00,18,00,0b,00,00,00,01,02,00,00,00,00,00,0f,02,00,\
00,00,01,00,00,00,00,00,38,00,0b,00,00,00,01,0a,00,00,00,00,00,0f,03,00,00,\
00,00,04,00,00,a1,27,60,8f,9a,bb,18,34,63,b6,77,ff,9d,d5,b6,6c,e7,32,1a,68,\
08,52,43,92,86,a6,1f,d8,98,17,1b,3b,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,00,\
00,05,20,00,00,00,2f,02,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,32,02,00,00,00,00,24,00,03,00,00,00,01,05,00,00,00,00,00,05,\
15,00,00,00,32,df,6d,d0,d0,4e,e6,fe,1e,b7,55,58,e9,03,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,\
00,00
"MachineLaunchRestriction"=hex:01,00,04,80,d0,00,00,00,e0,00,00,00,00,00,00,...
14,00,00,00,02,00,bc,00,06,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,01,00,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,00,00,05,20,00,00,\
00,32,02,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,\
2f,02,00,00,00,00,18,00,0b,00,00,00,01,02,00,00,00,00,00,0f,02,00,00,00,01,\
00,00,00,00,00,38,00,0b,00,00,00,01,0a,00,00,00,00,00,0f,03,00,00,00,00,04,\
00,00,a1,27,60,8f,9a,bb,18,34,63,b6,77,ff,9d,d5,b6,6c,e7,32,1a,68,08,52,43,\
92,86,a6,1f,d8,98,17,1b,3b,49,00,6e,00,66,00,6f,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00
While I can see where there are sections of equality, I've not found a handy tool to compare these and, even if I did, my concern is that not all computers are going to start out equal.
So, if replacement is intended, we'd be adding the name but to a different computer's configuration. That is, the target computer would end up with the reference computer's settings but including the new username and allow/deny settings.
It surely doesn't appear that there are values that can be selected and changed as the number of values differ by quite a bit.
If I knew how to parse the results into pieces then maybe an "add" would work but still iffy.
Unless there's a way to resolve that issue, I'd still be looking for a "make a setting" solution.
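Added example (my code, not the thread's or the linked articles') covering both the REG-export route in the answer above and the comparison the asker just tried: it decodes MachineLaunchRestriction as a binary security descriptor, so two exports diff as a list of ACEs (decoded, the longer blob above is the same six default entries plus one Allow ACE for an S-1-5-21 account SID with mask 0x03, i.e. Launch plus Local Launch, which is the one ticked box), and it appends a single ACE for a named account instead of copying another machine's whole value. Assumes PowerShell 5 or later run elevated; the account 'DOMAIN\fred' and the .reg paths are placeholders.

```powershell
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Ole'
$ValueName = 'MachineLaunchRestriction'   # the "Launch and Activation Permissions / Edit Limits" ACL

# COM access-mask bits (winnt.h COM_RIGHTS_*): all five set (0x1f) is every Allow box ticked.
$ComRights = [ordered]@{ Launch = 1; LocalLaunch = 2; RemoteLaunch = 4; LocalActivation = 8; RemoteActivation = 16 }

# Pull one hex(...) value out of a reg.exe export, joining the backslash-continued lines.
function Get-RegExportBytes([string]$Path, [string]$Name) {
    $text  = (Get-Content -Path $Path -Raw) -replace '\\\r?\n\s*', ''
    $match = [regex]::Match($text, '"' + [regex]::Escape($Name) + '"=hex:([0-9a-fA-F,]+)')
    if (-not $match.Success) { throw "Value $Name not found in $Path" }
    return [byte[]](($match.Groups[1].Value -split ',') | Where-Object { $_ } | ForEach-Object { [Convert]::ToByte($_, 16) })
}

# Decode the blob as a security descriptor and list its DACL as readable ACEs.
function Get-ComLimitAce([byte[]]$Bytes) {
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        [pscustomobject]@{
            Type    = $ace.AceType
            Account = $who
            Mask    = '0x{0:x}' -f $ace.AccessMask
            Rights  = (@($ComRights.Keys) | Where-Object { $ace.AccessMask -band $ComRights[$_] }) -join ','
        }
    }
}

# Append one Allow ACE for $Account to the live limits, leaving every existing ACE untouched.
function Add-ComLimitAce([string]$Account, [int]$AccessMask = 0x1f) {
    $bytes = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    $sd    = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    $sid   = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])
    if ($sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier -eq $sid }) { throw "$Account already has an ACE here" }
    $ace = [System.Security.AccessControl.CommonAce]::new([System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed, $AccessMask, $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $out = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($out, 0)
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $out -Type Binary
}

# Usage (paths and account are placeholders): diff two exports ACE by ACE, then add the user.
Compare-Object (Get-ComLimitAce (Get-RegExportBytes '.\before.reg' $ValueName)) `
               (Get-ComLimitAce (Get-RegExportBytes '.\after.reg'  $ValueName)) -Property Account, Mask
Add-ComLimitAce -Account 'DOMAIN\fred' -AccessMask 0x1f
```

If the reg.exe import route is kept instead, note that Execute-Process is a PSAppDeployToolkit function rather than a built-in cmdlet; Start-Process is the built-in equivalent.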
ASKER CERTIFIED SOLUTION
ASKER
Adam Leinss: Thanks! How embarrassing. I must have been diverted back there a year ago.
Yes, that looks like it!
ASKER
Thanks!!