hypercube

asked on

PowerShell or .bat code for DCOM settings

I have PowerShell code for setting up WMI on a workstation.
It lacks the necessary setting for DCOM.
Manually, we would do this:
DCOMCNFG.EXE
      Computers / My Computer / Properties / COM Security
      Launch and Activate Permissions … add “name” with full privileges

How can I get this into the PowerShell code?

(I already have code to switch DCOM from Connect to None and from None to Connect which involve registry edits done in the code - for an altogether different purpose.  But this looks a bit different).
Adam Leinss

hypercube (ASKER)

Adam Leinss:  Thank you!  I had seen that but the Messages Properties rather threw me off because I've never seen that dialog and wouldn't know how to make it appear from the GUI.  So, I suppose one has to use a PowerShell command to make it appear.
But .. no matter.
What I need to do is described a bit better as:
DCOMCNFG.EXE
Computers / My Computer / Properties / COM Security/ Launch and Activate Permissions / Limits
… add [user name]
... Permissions for [user name] ALLOW all.  

Since a picture is worth a thousand words, here is what I need to do:
[User generated image]

The link addresses the sort of thing I need to do but isn't specific enough for me right now to be able to translate it into this objective.  It appears to assume just a little more experience than I have.  For example, it requires that one specify an Object but I have no idea what Object I need, etc.  I looked for a list and didn't find one.  Heck, I don't even know what list to look for exactly!
So looking at this from the other direction: https://www.pdq.com/blog/remote-administration-quick-dcom-security-reset/

It appears that dialog box is just setting registry values for certain permissions in registry at

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole

There's a key there called DefaultLaunchPermission with a bunch of numbers.  You can export this branch to a REG file; it should look something like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,1f,00,00,00,01,01,00,00,00,00,\
  00,05,04,00,00,00,00,00,14,00,1f,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00



Then make your changes through the GUI and compare the values again.  If they changed, then you may just have to change those values.  Just export the whole key to a REG file, then call this in your PowerShell script with something like:

Execute-Process -FilePath "C:\windows\system32\reg.exe" -Parameters "import C:\somepath\dcomperm.reg" -PassThru
Adam Leinss: Good idea but it concerns me just a bit because it appears to be a "mechanical" replacement.  Isn't that the idea or did I misunderstand?

Here's what I see with no change except:
1) an added username
2) Local is Allowed / i.e. checked in the GUI.
Exported .reg before and after.

PS C:\users\fred\documents> compare-object -ReferenceObject $(Get-Content "DCOM
WMI username Allow.reg") -DifferenceObject $(Get-Content "DCOM_WMI fred Local A
low.reg")

InputObject
-----------
"MachineLaunchRestriction"=hex:01,00,04,80,ec,00,00,00,fc,00,00,00,00,00,00,...
  14,00,00,00,02,00,d8,00,07,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,\
  00,00,01,00,00,00,00,00,00,18,00,0b,00,00,00,01,02,00,00,00,00,00,0f,02,00,\
  00,00,01,00,00,00,00,00,38,00,0b,00,00,00,01,0a,00,00,00,00,00,0f,03,00,00,\
  00,00,04,00,00,a1,27,60,8f,9a,bb,18,34,63,b6,77,ff,9d,d5,b6,6c,e7,32,1a,68,\
  08,52,43,92,86,a6,1f,d8,98,17,1b,3b,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,00,\
  00,05,20,00,00,00,2f,02,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,32,02,00,00,00,00,24,00,03,00,00,00,01,05,00,00,00,00,00,05,\
  15,00,00,00,32,df,6d,d0,d0,4e,e6,fe,1e,b7,55,58,e9,03,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,\
  00,00
"MachineLaunchRestriction"=hex:01,00,04,80,d0,00,00,00,e0,00,00,00,00,00,00,...
  14,00,00,00,02,00,bc,00,06,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
  00,01,00,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,00,00,05,20,00,00,\
  00,32,02,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  2f,02,00,00,00,00,18,00,0b,00,00,00,01,02,00,00,00,00,00,0f,02,00,00,00,01,\
  00,00,00,00,00,38,00,0b,00,00,00,01,0a,00,00,00,00,00,0f,03,00,00,00,00,04,\
  00,00,a1,27,60,8f,9a,bb,18,34,63,b6,77,ff,9d,d5,b6,6c,e7,32,1a,68,08,52,43,\
  92,86,a6,1f,d8,98,17,1b,3b,49,00,6e,00,66,00,6f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00

While I can see where there are sections of equality, I've not found a handy tool to compare these and, even if I did, my concern is that not all computers are going to start out equal.
So, if replacement is intended, we'd be adding the name but to a different computer's configuration.  That is, the target computer would end up with the reference computer's settings but including the new username and allow/deny settings.
It surely doesn't appear that there are values that can be selected and changed as the number of values differ by quite a bit.
If I knew how to parse the results into pieces then maybe an "add" would work but still iffy.

Unless there's a way to resolve that issue, I'd still be looking for a "make a setting" solution.
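
The "parse it into pieces and add" approach raised in the post above, as an added example that is not part of the thread or any poster's code: it decodes the machine's own MachineLaunchRestriction security descriptor, adds one allow ACE, and writes the result back, so each computer keeps its existing entries. The account name is a placeholder, and the 0x1F mask (all five COM launch/activation rights) is an assumption chosen to match "ALLOW all".

```powershell
# Added example (not from the thread). Run in an elevated Windows PowerShell 5.1+ session.
$Account   = 'CONTOSO\wmi-reader'        # placeholder account (assumption)
$OleKey    = 'HKLM:\SOFTWARE\Microsoft\Ole'
$ValueName = 'MachineLaunchRestriction'  # the "Limits" value that differs in the exported .reg files
# COM rights: execute (1) + local launch (2) + remote launch (4)
#           + local activation (8) + remote activation (16) = 0x1F ("Allow" on every row)
$Mask = 0x1F

function Add-DcomAllowAce {
    param([byte[]]$BinarySD,
          [System.Security.Principal.SecurityIdentifier]$Sid,
          [int]$AccessMask)
    # Decode the binary security descriptor stored in the registry value.
    $sd  = [System.Security.AccessControl.RawSecurityDescriptor]::new($BinarySD, 0)
    $acl = $sd.DiscretionaryAcl
    # Reuse an existing allow ACE for this SID so reruns do not pile up duplicates.
    $existing = $acl | Where-Object {
        $_ -is [System.Security.AccessControl.CommonAce] -and
        $_.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed -and
        $_.SecurityIdentifier.Equals($Sid)
    } | Select-Object -First 1
    if ($existing) {
        $existing.AccessMask = $existing.AccessMask -bor $AccessMask
    } else {
        $ace = [System.Security.AccessControl.CommonAce]::new(
            [System.Security.AccessControl.AceFlags]::None,
            [System.Security.AccessControl.AceQualifier]::AccessAllowed,
            $AccessMask, $Sid, $false, $null)
        $acl.InsertAce($acl.Count, $ace)   # append after the ACEs already present
    }
    # Re-encode the descriptor in the binary form the registry expects.
    $bytes = [byte[]]::new($sd.BinaryLength)
    $sd.GetBinaryForm($bytes, 0)
    return ,$bytes
}

$sid = [System.Security.Principal.NTAccount]::new($Account).Translate(
           [System.Security.Principal.SecurityIdentifier])
[byte[]]$before = (Get-ItemProperty -Path $OleKey -Name $ValueName -ErrorAction Stop).$ValueName
# Keep this machine's original value so the change can be rolled back.
[System.IO.File]::WriteAllBytes("$env:TEMP\$ValueName.bak", $before)

[byte[]]$after = Add-DcomAllowAce -BinarySD $before -Sid $sid -AccessMask $Mask
Set-ItemProperty -Path $OleKey -Name $ValueName -Value $after -Type Binary

# Print the result as SDDL: the account's SID appears, the other entries are unchanged.
[System.Security.AccessControl.RawSecurityDescriptor]::new($after, 0).GetSddlForm('All')
```

A narrower mask (for example 0x0B for local launch and activation only) limits what the account can start over the network; granting the rights to a dedicated group instead of a single user keeps the descriptor stable as membership changes.
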
ASKER CERTIFIED SOLUTION
Adam Leinss

This solution is only available to members.
Adam Leinss:  Thanks!  How embarrassing.  I must have been diverted back there a year ago.

Yes, that looks like it!
Thanks!!