H D

asked on

push WMI privilege using GPO

I'm using manage-bde.exe to allow some power users to encrypt their USB sticks.
I have a DC (Windows Server 2012 R2) with a hundred Windows 10 Pro laptops.
The users don't have admin privileges on their machines.
I found that changing the WMI privileges manually (ROOT>CIMV2>Security>MicrosoftVolumeEncryption), adding the specific account manually and giving it the "Execute Methods" privilege allows the user to run the encryption without possessing admin rights.

I'm trying to create a script that I'm going to push via GPO to apply the needed changes.
I tried using this method without success.
I can dump the privileges. Applying them gives no errors, but no changes are made.
Both operations are done with a local admin account.
Thanks.
McKnife

That is hard to follow.

By default, users may encrypt removable devices like sticks and there are no admin privileges required to do that.
So it seems your GPOs have been altered to disallow that and now you seek a way to undo that.

Let's have a look at the GPO settings together. Please upload results.html from your %temp% folder after running (in an elevated command prompt):
gpresult /h %temp%\results.html


H D

ASKER

Hello,
The use case is that my boss wants to allow some users to encrypt USB sticks with manage-bde with SID protectors.
Allowing them to use other types of encryption is not an option.
Basically this can be done with the right WMI namespace rights. The problem is that the script that is going to push the WMI configuration is not working as expected.
Thanks.
Ah, I see, SID protectors need admin privs and you have found out that WMI namespace rights suffice. Where did you read that?
H D

ASKER

On Stack Overflow, and it works. You have to give the user the "Execute Methods" right on the node ROOT>CIMV2>Security>MicrosoftVolumeEncryption to allow him to run encryption with manage-bde.exe.
My problem is how to script this operation.
It works here as soon as I execute the VBS script as the system account.
H D

ASKER

I don't want to give the users the local admin password. That's the problem.
They don't need it. As I said, it works here. I used the process you outlined to create a VBS script that sets the ACL correctly, and afterwards the user may add a SID protector to his BitLocker-encrypted USB stick without being admin.

As said, you need to execute the VBScript as the system account. That could be done in a startup script.
H D

ASKER

That's the point. I executed my script with the exported array of parameters, but no change is made.
I tested it on Windows 10 Pro.
Any ideas please?
Hm, when will you understand that you write "Both operations are done with local admin account" while I advise you to use the system account? For me, it does not work as local admin either, and it returns "Privilege not held".
To use the system account, use psexec to start a command shell as system like this (launch the following in an elevated command prompt):
psexec -s -i cmd
Then, launch your vbs script.
Another thing: I noticed a typo; you should check your script, as you wrote "microfost".
H D

ASKER

I got the same problem with the system account.
No error, and the same configuration is kept.
OK, show me your scripts: both the one creating the output that you pasted, and the script that the system account executes.
H D

ASKER

This is the command that I'm using to "dump" the rights:
wmic /namespace:\\root\CIMV2\Security\MicrosoftVolumeEncryption /output:sd.txt path __systemsecurity call getSD

This is the script:
' Security descriptor exported with "wmic ... call getSD" (byte array; the full dump is elided here).
strSD = Array(1,0,4,129,....,0)

' The namespace must be the one where "Execute Methods" was granted manually
' (root\CIMV2\Security\MicrosoftVolumeEncryption), not its parent root\CIMV2:
' re-applying root\CIMV2's own dump to root\CIMV2 changes nothing.
Set namespace = CreateObject("WbemScripting.SWbemLocator").ConnectServer(, "root\CIMV2\Security\MicrosoftVolumeEncryption")

' __SystemSecurity=@ is the singleton that carries the namespace security descriptor.
Set security = namespace.Get("__SystemSecurity=@")

' SetSD returns 0 on success; anything else is a WMI error code.
nStatus = security.SetSD(strSD)
WScript.Echo "SetSD returned " & nStatus

I tested both as local admin and as SYSTEM.
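The thread's approach is to dump a whole security descriptor from a reference machine and replay it, which silently does nothing when the dump comes from the wrong namespace and is hard to audit. The script below is an added example, not code from the thread or from either participant: it grants a group "Enable Account" and "Execute Methods" on the namespace named in the thread by editing the DACL in place on each machine, and is written to run as SYSTEM, for instance as a GPO computer startup script, which is the execution context McKnife recommends. The group name CORP\BitLocker-USB-Users is an assumption; the rights mask (WBEM_ENABLE 0x1 plus WBEM_METHOD_EXECUTE 0x2) is what the wmimgmt.msc "Enable Account" and "Execute Methods" checkboxes set, and granting Enable Account alongside Execute Methods is an assumption, since a principal that cannot connect to the namespace cannot call methods in it.

```powershell
<#
  Added example (not from the original thread).
  Grants $Account "Enable Account" + "Execute Methods" on $Namespace.
  Run as SYSTEM (e.g. GPO computer startup script); as a plain local admin,
  SetSD fails with "Privilege not held", as noted in the thread.
  $Account is an assumed group name; adjust for your domain.
#>
param(
    [string]$Namespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption',
    [string]$Account   = 'CORP\BitLocker-USB-Users'   # assumption
)

$WBEM_ENABLE         = 0x1   # may connect to the namespace
$WBEM_METHOD_EXECUTE = 0x2   # may call provider methods (what manage-bde uses)
$mask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE

# Resolve the account to a SID up front; failing here beats writing a bad ACE.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier])

# __SystemSecurity is the singleton carrying the namespace security descriptor.
$sec = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity
$get = $sec.GetSD()
if ($get.ReturnValue -ne 0) {
    throw "GetSD on $Namespace failed with code $($get.ReturnValue)"
}

# Parse the self-relative SD bytes with the .NET ACL types instead of
# treating the descriptor as an opaque blob to replay.
$sd   = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$get.SD, 0)
$dacl = $sd.DiscretionaryAcl
if ($null -eq $dacl) { throw "$Namespace has no DACL; refusing to guess" }

# Idempotent: a startup script runs at every boot, so only add the ACE once.
$present = $false
foreach ($ace in $dacl) {
    if ($ace -is [System.Security.AccessControl.CommonAce] -and
        $ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed -and
        $ace.SecurityIdentifier -eq $sid -and
        (($ace.AccessMask -band $mask) -eq $mask)) {
        $present = $true
    }
}

if ($present) {
    Write-Output "$Account already holds the rights on $Namespace; nothing to do"
    return
}

# AceFlags::None = this namespace only, matching the manual wmimgmt.msc change.
$ace = [System.Security.AccessControl.CommonAce]::new(
    [System.Security.AccessControl.AceFlags]::None,
    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
    $mask, $sid, $false, $null)
$dacl.InsertAce($dacl.Count, $ace)

# Serialise the modified descriptor and write it back.
$bytes = New-Object byte[] $sd.BinaryLength
$sd.GetBinaryForm($bytes, 0)
$set = $sec.SetSD($bytes)
if ($set.ReturnValue -ne 0) {
    throw "SetSD on $Namespace failed with code $($set.ReturnValue)"
}
Write-Output "Granted Enable Account + Execute Methods on $Namespace to $Account"
```

Deploy it under Computer Configuration > Policies > Windows Settings > Scripts > Startup, so it runs as SYSTEM on every laptop without handing out the local admin password. After the first boot, verify on one machine in wmimgmt.msc (Security tab of the namespace) that the group appears with only those two rights checked, and that a member can run the manage-bde protector command without elevation.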
ASKER CERTIFIED SOLUTION
McKnife
H D

ASKER

Thank you :)
You are welcome.

And by the way, this method might prove useful someday; I did not know it before.