<div>
That is hard to follow.<br />
<br />
By default, users may encrypt removable devices like sticks and there are no admin privileges required to do that.<br />
So it seems your GPOs have been altered to disallow that and now you seek a way to undo that.<br />
<br />
Let's have a look at the GPO settings together. please upload results.html from your %temp% folder after running (on an lelevated command prompt):<br />

<pre><code class="code-1 nolinks" id="code-20-42704094-1"><span>gpresult /h %temp%\results.html</span>
</code></pre>
</div>


<div>
Hello,<br />
The use case is that my boss want to allow some user to encrypt USB Sticks with manage-bde with SID protectors.<br />
Allowing them to use other type of encryption is not an option.<br />
Basically this can be done with the right WMI namespace right. The problem is that the script that is going to push the WMI configuration is not working as expected.<br />
Thanks.
</div>


<div>
Ah, I see, SID protectors need admin privs and you have found out that WMI namespace rights suffice. Where did you read that?
</div>


<div>
In stackoverflow and it works. You have to give the user the &quot;method execute&quot; right on the node ROOT&gt;CIMV2&gt;Security&gt;Microf<wbr />ostVolumeE<wbr />ncryption &nbsp;to allow him to run encryption with manage-bde.exe .<br />
My problem is how to script this operation.
</div>


<div>
It works here as soon as I execute the vbs-script as system account.
</div>


<div>
I dont want to give the users the local admin password . That's the problem.
</div>


<div>
They don't need it. As I said, it works here. I used the process you outlined to create a VBS script that sets the ACL correctly and afterwards, the user may add a SID protector on his BL encrypted usb stick without being admin.<br />
<br />
As said, you need to execute the VBscript as system account. That could be done in a startup script.
</div>


<div>
That's the point. I executed my script with the exported array of parameter but no change is done .<br />
I tested it on Windows 10 pro.<br />
Any ideas please?
</div>


<div>
Hm, when will you understand that you write &quot;Both operations are done with local admin account&quot; while I advise you, to use the system account? For me, it does not work as local admin, either, and it returns &quot;Privilege not held&quot;.
</div>


<div>
To use the system account, use psexec to start a command shell as system like this (launch the following on an elevated command prompt):<br />
psexec -s -i cmd<br />
Then, launch your vbs script.
</div>


<div>
Another thing, I noticed a typo, you should check your script as you wrote &quot;microfost&quot;
</div>


<div>
I got the same problem with the system account.<br />
No error and the same configuration is kept.
</div>


<div>
Ok, show me your scripts, both the one creating the output that you paste and the script that the system account executes.
</div>


<div>
This is the command that I'm using &nbsp;to &quot;dump&quot; the rights:<br />

<pre><code class="code-1 nolinks" id="code-20-42704295-1"><span>wmic /namespace:\\root\CIMV2 /output:sd.txt path __systemsecurity call getSD</span>
</code></pre>
This is the script : <br />

<pre><code class="code-1 nolinks" id="code-20-42704295-2"><span>strSD =array(1,0,4,129,....,0)</span>
<span></span>
<span>set namespace = createobject(&quot;wbemscripting.swbemlocator&quot;).connectserver(,&quot;root\CIMV2&quot;)</span>
<span></span>
<span></span>
<span>set security = namespace.get(&quot;__systemsecurity=@&quot;)</span>
<span></span>
<span></span>
<span>nStatus = security.setsd(strSD)</span>
</code></pre>
I tested both as local admin and as SYSTEM.
</div>


<div>
You are welcome.<br />
<br />
And by the way, this method might prove useful someday, I did not know it before.
</div>


<div>
<div class="content wysiwyg-content">
I'm using manage-bde.exe to allow some power user to encrypt their USB Stick.<br />
I have a DC (Windows Server 2012 R2) with 100 hunder windows 10 pro laptpos.<br />
The users don't have admin privlege on their machines.<br />
I found that changing &nbsp;WMI privilege manually &nbsp;(ROOT&gt;CIMV2&gt;Security&gt;Micro<wbr />fostVolume<wbr />Encryption<wbr />) and adding manually the specif account and giving him &nbsp;&quot;execute method&quot; privilege allow the user to run the encryption without possessing admin rights.<br />
<br />
I'm trying to create a script that I'm going to push via GPO to apply the needed changes.<br />
I tried using this <a href="https://blogs.msdn.microsoft.com/spatdsg/2007/11/21/set-wmi-namespace-security-via-gpo-script/" rel="ugc nofollow">method</a> &nbsp;without success.<br />
I can dump the privlege. Applying them give no errors but no changes are done.<br />
Both operations are done with local admin account.<br />
Thanks.
</div>
</div>


I'm using manage-bde.exe to allow some power user to encrypt their USB Stick.
I have a DC (Windows Server 2012 R2) with 100 hunder windows 10 pro laptpos.
The users don't have admin privlege on their machines.
I found that changing  WMI privilege manually  (ROOT>CIMV2>Security>MicrofostVolumeEncryption) and adding manually the specif account and giving him  "execute method" privilege allow the user to run the encryption without possessing admin rights.

I'm trying to create a script that I'm going to push via GPO to apply the needed changes.
I tried using this method (https://blogs.msdn.microsoft.com/spatdsg/2007/11/21/set-wmi-namespace-security-via-gpo-script/)  without success.
I can dump the privlege. Applying them give no errors but no changes are done.
Both operations are done with local admin account.
Thanks.

push WMI privilege using GPO

Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. In an encryption scheme, the intended communication information or message, referred to as plaintext, is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients, but not to unauthorized interceptors.

Encryption

WMIC

Windows Server 2012 is the server version of Windows 8 and the successor to Windows Server 2008 R2. Windows Server 2012 is the first version of Windows Server to have no support for Itanium-based computers since Windows NT 4.0. Windows Server 2012, now in its second release (Windows Server 2012 Release 2) includes Foundation, Essentials, Standard and Datacenter, and does not support IA-32 or IA-64 processors.

Windows Server 2012

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

A scripting language is a programming language that supports scripts, programs written for a special run-time environment that automate the execution of tasks that could alternatively be executed one-by-one by a human operator. Scripting languages are often interpreted (rather than compiled). Primitives are usually the elementary tasks or API calls, and the language allows them to be combined into more complex programs. Environments that can be automated through scripting include software applications, web pages within a web browser, the shells of operating systems (OS), embedded systems, as well as numerous games. A scripting language can be viewed as a domain-specific language for a particular environment; in the case of scripting an application, this is also known as an extension language.