Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
push WMI privilege using GPO
I'm using manage-bde.exe to allow some power user to encrypt their USB Stick.
I have a DC (Windows Server 2012 R2) with 100 hunder windows 10 pro laptpos.
The users don't have admin privlege on their machines.
I found that changing WMI privilege manually (ROOT>CIMV2>Security>Micro
I'm trying to create a script that I'm going to push via GPO to apply the needed changes.
I tried using this method without success.
I can dump the privlege. Applying them give no errors but no changes are done.
Both operations are done with local admin account.
Thanks.
I have a DC (Windows Server 2012 R2) with 100 hunder windows 10 pro laptpos.
The users don't have admin privlege on their machines.
I found that changing WMI privilege manually (ROOT>CIMV2>Security>Micro
I'm trying to create a script that I'm going to push via GPO to apply the needed changes.
I tried using this method without success.
I can dump the privlege. Applying them give no errors but no changes are done.
Both operations are done with local admin account.
Thanks.
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
That is hard to follow.
By default, users may encrypt removable devices like sticks and there are no admin privileges required to do that.
So it seems your GPOs have been altered to disallow that and now you seek a way to undo that.
Let's have a look at the GPO settings together. please upload results.html from your %temp% folder after running (on an lelevated command prompt):
By default, users may encrypt removable devices like sticks and there are no admin privileges required to do that.
So it seems your GPOs have been altered to disallow that and now you seek a way to undo that.
Let's have a look at the GPO settings together. please upload results.html from your %temp% folder after running (on an lelevated command prompt):
gpresult /h %temp%\results.html
Hello,
The use case is that my boss want to allow some user to encrypt USB Sticks with manage-bde with SID protectors.
Allowing them to use other type of encryption is not an option.
Basically this can be done with the right WMI namespace right. The problem is that the script that is going to push the WMI configuration is not working as expected.
Thanks.
The use case is that my boss want to allow some user to encrypt USB Sticks with manage-bde with SID protectors.
Allowing them to use other type of encryption is not an option.
Basically this can be done with the right WMI namespace right. The problem is that the script that is going to push the WMI configuration is not working as expected.
Thanks.
Ah, I see, SID protectors need admin privs and you have found out that WMI namespace rights suffice. Where did you read that?
In stackoverflow and it works. You have to give the user the "method execute" right on the node ROOT>CIMV2>Security>Microf
My problem is how to script this operation.
My problem is how to script this operation.
They don't need it. As I said, it works here. I used the process you outlined to create a VBS script that sets the ACL correctly and afterwards, the user may add a SID protector on his BL encrypted usb stick without being admin.
As said, you need to execute the VBscript as system account. That could be done in a startup script.
As said, you need to execute the VBscript as system account. That could be done in a startup script.
That's the point. I executed my script with the exported array of parameter but no change is done .
I tested it on Windows 10 pro.
Any ideas please?
I tested it on Windows 10 pro.
Any ideas please?
Hm, when will you understand that you write "Both operations are done with local admin account" while I advise you, to use the system account? For me, it does not work as local admin, either, and it returns "Privilege not held".
To use the system account, use psexec to start a command shell as system like this (launch the following on an elevated command prompt):
psexec -s -i cmd
Then, launch your vbs script.
psexec -s -i cmd
Then, launch your vbs script.
Ok, show me your scripts, both the one creating the output that you paste and the script that the system account executes.
This is the command that I'm using to "dump" the rights:
wmic /namespace:\\root\CIMV2 /output:sd.txt path __systemsecurity call getSD
strSD =array(1,0,4,129,....,0)
set namespace = createobject("wbemscripting.swbemlocator").connectserver(,"root\CIMV2")
set security = namespace.get("__systemsecurity=@")
nStatus = security.setsd(strSD)
No, to create it, take
wmic /namespace:\\root\CIMV2\Security\MicrosoftVolumeEncryption /output:sd.txt path __systemsecurity call getSD
strSD = array(1,0,4,129,148,0,0,0,164,0,0,0,0,0,0,0,20,0,0,0,2,0,128,0,5,0,0,0,0,0,36,0,1,0,0,0,1,5,0,0,0,0,0,5,21,0,0,0,216,37,44,114,11,95,44,7,34,199,223,9,83,4,0,0,0,18,24,0,63,0,6,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0,0,18,20,0,19,0,0,0,1,1,0,0,0,0,0,5,20,0,0,0,0,18,20,0,19,0,0,0,1,1,0,0,0,0,0,5,19,0,0,0,0,18,20,0,19,0,0,0,1,1,0,0,0,0,0,5,11,0,0,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0)
set namespace = createobject("wbemscripting.swbemlocator").connectserver(,"root\CIMV2\Security\MicrosoftVolumeEncryption")
set security = namespace.get("__systemsecurity=@")
nStatus = security.setsd(strSD)
Premium Content
You need an Expert Office subscription to comment.Start Free Trial