
Deploying DCOM settings with script or GPO.

Fred Marshall
I have a domain where workstations require DCOMCNFG to make DCOM settings for SIEM monitoring and for a production app.
It's not too tough to make the settings manually but it's still time-consuming and tedious.
Having a GPO or script to set them would likely be very useful.
IF there were a script, I'd still prefer to deploy via GPO because of Windows updates making changes otherwise.


To be specific, using DCOMCNFG, we need to open My Computer properties and
1) set COM Security / Access Permissions / Edit Limits by adding missing Permissions for Group or User Names and adding names and permissions if missing, and
2) do the same for COM Security / Launch and Activation Permissions / Edit Limits.
And going down the tree hierarchy to Console Root \ Computers \ My Computer \ DCOM Config \ Windows Management and Instrumentation \ Properties \ Security \ Launch and Activation Permissions: adding missing Permissions for Group or User Names and adding names and permissions if missing.

In my research toward doing this, I've not found anything that's very satisfying.  
I'm happy to read and to develop but a better starting point would sure help!
Any suggestions would be appreciated.

Darrell Porter, Enterprise Business Process Architect

Commented:
I haven't yet had the need to do this but a quick Google search found
this gem from the Microsoft Script Repository.

If you are not familiar with Powershell, I can take an in-depth look and write a script, with comments, for you.

Author

Commented:
Darrell:  Yes, I'd seen that.  And, I'm usually able to wade into Powershell things but this one is a bit cryptic for me.  

The key question I have for now is this:
Let's say I want to Grant-DCOMPermission to "joe" and give:
Access Permissions Limits: [All of them]
Launch and Activation Limits:[All of them]
Security \ Launch and Activation Permissions:[All of them]
Where does one get the AppIDs for this to use with the module?
Darrell Porter, Enterprise Business Process Architect
Commented:
$DCOM = Get-WmiObject Win32_DCOMApplication
$DCOM | Format-Table AppID, Caption -auto


This is a basic two-line snippet which gathers the AppID and common object name for the DCOM objects into a collection in the first line, then outputs the collection on the screen in a human-readable format of AppID and the object's common name.
Darrell Porter, Enterprise Business Process Architect
Commented:
Then you can do the following sort of construct:

Import-Module C:\Users\Fred\Scripts\Modules\DCOMPermissions.psm1
$DCOM = Get-WmiObject Win32_DCOMApplication
# get the Launch permissions for each existing DCOM app
ForEach ($app in $DCOM) { get-DcomPermission -AppID $app.AppID -type Launch }
# get the Access permissions for each existing DCOM app
ForEach ($app in $DCOM) { get-DcomPermission -AppID $app.AppID -type Access }



I am unclear as to the reason any one account would require every permission and via script it would be a bit ugly in comparison to the GUI.

    Possible values: 
      SeTrustedCredManAccessPrivilege      Access Credential Manager as a trusted caller
      SeNetworkLogonRight                  Access this computer from the network
      SeTcbPrivilege                       Act as part of the operating system
      SeMachineAccountPrivilege            Add workstations to domain
      SeIncreaseQuotaPrivilege             Adjust memory quotas for a process
      SeInteractiveLogonRight              Allow log on locally
      SeRemoteInteractiveLogonRight        Allow log on through Remote Desktop Services
      SeBackupPrivilege                    Back up files and directories
      SeChangeNotifyPrivilege              Bypass traverse checking
      SeSystemtimePrivilege                Change the system time
      SeTimeZonePrivilege                  Change the time zone
      SeCreatePagefilePrivilege            Create a pagefile
      SeCreateTokenPrivilege               Create a token object
      SeCreateGlobalPrivilege              Create global objects
      SeCreatePermanentPrivilege           Create permanent shared objects
      SeCreateSymbolicLinkPrivilege        Create symbolic links
      SeDebugPrivilege                     Debug programs
      SeDenyNetworkLogonRight              Deny access this computer from the network
      SeDenyBatchLogonRight                Deny log on as a batch job
      SeDenyServiceLogonRight              Deny log on as a service
      SeDenyInteractiveLogonRight          Deny log on locally
      SeDenyRemoteInteractiveLogonRight    Deny log on through Remote Desktop Services
      SeEnableDelegationPrivilege          Enable computer and user accounts to be trusted for delegation
      SeRemoteShutdownPrivilege            Force shutdown from a remote system
      SeAuditPrivilege                     Generate security audits
      SeImpersonatePrivilege               Impersonate a client after authentication
      SeIncreaseWorkingSetPrivilege        Increase a process working set
      SeIncreaseBasePriorityPrivilege      Increase scheduling priority
      SeLoadDriverPrivilege                Load and unload device drivers
      SeLockMemoryPrivilege                Lock pages in memory
      SeBatchLogonRight                    Log on as a batch job
      SeServiceLogonRight                  Log on as a service
      SeSecurityPrivilege                  Manage auditing and security log
      SeRelabelPrivilege                   Modify an object label
      SeSystemEnvironmentPrivilege         Modify firmware environment values
      SeManageVolumePrivilege              Perform volume maintenance tasks
      SeProfileSingleProcessPrivilege      Profile single process
      SeSystemProfilePrivilege             Profile system performance
      SeUnsolicitedInputPrivilege          Read unsolicited input from a terminal device
      SeUndockPrivilege                    Remove computer from docking station
      SeAssignPrimaryTokenPrivilege        Replace a process level token
      SeRestorePrivilege                   Restore files and directories
      SeShutdownPrivilege                  Shut down the system
      SeSyncAgentPrivilege                 Synchronize directory service data
      SeTakeOwnershipPrivilege             Take ownership of files or other objects



Since some of these rights conflict, I can only presume you mean you want the explicit allow permissions and not the explicit deny permissions.

You could simply use an array as follows:

# Each entry must be a quoted string; a bare word inside @( ) is parsed as a command and fails.
$permissions = @(
#    Possible values: 
      'SeTrustedCredManAccessPrivilege'     # Access Credential Manager as a trusted caller
      'SeNetworkLogonRight'                 # Access this computer from the network
      'SeTcbPrivilege'                      # Act as part of the operating system
      'SeMachineAccountPrivilege'           # Add workstations to domain
      'SeIncreaseQuotaPrivilege'            # Adjust memory quotas for a process
      'SeInteractiveLogonRight'             # Allow log on locally
      'SeRemoteInteractiveLogonRight'       # Allow log on through Remote Desktop Services
      'SeBackupPrivilege'                   # Back up files and directories
      'SeChangeNotifyPrivilege'             # Bypass traverse checking
      'SeSystemtimePrivilege'               # Change the system time
      'SeTimeZonePrivilege'                 # Change the time zone
      'SeCreatePagefilePrivilege'           # Create a pagefile
      'SeCreateTokenPrivilege'              # Create a token object
      'SeCreateGlobalPrivilege'             # Create global objects
      'SeCreatePermanentPrivilege'          # Create permanent shared objects
      'SeCreateSymbolicLinkPrivilege'       # Create symbolic links
      'SeDebugPrivilege'                    # Debug programs
#   The explicit deny rights are left out on purpose (they conflict with the allows above):
#   SeDenyNetworkLogonRight              Deny access this computer from the network
#   SeDenyBatchLogonRight                Deny log on as a batch job
#   SeDenyServiceLogonRight              Deny log on as a service
#   SeDenyInteractiveLogonRight          Deny log on locally
#   SeDenyRemoteInteractiveLogonRight    Deny log on through Remote Desktop Services
      'SeEnableDelegationPrivilege'         # Enable computer and user accounts to be trusted for delegation
      'SeRemoteShutdownPrivilege'           # Force shutdown from a remote system
      'SeAuditPrivilege'                    # Generate security audits
      'SeImpersonatePrivilege'              # Impersonate a client after authentication
      'SeIncreaseWorkingSetPrivilege'       # Increase a process working set
      'SeIncreaseBasePriorityPrivilege'     # Increase scheduling priority
      'SeLoadDriverPrivilege'               # Load and unload device drivers
      'SeLockMemoryPrivilege'               # Lock pages in memory
      'SeBatchLogonRight'                   # Log on as a batch job
      'SeServiceLogonRight'                 # Log on as a service
      'SeSecurityPrivilege'                 # Manage auditing and security log
      'SeRelabelPrivilege'                  # Modify an object label
      'SeSystemEnvironmentPrivilege'        # Modify firmware environment values
      'SeManageVolumePrivilege'             # Perform volume maintenance tasks
      'SeProfileSingleProcessPrivilege'     # Profile single process
      'SeSystemProfilePrivilege'            # Profile system performance
      'SeUnsolicitedInputPrivilege'         # Read unsolicited input from a terminal device
      'SeUndockPrivilege'                   # Remove computer from docking station
      'SeAssignPrimaryTokenPrivilege'       # Replace a process level token
      'SeRestorePrivilege'                  # Restore files and directories
      'SeShutdownPrivilege'                 # Shut down the system
      'SeSyncAgentPrivilege'                # Synchronize directory service data
      'SeTakeOwnershipPrivilege'            # Take ownership of files or other objects
)



Then use this new array variable and pass it into the Grant- or Revoke- functions as the -Permissions $permissions parameter.
Darrell Porter, Enterprise Business Process Architect

Commented:
And if it is not evident, I tend to not use abbreviations or single-line commands when writing scripts for others.

It has been my experience that scripts for others are far less maintainable when written using single-line commands and abbreviations.  This method of writing also makes it more difficult for novices to understand and pick apart.

Author

Commented:
By ALL, I meant:

For Access Permission / Limits
- Local Access
- Remote Access

For Launch and Activation Permission
- Local Launch
- Remote Launch
- Local Activation
- Remote Activation

But then there are also the App ID settings.  If I understand that, there is only ONE "app": Windows Management and Instrumentation
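An added example, not code from the thread or the linked DCOMPermissions module: it reads the binary security descriptors that DCOMCNFG edits (machine-wide Edit Limits and the WMI AppID) and reports, per trustee, which of the rights listed above (Local/Remote Access, Local/Remote Launch, Local/Remote Activation) are granted, so a GPO or script deployment can be verified on each workstation. It assumes Windows PowerShell 5.1 and read access to HKLM; the registry value names and the COM_RIGHTS_* bit meanings are standard Windows ones, and the WMI application is located by caption through the same Win32_DCOMApplication class used earlier in the thread.

```powershell
# Added example (not code from the thread or the linked DCOMPermissions module).
# Decodes the binary security descriptors DCOMCNFG edits and reports, per trustee,
# which of the rights named in the thread (Local/Remote Access, Launch, Activation)
# are granted, so the result of a GPO or script deployment can be audited.
# Assumes Windows PowerShell 5.1 and read access to HKLM.

# Access-mask bit meanings differ between access and launch descriptors (COM_RIGHTS_* values).
$RightNames = @{
    Access = @{ 1 = 'Execute'; 2 = 'LocalAccess'; 4 = 'RemoteAccess' }
    Launch = @{ 1 = 'Execute'; 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }
}

function Get-DcomAceReport {
    param(
        [byte[]]$Descriptor,                               # REG_BINARY self-relative security descriptor
        [ValidateSet('Access', 'Launch')][string]$Kind,
        [string]$Label
    )
    if (-not $Descriptor) { Write-Warning "$Label is not set; built-in defaults apply"; return }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Descriptor, 0)
    # SDDL is the form the "DCOM: Machine ... Restrictions" Security Options GPO settings accept.
    Write-Host "$Label SDDL: $($sd.GetSddlForm('Dacl'))"
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        $granted = foreach ($bit in ($RightNames[$Kind].Keys | Sort-Object)) {
            if ($ace.AccessMask -band $bit) { $RightNames[$Kind][$bit] }
        }
        [pscustomobject]@{ Scope = $Label; AceType = $ace.AceType; Trustee = $who; Rights = ($granted -join ', ') }
    }
}

function Get-DcomPermissionReport {
    # Machine-wide limits ("Edit Limits" in DCOMCNFG) are stored under HKLM:\SOFTWARE\Microsoft\Ole.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
    Get-DcomAceReport -Descriptor $ole.MachineAccessRestriction -Kind Access -Label 'Machine Access Limits'
    Get-DcomAceReport -Descriptor $ole.MachineLaunchRestriction -Kind Launch -Label 'Machine Launch Limits'

    # Per-application permissions are stored under HKLM:\SOFTWARE\Classes\AppID\{guid}; WMI's AppID
    # is found by caption through the same WMI class used earlier in the thread.
    $wmi = Get-WmiObject Win32_DCOMApplication | Where-Object { $_.Caption -eq 'Windows Management and Instrumentation' }
    if ($wmi) {
        $app = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\AppID\$($wmi.AppID)" -ErrorAction SilentlyContinue
        Get-DcomAceReport -Descriptor $app.LaunchPermission -Kind Launch -Label "$($wmi.Caption) Launch"
        Get-DcomAceReport -Descriptor $app.AccessPermission -Kind Access -Label "$($wmi.Caption) Access"
    }
}

Get-DcomPermissionReport | Format-Table -AutoSize
```

Run it before and after applying the GPO and diff the two reports; a "not set" warning means the machine is still on the built-in defaults rather than an explicit descriptor.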

Author

Commented:
Thank you!!