Avatar of hypercube
Flag for United States of America asked on

Deploying DCOM settings with script or GPO.

I have a domain where workstations require DCOMCNFG to make DCOM settings for SIEM monitoring and for a production app's.
It's not too tough to make the settings manually but it's still time-consuming and tedious.
Having a GPO or script to set them would likely be very useful.
IF there were a script, I'd still prefer to deploy via GPO because of Windows updates making changes otherwise.

To be specific, using DCOMCNFG, we need to open My Computer properties and
1) set DOM Security / Access Permissions /Edit Limits by adding adding missing Permissions for Group or User Names and adding names and permissions if missing and
2) to do the same for DOM Security / Launch and Activation Permissions /Edit Limits
And going down the tree hierarchy to Console Root \ Computers \ My Computer \ DCOM Config \ Windows Management and Instrumentation \ Properties \ Security \ Launch and Activation Permissions: adding missing Permissions for Group or User Names and adding names and permissions if missing.

In my research toward doing this, I've not found anything that's very satisfying.  
I'm happy to read and to develop but a better starting point would sure help!
Any suggestions would be appreciated.
* gpos* DCOMWindows OSSecurity

Avatar of undefined
Last Comment

8/22/2022 - Mon
Darrell Porter

I haven't yet had the need to do this but a quick Google search found
this gem from the Microsoft Script Repository.

If you are not familiar with Powershell, I can take an in-depth look and write a script, with comments, for you.

Darrell:  Yes, I'd seen that.  And, I'm usually able to wade into Powershell things but this one is a bit cryptic for me.  

The key question I have for now is this:
Let's say I want to Grant-DCOMPermission to "joe" and give:
Access Permissions Limits: [All of them]
Launch and Activation Limits:[All of them]
Security \ Launch and Activation Permissions:[All of them]
Where does one get the AppIDs for this to use with the module?
Darrell Porter

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Darrell Porter

And if it is not evident, I tend to not use abbreviations or single-line commands when writing scripts for others.

It has been my experience scripts for others are far less maintainable when written using single-line commands and abbreviations.  This method of writing also makes it more difficult for novices to understand and pick apart.
Your help has saved me hundreds of hours of internet surfing.

By ALL, I meant:

For Access Permission / Limits
- Local Access
- Remote Access

For Launch and Activation Permission
- Local Launch
- Remote Launch
- Local Activation
- Remote Activation

But then are are also the App ID settings.  If I understand that, there is only ONE "app": Windows Management and Instrumentation

Thank you!!