Deploying DCOM settings with script or GPO.
I have a domain where workstations require DCOMCNFG to make DCOM settings for SIEM monitoring and for a production app's.
It's not too tough to make the settings manually but it's still time-consuming and tedious.
Having a GPO or script to set them would likely be very useful.
IF there were a script, I'd still prefer to deploy via GPO because of Windows updates making changes otherwise.
To be specific, using DCOMCNFG, we need to open My Computer properties and
1) set DOM Security / Access Permissions /Edit Limits by adding adding missing Permissions for Group or User Names and adding names and permissions if missing and
2) to do the same for DOM Security / Launch and Activation Permissions /Edit Limits
And going down the tree hierarchy to Console Root \ Computers \ My Computer \ DCOM Config \ Windows Management and Instrumentation \ Properties \ Security \ Launch and Activation Permissions: adding missing Permissions for Group or User Names and adding names and permissions if missing.
In my research toward doing this, I've not found anything that's very satisfying.
I'm happy to read and to develop but a better starting point would sure help!
Any suggestions would be appreciated.
It's not too tough to make the settings manually but it's still time-consuming and tedious.
Having a GPO or script to set them would likely be very useful.
IF there were a script, I'd still prefer to deploy via GPO because of Windows updates making changes otherwise.
To be specific, using DCOMCNFG, we need to open My Computer properties and
1) set DOM Security / Access Permissions /Edit Limits by adding adding missing Permissions for Group or User Names and adding names and permissions if missing and
2) to do the same for DOM Security / Launch and Activation Permissions /Edit Limits
And going down the tree hierarchy to Console Root \ Computers \ My Computer \ DCOM Config \ Windows Management and Instrumentation \ Properties \ Security \ Launch and Activation Permissions: adding missing Permissions for Group or User Names and adding names and permissions if missing.
In my research toward doing this, I've not found anything that's very satisfying.
I'm happy to read and to develop but a better starting point would sure help!
Any suggestions would be appreciated.
I haven't yet had the need to do this but a quick Google search found
this gem from the Microsoft Script Repository.
If you are not familiar with Powershell, I can take an in-depth look and write a script, with comments, for you.
this gem from the Microsoft Script Repository.
If you are not familiar with Powershell, I can take an in-depth look and write a script, with comments, for you.
Darrell: Yes, I'd seen that. And, I'm usually able to wade into Powershell things but this one is a bit cryptic for me.
The key question I have for now is this:
Let's say I want to Grant-DCOMPermission to "joe" and give:
Access Permissions Limits: [All of them]
Launch and Activation Limits:[All of them]
Security \ Launch and Activation Permissions:[All of them]
Where does one get the AppIDs for this to use with the module?
The key question I have for now is this:
Let's say I want to Grant-DCOMPermission to "joe" and give:
Access Permissions Limits: [All of them]
Launch and Activation Limits:[All of them]
Security \ Launch and Activation Permissions:[All of them]
Where does one get the AppIDs for this to use with the module?
$DCOM = Get-WmiObject Win32_DCOMApplication
$DCOM | Format-Table AppID, Caption -auto
Then you can do the following sort of construct:
I am unclear as to the reason any one account would require every permission and via script it would be a bit ugly in comparison to the GUI.
Since some of these rights conflict, I can only presume you mean you want the explicit allow permissions and not the explicit deny permissions.
You could simply use an array as follows:
Then use this new array variable and pass it into the Grant- or Revoke- functions as the -Permissions $permissions parameter.
Import-Module C:\Users\Fred\Scripts\Modules\DCOMPermissions.psm1
$DCOM = Get-WmiObject Win32_DCOMApplication
# get the Launch permissions for each existing DCOM app
ForEach ($app in $DCOM) { get-DcomPermission -AppID $app.AppID -type Launch }
# get the Access permissions for each existing DCOM app
ForEach ($app in $DCOM) { get-DcomPermission -AppID $app.AppID -type Access }
I am unclear as to the reason any one account would require every permission and via script it would be a bit ugly in comparison to the GUI.
Possible values:
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller
SeNetworkLogonRight Access this computer from the network
SeTcbPrivilege Act as part of the operating system
SeMachineAccountPrivilege Add workstations to domain
SeIncreaseQuotaPrivilege Adjust memory quotas for a process
SeInteractiveLogonRight Allow log on locally
SeRemoteInteractiveLogonRight Allow log on through Remote Desktop Services
SeBackupPrivilege Back up files and directories
SeChangeNotifyPrivilege Bypass traverse checking
SeSystemtimePrivilege Change the system time
SeTimeZonePrivilege Change the time zone
SeCreatePagefilePrivilege Create a pagefile
SeCreateTokenPrivilege Create a token object
SeCreateGlobalPrivilege Create global objects
SeCreatePermanentPrivilege Create permanent shared objects
SeCreateSymbolicLinkPrivilege Create symbolic links
SeDebugPrivilege Debug programs
SeDenyNetworkLogonRight Deny access this computer from the network
SeDenyBatchLogonRight Deny log on as a batch job
SeDenyServiceLogonRight Deny log on as a service
SeDenyInteractiveLogonRight Deny log on locally
SeDenyRemoteInteractiveLogonRight Deny log on through Remote Desktop Services
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation
SeRemoteShutdownPrivilege Force shutdown from a remote system
SeAuditPrivilege Generate security audits
SeImpersonatePrivilege Impersonate a client after authentication
SeIncreaseWorkingSetPrivilege Increase a process working set
SeIncreaseBasePriorityPrivilege Increase scheduling priority
SeLoadDriverPrivilege Load and unload device drivers
SeLockMemoryPrivilege Lock pages in memory
SeBatchLogonRight Log on as a batch job
SeServiceLogonRight Log on as a service
SeSecurityPrivilege Manage auditing and security log
SeRelabelPrivilege Modify an object label
SeSystemEnvironmentPrivilege Modify firmware environment values
SeManageVolumePrivilege Perform volume maintenance tasks
SeProfileSingleProcessPrivilege Profile single process
SeSystemProfilePrivilege Profile system performance
SeUnsolicitedInputPrivilege Read unsolicited input from a terminal device
SeUndockPrivilege Remove computer from docking station
SeAssignPrimaryTokenPrivilege Replace a process level token
SeRestorePrivilege Restore files and directories
SeShutdownPrivilege Shut down the system
SeSyncAgentPrivilege Synchronize directory service data
SeTakeOwnershipPrivilege Take ownership of files or other objects
Since some of these rights conflict, I can only presume you mean you want the explicit allow permissions and not the explicit deny permissions.
You could simply use an array as follows:
$permissions = @(
# Possible values:
SeTrustedCredManAccessPrivilege # Access Credential Manager as a trusted caller
SeNetworkLogonRight # Access this computer from the network
SeTcbPrivilege # Act as part of the operating system
SeMachineAccountPrivilege # Add workstations to domain
SeIncreaseQuotaPrivilege # Adjust memory quotas for a process
SeInteractiveLogonRight # Allow log on locally
SeRemoteInteractiveLogonRight # Allow log on through Remote Desktop Services
SeBackupPrivilege # Back up files and directories
SeChangeNotifyPrivilege # Bypass traverse checking
SeSystemtimePrivilege # Change the system time
SeTimeZonePrivilege # Change the time zone
SeCreatePagefilePrivilege # Create a pagefile
SeCreateTokenPrivilege # Create a token object
SeCreateGlobalPrivilege # Create global objects
SeCreatePermanentPrivilege # Create permanent shared objects
SeCreateSymbolicLinkPrivilege # Create symbolic links
SeDebugPrivilege # Debug programs
# SeDenyNetworkLogonRight Deny access this computer from the network
# SeDenyBatchLogonRight Deny log on as a batch job
# SeDenyServiceLogonRight Deny log on as a service
# SeDenyInteractiveLogonRight Deny log on locally
# SeDenyRemoteInteractiveLogonRight Deny log on through Remote Desktop Services
SeEnableDelegationPrivilege # Enable computer and user accounts to be trusted for delegation
SeRemoteShutdownPrivilege # Force shutdown from a remote system
SeAuditPrivilege # Generate security audits
SeImpersonatePrivilege # Impersonate a client after authentication
SeIncreaseWorkingSetPrivilege # Increase a process working set
SeIncreaseBasePriorityPrivilege # Increase scheduling priority
SeLoadDriverPrivilege # Load and unload device drivers
SeLockMemoryPrivilege # Lock pages in memory
SeBatchLogonRight # Log on as a batch job
SeServiceLogonRight # Log on as a service
SeSecurityPrivilege # Manage auditing and security log
SeRelabelPrivilege # Modify an object label
SeSystemEnvironmentPrivilege # Modify firmware environment values
SeManageVolumePrivilege # Perform volume maintenance tasks
SeProfileSingleProcessPrivilege # Profile single process
SeSystemProfilePrivilege # Profile system performance
SeUnsolicitedInputPrivilege # Read unsolicited input from a terminal device
SeUndockPrivilege # Remove computer from docking station
SeAssignPrimaryTokenPrivilege # Replace a process level token
SeRestorePrivilege # Restore files and directories
SeShutdownPrivilege # Shut down the system
SeSyncAgentPrivilege # Synchronize directory service data
SeTakeOwnershipPrivilege # Take ownership of files or other objects
)
Then use this new array variable and pass it into the Grant- or Revoke- functions as the -Permissions $permissions parameter.
And if it is not evident, I tend to not use abbreviations or single-line commands when writing scripts for others.
It has been my experience scripts for others are far less maintainable when written using single-line commands and abbreviations. This method of writing also makes it more difficult for novices to understand and pick apart.
It has been my experience scripts for others are far less maintainable when written using single-line commands and abbreviations. This method of writing also makes it more difficult for novices to understand and pick apart.
By ALL, I meant:
For Access Permission / Limits
- Local Access
- Remote Access
For Launch and Activation Permission
- Local Launch
- Remote Launch
- Local Activation
- Remote Activation
But then are are also the App ID settings. If I understand that, there is only ONE "app": Windows Management and Instrumentation
For Access Permission / Limits
- Local Access
- Remote Access
For Launch and Activation Permission
- Local Launch
- Remote Launch
- Local Activation
- Remote Activation
But then are are also the App ID settings. If I understand that, there is only ONE "app": Windows Management and Instrumentation
Premium Content
You need an Expert Office subscription to comment.Start Free Trial