Spat's WebLog (Steve Patrick)

When things go wrong...

Set WMI namespace security via GPO (script)


This was an example of setting WMI security via a script  - the specific question was: “Is there a way I can change the permissions on WMI (need to grant remote enable access) so I can grant a service account read access to certain machines via Group Policy?”

 

This came up on the activedir mailing list.

 

The short answer is: no, you can't do this via a standard policy setting. You can, however, do it via an admin logon script or a machine startup script.

 

The technical goo lies within the SetSD method of the __SystemSecurity class. It takes one parameter – which is the byte array that makes up the security descriptor.

 

Now – without going to too much trouble the byte array would be hard to get at via a simple VBScript. So we can take a little shortcut here.

 

We know the service account – let’s say the account name is “Matt” and the permissions will be the same on all machines. So let’s preset this security descriptor on one machine.

 

Open the compmgmt.msc snap-in and go to the Services \ WMI section. For this example I will be setting security on the \Root\MSAPPS12 namespace.

 

[Screenshot sd1: the WMI Control security dialog for the namespace]

 

Add your security principal and give it the proper permissions (for whatever you are trying to do).

 

[Screenshot sd2: the permissions granted to the principal]

 

Once you have done this you can close the snapin.

 

Now you need to retrieve the security descriptor in the proper format.

 

You can use the following command to get this:

 

C:\>wmic /namespace:\\root\msapps12  /output:sd.txt path __systemsecurity call getSD


Now if we open c:\sd.txt, here are the contents:

 

Executing (__systemsecurity)->getSD()

Method execution successful.

Out Parameters:

instance of __PARAMETERS

{

            ReturnValue = 0;

            SD = {1, 0, 4, 128, 148, 0, 0, 0, 164, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 128, 0, 4, 0, 0, 0, 0, 18, 24, 0, 63, 0, 6, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 18, 20, 0, 19, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 18, 20, 0, 19, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 0, 18, 20, 0, 19, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};

};


The byte array we see is what we need. Copy it, paste it into Notepad, remove all the spaces, and then insert it into the following script.


' Paste the byte array from sd.txt (spaces removed) between the parentheses
strSD = Array(** insert data here ***)

' Connect to the namespace whose security we are replicating (local machine)
Set namespace = CreateObject("WbemScripting.SWbemLocator").ConnectServer(, "root\MSAPPS12")

' __SystemSecurity is a singleton; "=@" selects its only instance
Set security = namespace.Get("__SystemSecurity=@")

' SetSD replaces the whole descriptor (owner, group and every ACE); 0 means success
nStatus = security.SetSD(strSD)


Now, if we run this script as an administrator, it applies the same DACL to the namespace on whatever machine it runs on.

 

Here is a video of the whole thing in action.

No audio and it's not the best quality; I didn't have time to do anything special to it.

 

The one part which could use some narration is the array from sd.txt:

You copy it, then pop it into a clean instance of Notepad and do a Ctrl+H (Replace). In the top line enter a single space and leave the second line empty, then Replace All. That strips every space from the array, and you can then place it in the script.
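Before pushing that array to every machine with a startup script it is worth reading what it actually says, because SetSD replaces the whole descriptor on the target rather than adding one entry to it. The decoder below is an added example and is not part of the original post: it walks the self-relative SECURITY_DESCRIPTOR layout (header, ACL header, ACEs, SIDs) that GetSD returns, names the WMI rights bits as the WMI Control dialog shows them, and strips the spaces the way the Notepad step does. The sample input is the array from sd.txt above, reassembled field by field so the layout is visible; the right-bit values and well-known SID names are the standard Windows constants.

```python
import struct

# Access-mask bits used by WMI namespace security (values from wbemcli.h / winnt.h),
# with the label each bit carries in the WMI Control security dialog.
WBEM_RIGHTS = {
    0x00001: "WBEM_ENABLE",             # Enable Account
    0x00002: "WBEM_METHOD_EXECUTE",     # Execute Methods
    0x00004: "WBEM_FULL_WRITE_REP",     # Full Write
    0x00008: "WBEM_PARTIAL_WRITE_REP",  # Partial Write
    0x00010: "WBEM_WRITE_PROVIDER",     # Provider Write
    0x00020: "WBEM_REMOTE_ACCESS",      # Remote Enable
    0x00040: "WBEM_RIGHT_SUBSCRIBE",
    0x00080: "WBEM_RIGHT_PUBLISH",
    0x20000: "READ_CONTROL",            # Read Security
    0x40000: "WRITE_DAC",               # Edit Security
}
ACE_FLAGS = {0x01: "OI", 0x02: "CI", 0x04: "NP", 0x08: "IO", 0x10: "ID"}
SD_CONTROL = {0x0004: "DACL_PRESENT", 0x0010: "SACL_PRESENT", 0x8000: "SELF_RELATIVE"}
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

# The descriptor from the post's sd.txt, split into its fields (same bytes, same order).
PAGE_SD = bytes([
    1, 0, 4, 128, 148, 0, 0, 0, 164, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0,      # SD header
    2, 0, 128, 0, 4, 0, 0, 0,                                               # ACL header
    0, 18, 24, 0, 63, 0, 6, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0,  # ACE 1
    0, 18, 20, 0, 19, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0,          # ACE 2
    0, 18, 20, 0, 19, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0,         # ACE 3
    0, 18, 20, 0, 19, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0,         # ACE 4
] + [0] * 36 + [                                                            # unused ACL space
    1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0,                       # owner SID
    1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0,                       # group SID
])


def parse_sid(buf, off):
    """Decode a binary SID at buf[off] into S-R-A-S1-S2... form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 6-byte big-endian field
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)    # sub-authorities are LE
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs))


def parse_acl(buf, off):
    """Decode an ACL at buf[off] into a list of ACE dicts (allow/deny ACEs only)."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        if ace_type not in (0, 1):   # object/audit/callback ACEs use a different layout
            raise ValueError("unsupported ACE type %d at offset %d" % (ace_type, pos))
        mask, = struct.unpack_from("<I", buf, pos + 4)
        sid = parse_sid(buf, pos + 8)
        aces.append({
            "type": "ALLOW" if ace_type == 0 else "DENY",
            "flags": [name for bit, name in ACE_FLAGS.items() if flags & bit],
            "sid": sid,
            "account": WELL_KNOWN_SIDS.get(sid, sid),
            "mask": mask,
            "rights": [name for bit, name in WBEM_RIGHTS.items() if mask & bit],
        })
        pos += ace_size          # AceSize, not the SID length, carries us to the next ACE
    return aces


def parse_sd(sd):
    """Decode a self-relative security descriptor as returned by __SystemSecurity.GetSD."""
    rev, _sbz, control, owner_off, group_off, _sacl_off, dacl_off = \
        struct.unpack_from("<BBHIIII", sd, 0)
    if not control & 0x8000:
        raise ValueError("only self-relative descriptors are supported")
    return {
        "revision": rev,
        "control": [name for bit, name in SD_CONTROL.items() if control & bit],
        "owner": parse_sid(sd, owner_off) if owner_off else None,
        "group": parse_sid(sd, group_off) if group_off else None,
        "dacl": parse_acl(sd, dacl_off) if (control & 0x0004 and dacl_off) else None,
    }


def accounts_with_right(sd, right):
    """Accounts holding `right` through an ALLOW ACE, e.g. 'WBEM_REMOTE_ACCESS'."""
    return [ace["account"] for ace in (parse_sd(sd)["dacl"] or [])
            if ace["type"] == "ALLOW" and right in ace["rights"]]


def to_script_array(sd):
    """The comma-separated, space-free form the VBScript Array(...) call wants."""
    return ",".join(str(b) for b in sd)


if __name__ == "__main__":
    info = parse_sd(PAGE_SD)
    print("control:", info["control"], "owner:", info["owner"], "group:", info["group"])
    for ace in info["dacl"]:
        print("%-5s %-30s %-5s %s" % (ace["type"], ace["account"],
                                      "".join(ace["flags"]), "|".join(ace["rights"])))
    print("Remote Enable granted to:", accounts_with_right(PAGE_SD, "WBEM_REMOTE_ACCESS"))
    print("Array(" + to_script_array(PAGE_SD) + ")")
```

Run against the array from the post, the decoder shows four ALLOW entries (Administrators with every right including Remote Enable, then Everyone, NETWORK SERVICE and LOCAL SERVICE with Enable Account, Execute Methods and Provider Write), all flagged CI and ID, i.e. inherited from the parent namespace. Paste the array captured on the reference machine into PAGE_SD and check that the service account's SID appears with exactly the rights you intended before the script goes into the GPO.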


Have fun..

 

spatdsg

  • Great info. Setting namespace security is not trivial and this is an excellent approach. Thanks!

  • Wow, this was EXACTLY what I was looking for... I thought I was dreaming when I came across this page.  Works perfectly for GPO and lets me deploy SNMP/WMI monitoring with Zenoss across all servers with little interference.  THANK YOU! :-D!

  • Thanks!  I needed to complete this for 100+ devices throughout my domain, so I utilized Group Policy to push the finalized script... what a time saver!!!!!

    :)

  • This script + the Dcomperm.exe (C++ source code) helps me to reach my objective of allowing a non-privileged domain user to execute remote WMI scripts on 8000+ PCs at the hospital.

    Thank you.

  • I think you just made my day! :) Thank you very much.

  • Amazing.

    Works perfectly.

    You're my hero of the day :)

    Thanks a lot.

  • Top stuff.  Exactly what we were looking for.

    Thanks :)

  • This is one of those pages that will be a lifesaver for years to come.

    thank you very much

  • For Windows Server 2003 (and 2003 R2) the namespace may be \\root\MSAPPS11 instead of 12.

    Awesome guide by the way.  Real life saver.

  • Thank you sooo much, you just made my day!!!!!

    Without this I would have to do the WMI security config on 100 servers ;-P

  • Many thanks, this is so easy and simple.

    Saved me a lot of work doing this manually.

  • Thanks a lot

  • So if, let's say, Matt & Chris are the account names on the one machine where we derive the bits from, if I run the cscript with those bits on the other machine, will it add both Matt and Chris to the security of cimv2?

  • is there a way to do this in batch script?
