Set WMI namespace security via GPO (script)

This is an example of setting WMI namespace security via a script. The specific question, which came up on the activedir mailing list, was: “Is there a way I can change the permissions on WMI (need to grant remote enable access) so I can grant a service account read access to certain machines via Group Policy?”

The short answer is no, you can't do this via a standard policy setting. You can, however, do it via an admin logon script or a machine startup script.

The technical goo lies within the SetSD method of the __SystemSecurity class. It takes one parameter: the byte array that makes up the security descriptor.

Now, without going to too much trouble, that byte array would be hard to build from a simple VBScript, so we can take a little shortcut here.

We know the service account – let’s say the account name is “Matt” and the permissions will be the same on all machines. So let’s preset this security descriptor on one machine.

Open the compmgmt.msc snap-in and go to the Services and Applications \ WMI Control section. For this example I will be setting security on the \Root\MSAPPS12 namespace.

Add your security principal and give him the proper permissions (for whatever you are trying to do).

Once you have done this you can close the snap-in.

Now you need to retrieve the security descriptor in the proper format. You can use the following command to get it:

C:\>wmic /namespace:\\root\msapps12 /output:sd.txt path __systemsecurity call getSD

Now if we open C:\sd.txt, here are the contents:

Executing (__systemsecurity)->getSD()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
            ReturnValue = 0;
            SD = {1, 0, 4, 128, 148, 0, 0, 0, 164, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 128, 0, 4, 0, 0, 0, 0, 18, 24, 0, 63, 0, 6, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 18, 20, 0, 19, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 18, 20, 0, 19, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 0, 18, 20, 0, 19, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};
};

The byte array we see is what we need.

Copy it, paste it into Notepad, remove all the spaces, and then insert it into the following script:

' Paste the byte array from sd.txt here, e.g. array(1,0,4,128, ...)
strSD = array( ** insert data here *** )

' Connect to the target namespace; the omitted first argument means the local machine
set namespace = createobject("wbemscripting.swbemlocator").connectserver(,"root\MSAPPS12")

' Get the singleton __SystemSecurity instance for this namespace
set security = namespace.get("__systemsecurity=@")

' Replace the namespace security descriptor with ours; SetSD returns 0 on success
nStatus = security.setsd(strSD)

Now, if we run this script as admin, it will replicate the same DACL on the namespace of every machine it runs on.
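Because SetSD replaces the entire descriptor on the namespace, it is worth decoding the array before a startup script pushes it everywhere. The following Python is an added example, not part of the original post: it parses the self-relative security descriptor returned above (the byte array from sd.txt, reproduced with its 36 padding zeros written as [0] * 36) into owner, group and DACL entries, naming the rights the way the WMI Control snap-in does.

```python
import struct

# The byte array from sd.txt above; the 36 zero bytes of ACL padding are written as [0] * 36.
SD_BYTES = bytes(
    [1, 0, 4, 128, 148, 0, 0, 0, 164, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0,   # SD header
     2, 0, 128, 0, 4, 0, 0, 0,                                            # ACL header: 4 ACEs
     0, 18, 24, 0, 63, 0, 6, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0,
     0, 18, 20, 0, 19, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0,
     0, 18, 20, 0, 19, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0,
     0, 18, 20, 0, 19, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0]
    + [0] * 36                                                            # ACL padding
    + [1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0]                 # owner SID
    + [1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0])                # group SID

# WMI namespace rights (the WBEM_* bits) plus the two standard rights the WMI Control UI shows.
WMI_RIGHTS = {0x1: "Enable Account", 0x2: "Execute Methods", 0x4: "Full Write",
              0x8: "Partial Write", 0x10: "Provider Write", 0x20: "Remote Enable",
              0x40: "Subscribe", 0x80: "Publish", 0x20000: "Read Security", 0x40000: "Edit Security"}

def parse_sid(buf, off):
    """Return the S-R-I-S-... string for the binary SID at buf[off:]."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 6-byte big-endian field
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(map(str, subs)))

def parse_header(sd):
    rev, _, control, owner, group, _sacl, dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x8000:
        raise ValueError("expected a self-relative, revision 1 security descriptor")
    return control, owner, group, dacl

def owner_group(sd):
    return tuple(parse_sid(sd, off) for off in parse_header(sd)[1:3])

def parse_dacl(sd):
    """Return the DACL as a list of (ace_type, ace_flags, access_mask, sid) tuples."""
    control, _, _, dacl = parse_header(sd)
    if not control & 0x0004 or dacl == 0:
        return []   # no DACL present: the descriptor restricts nothing
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl)
    aces, off = [], dacl + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        aces.append((ace_type, ace_flags, mask, parse_sid(sd, off + 8)))
        off += ace_size   # ACEs are variable length, so always advance by AceSize
    return aces

def rights(mask):
    return [name for bit, name in sorted(WMI_RIGHTS.items()) if mask & bit]
```

On the array shown above, parse_dacl yields four Allow ACEs: S-1-5-32-544 (BUILTIN\Administrators) with every right including Remote Enable, and S-1-1-0, S-1-5-20 and S-1-5-19 (Everyone, NETWORK SERVICE, LOCAL SERVICE) with only Enable Account, Execute Methods and Provider Write. A service account that is meant to get Remote Enable should show up as its own ACE with that bit set before the array goes into the script.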

Here is a video of the whole thing in action.

There is no audio and it's not the best quality; I didn't have time to do anything special to it.

 

The one part which could use some narration is the array from sd.txt:

You copy it and paste it into a clean instance of Notepad, press Ctrl+H (Replace), enter a space in the top line and leave the second line empty, then Replace All. That strips all the spaces, and you can then place the array in the script.

Have fun.

spatdsg