Monday, January 14, 2013

Delegating WMI security remotely with powershell

A while back, I was working on a script for checking domain controller security event logs which needed to be handed off to a team that was not part of the Domain Admins group.  While they had permissions to access the security event logs through user rights in GPO, trying to read the event log through an MMC remotely is ridiculously slow.  A good solution was to use WMI with a tight filter for event ID's and a brief time window for the specific event.  The problem was, none of this team had WMI access.  So to go about fixing a few hundred domain controllers, I started poking around at WMI permissions.  You can edit this through the MMC->Component Services console.  But doing this via RDP on such a large scale is not an option.  There are some script examples in VB, such as this one.  But, being a powershell guy, I wanted to use some existing code and wrap in the additional lines to update the security.  So, what I did was created the permissions that I wanted on one specific machine (similar to the above article), and use powershell to pull the security descriptor.  The example below is delegating the common root\CimV2 namespace which contains the event log event classes.


#Collect your security descriptor

$sd = gwmi -namespace "root\cimv2" -Class __SystemSecurity -ComputerName $FixedMachine
$sdhelper = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
$binarySD = @($null)
[void]$sd.PsBase.InvokeMethod("GetSD",$binarySD)

#At this point you can loop through a list of machines and push out the updated permissions.
$sdlocal = gwmi -Namespace "root\cimv2" -Class __SystemSecurity  -computername $remotemachine
$sdhelper2 = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
[Void]$sdlocal.psbase.invokemethod("SetSD",$binarySD)



For more details on the various types of permissions, you can reference this technet article.  For remote read-only, you can go with "remote enable", and "enable account".


2 comments:

  1. I know this post is very very old, but when I tried to run [Void]$sdlocal.psbase.invokemethod("SetSD",$binarySD) I got an error message that says: Exception calling "InvokeMethod" with "2" argument(s): "Unable to cast object of type 'System.Byte' to type
    'System.Array'." Just in case anybody is trying this in the future.

    ReplyDelete
  2. Thanks for sharing Adam. I will see if I can retry it to see if something has changed with newer OS's over the years. I have something similar running in one of my production scripts for 2012R2 servers, but its using "new-object System.Managment.ManagementClass Win32_securityDescriptHelper" and using that to convert a hardcoded SDDL string with .SDDLTOBinarySD($sddlstring). It then takes that value and puts it in a one element generic array, and uses the SetSD method with that. I don't remember the reason I wrote this one, but it looks like it would get around the error you see.

    ReplyDelete