2017-05-01 62 views

DCOM machine-level access and launch permissions via PowerShell

Is it possible to set the machine-level "My Computer" access and launch permissions from PowerShell?

DComPerm.exe -ma set name permit level:l,r 
DComPerm.exe -ml set name permit level:l,r 

I am looking for the equivalent of the above using PowerShell version 3.0. The target servers are Windows Server 2008 R2 and 2012.

[Screenshot: My Computer Properties]

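I have found some references for setting the security settings of DCOM applications. However, I cannot figure out how to set them at the machine or top level.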

https://janbk.wordpress.com/2015/03/12/automating-dcom-acl-with-powershell/

Alternative to using DcomPerm.exe and SetAcl.exe in powershell


As suggested in the answer I referenced, have you looked into the Win32_DCOMApplicationSetting class? –


Check this link too: [link](http://www.powertheshell.com/reference/wmireference/root/cimv2/win32_dcomapplicationsetting/) –


I am looking to set permissions at the machine level. Win32_DCOMApplicationSettings appears to be application-level only. – p0rkjello

Answer


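We had been using WMI to set launch permissions. See: https://rkeithhill.wordpress.com/2013/07/25/using-powershell-to-modify-dcom-launch-activation-settings/

This stopped working after the Windows security patches were rolled out (patch #: 4012212, 4012213, and 4012213).

We converted the WMI PowerShell script to use CIM, which takes care of setting launch permissions on DCOM objects & works with the security patches. The code is below for reference: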

$ComponentName = "TestComponent"  #--- change value as needed
$Username = "Username"            #--- change value as needed
$Domain = "Domain"                #--- change value as needed

# The functions are defined first: PowerShell runs a script top to bottom,
# so a function must exist before the line that calls it.

function Grant-DComAccessToUser {
    param(
        [Parameter(Mandatory=$true)][string] $ComponentName,
        [Parameter(Mandatory=$true)][string] $Username,
        [string] $Domain
    )

    # Look up the DCOM application by the start of its description
    $DCom = Get-CimInstance -Query "SELECT * from Win32_DCOMApplicationSetting WHERE Description LIKE '$ComponentName%'"

    # Read the application's current launch security descriptor
    $GetDescriptor = Invoke-CimMethod -InputObject $DCom -MethodName "GetLaunchSecurityDescriptor"

    $ExistingDacl = $GetDescriptor.Descriptor.DACL | Where {$_.Trustee.Name -eq $Username}

    if ($ExistingDacl)
    {
        # AccessMask 11 = Execute (1) + Local Launch (2) + Local Activation (8)
        $ExistingDacl.AccessMask = 11
    }
    else
    {
        $NewAce = New-DComAccessControlEntry -Domain $Domain -Username $Username
        $GetDescriptor.Descriptor.DACL += $NewAce
    }

    # Write the modified descriptor back to the application
    Invoke-CimMethod -InputObject $DCom -MethodName "SetLaunchSecurityDescriptor" -Arguments @{Descriptor=$GetDescriptor.Descriptor}
}

function New-DComAccessControlEntry {
    param(
        [Parameter(Mandatory=$true)][string] $Username,
        [string] $Domain
    )

    # Create the Win32_Trustee instance (uses the script-level $CimSession)
    $Trustee = New-Object ciminstance $CimSession.GetClass("root/cimv2", "Win32_Trustee")
    $Trustee.Name = $Username
    $Trustee.Domain = $Domain

    # Create the Win32_ACE instance
    $Ace = New-Object ciminstance $CimSession.GetClass("root/cimv2", "Win32_ACE")
    $Ace.AceType = [uint32] [System.Security.AccessControl.AceType]::AccessAllowed
    $Ace.AccessMask = 11
    $Ace.AceFlags = [uint32] [System.Security.AccessControl.AceFlags]::None
    $Ace.Trustee = $Trustee

    $Ace
}

# If you already have a CimSession that you used to get the security descriptor, you can leave this line out and use the existing one:
$CimSession = New-CimSession localhost

Grant-DComAccessToUser -ComponentName $ComponentName -Username $Username -Domain $Domain

# Cleanup
$CimSession | Remove-CimSession

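Unless I have misunderstood something, these scripts all use the "Win32_DCOMApplicationSetting" class. That class provides application-level settings/access. I am looking to set access permissions at "My Computer" or the top level, as shown in the original screenshot. Thanks – p0rkjello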
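
For the machine-level ("My Computer") ACLs the question asks about, a read-only audit shows what is currently granted before anything is changed. This is an added example, not code from the question or the answer; it assumes the machine-wide limits and defaults are the REG_BINARY values under HKLM:\SOFTWARE\Microsoft\Ole named in the script, and the function names are hypothetical.

```powershell
# Added example: read-only audit of the machine-wide DCOM ACLs.
# Assumption: the limits and defaults are stored as binary security
# descriptors in these values under HKLM:\SOFTWARE\Microsoft\Ole.
$OleKey    = 'HKLM:\SOFTWARE\Microsoft\Ole'
$AclValues = 'MachineAccessRestriction', 'MachineLaunchRestriction',
             'DefaultAccessPermission',  'DefaultLaunchPermission'

# COM_RIGHTS_* bits; the answer's AccessMask 11 is 1 + 2 + 8.
$ComRights = [ordered]@{
    Execute = 1; ExecuteLocal = 2; ExecuteRemote = 4
    ActivateLocal = 8; ActivateRemote = 16
}

# Hypothetical helper: turn an access mask into the names of its set bits.
function ConvertFrom-ComAccessMask {
    param([int] $Mask)
    $names = foreach ($name in $ComRights.Keys) {
        if ($Mask -band $ComRights[$name]) { $name }
    }
    $names -join ', '
}

# Hypothetical helper: decode each ACL into one object per ACE.
function Get-DComMachineAcl {
    param([string[]] $Name = $AclValues)
    foreach ($value in $Name) {
        $bytes = (Get-ItemProperty -Path $OleKey -Name $value -ErrorAction SilentlyContinue).$value
        if (-not $bytes) { Write-Warning "$value is not present in the registry"; continue }

        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
        foreach ($ace in $sd.DiscretionaryAcl) {
            # Fall back to the raw SID when it cannot be resolved to a name
            try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $ace.SecurityIdentifier.Value }

            [pscustomobject]@{
                Setting = $value
                Trustee = $who
                AceType = $ace.AceType
                Rights  = ConvertFrom-ComAccessMask $ace.AccessMask
                Remote  = [bool]($ace.AccessMask -band 20)   # bits 4 and 16
            }
        }
    }
}

Get-DComMachineAcl | Format-Table -AutoSize
```

Rows with Remote set to True on an unexpected trustee are the ones worth reviewing, since those ACEs allow launch, activation or access from another machine.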