2017-05-01 64 views
0

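DCOM machine-level access and launch permissions via PowerShell

Is it possible to set the machine-level "My Computer" access permissions and launch permissions from PowerShell? I am looking for the equivalent of:

```
DComPerm.exe -ma set name permit level:l,r
DComPerm.exe -ml set name permit level:l,r
```

I am looking for a solution using PowerShell 3.0. The target servers are Windows Server 2008 R2 and 2012.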

My Computer Properties

I have found some references for setting the security settings of DCOM applications, but I don't know how to set them at the machine or top level.

https://janbk.wordpress.com/2015/03/12/automating-dcom-acl-with-powershell/

Alternative to using DcomPerm.exe and SetAcl.exe in powershell

+0

As I suggested in the referenced answer, have you looked into the Win32_DCOMApplicationSetting class? –

+0

Check this link too: [link](http://www.powertheshell.com/reference/wmireference/root/cimv2/win32_dcomapplicationsetting/) –

+0

I am looking to set the permissions at the machine level. Win32_DCOMApplicationSettings appears to work only at the application level. – p0rkjello

Answers

0

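We have been using WMI to set launch permissions. See: https://rkeithhill.wordpress.com/2013/07/25/using-powershell-to-modify-dcom-launch-activation-settings/

This stopped working after the Windows security patches were rolled out (patch #: 4012212, 4012213, and 4012213).

We converted the WMI PowerShell script to use CIM, which takes care of setting the launch permissions on DCOM objects & works with the security patches. The code is below for reference: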

```powershell
# The functions are defined first: PowerShell runs a script top to bottom,
# so a function must exist before the line that calls it.

function New-DComAccessControlEntry {
    param(
        [Parameter(Mandatory=$true)][string] $Username,
        [string] $Domain
    )

    # Create the Win32_Trustee instance (uses the script-level $CimSession)
    $Trustee = New-Object ciminstance $CimSession.GetClass("root/cimv2", "Win32_Trustee")
    $Trustee.Name = $Username
    $Trustee.Domain = $Domain

    # Create the Win32_ACE instance
    $Ace = New-Object ciminstance $CimSession.GetClass("root/cimv2", "Win32_ACE")
    $Ace.AceType = [uint32] [System.Security.AccessControl.AceType]::AccessAllowed
    # 11 = Execute (1) + Local Launch (2) + Local Activation (8)
    $Ace.AccessMask = 11
    $Ace.AceFlags = [uint32] [System.Security.AccessControl.AceFlags]::None
    $Ace.Trustee = $Trustee

    $Ace
}

function Grant-DComAccessToUser {
    param(
        [Parameter(Mandatory=$true)][string] $ComponentName,
        [Parameter(Mandatory=$true)][string] $Username,
        [string] $Domain
    )

    # Application-level DCOM settings for the component
    $DCom = Get-CimInstance -Query "SELECT * from Win32_DCOMApplicationSetting WHERE Description LIKE '$ComponentName%'"

    # Read the current launch/activation security descriptor
    $GetDescriptor = Invoke-CimMethod -InputObject $DCom -MethodName "GetLaunchSecurityDescriptor"

    # Look for an ACE that already names this user
    $ExistingDacl = $GetDescriptor.Descriptor.DACL | Where-Object {$_.Trustee.Name -eq $Username}

    if ($ExistingDacl)
    {
        # Same mask as above: Execute + Local Launch + Local Activation
        $ExistingDacl.AccessMask = 11
    }
    else
    {
        $NewAce = New-DComAccessControlEntry -Domain $Domain -Username $Username
        $GetDescriptor.Descriptor.DACL += $NewAce
    }

    # Write the modified descriptor back
    Invoke-CimMethod -InputObject $DCom -MethodName "SetLaunchSecurityDescriptor" -Arguments @{Descriptor=$GetDescriptor.Descriptor}
}

$ComponentName = "TestComponent" #--- change value as needed
$Username = "Username"           #--- change value as needed
$Domain = "Domain"               #--- change value as needed

# If you already have a CimSession that you used to get the security descriptor, you can leave this line out and use the existing one:
$CimSession = New-CimSession localhost

Grant-DComAccessToUser -ComponentName $ComponentName -Username $Username -Domain $Domain

# Cleanup
$CimSession | Remove-CimSession
```
+0

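Unless I am misunderstanding something, these scripts all use the "Win32_DCOMApplicationSetting" class. That class provides application-level settings/access. I am looking to set access at the "My Computer" or top level, as shown in the original screenshot. Thanks – p0rkjello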
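
The script in the answer writes `AccessMask = 11` without saying which COM rights that grants. The following added example (not part of the original posts) decodes a launch DACL into named rights and marks ACEs that allow remote launch or activation, so a descriptor can be reviewed before and after it is changed. The function names and the sample DACL are constructed for illustration; the bit values are the `COM_RIGHTS_*` constants from the Windows SDK.

```powershell
# COM_RIGHTS_* bit values as defined in the Windows SDK.
$ComRights = [ordered]@{
    Execute          = 1    # COM_RIGHTS_EXECUTE
    LocalLaunch      = 2    # COM_RIGHTS_EXECUTE_LOCAL
    RemoteLaunch     = 4    # COM_RIGHTS_EXECUTE_REMOTE
    LocalActivation  = 8    # COM_RIGHTS_ACTIVATE_LOCAL
    RemoteActivation = 16   # COM_RIGHTS_ACTIVATE_REMOTE
}

# Hypothetical helper: emit the name of every right whose bit is set in the mask.
function ConvertFrom-ComAccessMask {
    param([Parameter(Mandatory=$true)][uint32] $AccessMask)
    foreach ($Right in $ComRights.GetEnumerator()) {
        if ($AccessMask -band $Right.Value) { $Right.Key }
    }
}

# Hypothetical helper: one report row per ACE, flagging allow-ACEs with remote rights.
function Get-DComAclReport {
    param([Parameter(Mandatory=$true)][object[]] $Dacl)
    $RemoteBits = $ComRights.RemoteLaunch -bor $ComRights.RemoteActivation
    foreach ($Ace in $Dacl) {
        $IsAllow = ($Ace.AceType -eq 0)   # 0 = AccessAllowed, 1 = AccessDenied
        [pscustomobject]@{
            Trustee      = '{0}\{1}' -f $Ace.Trustee.Domain, $Ace.Trustee.Name
            Type         = $(if ($IsAllow) { 'Allow' } else { 'Deny' })
            AccessMask   = $Ace.AccessMask
            Rights       = (@(ConvertFrom-ComAccessMask -AccessMask $Ace.AccessMask) -join ', ')
            GrantsRemote = ($IsAllow -and [bool]($Ace.AccessMask -band $RemoteBits))
        }
    }
}

# Constructed sample shaped like Win32_ACE objects. On a live system, pass
# $GetDescriptor.Descriptor.DACL from GetLaunchSecurityDescriptor instead.
$SampleDacl = @(
    [pscustomobject]@{ AceType = 0; AccessMask = 11
                       Trustee = [pscustomobject]@{ Domain = 'Domain'; Name = 'Username' } }
    [pscustomobject]@{ AceType = 0; AccessMask = 31
                       Trustee = [pscustomobject]@{ Domain = 'BUILTIN'; Name = 'Administrators' } }
)

Get-DComAclReport -Dacl $SampleDacl | Format-Table -AutoSize
```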