Setting WMI root security

bvanhecke
Posts: 2
Joined: Thu Jun 14, 2012 11:44 pm

Setting WMI root security

Post by bvanhecke »

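' Hey scripting guys, I need some expertise here. I'm trying to set some WMI security through
' vbscript and have created a script which does the job just fine. However this only works on my
' Windows 2008 servers, but not on Windows 2003. The problem is probably related to the
' GetSecurityDescriptor method which is apparently not supported on Windows 2003. I already figured
' out that I need to use the .GetSD, but so far I have not been able to make this work on
' Windows 2003. If anyone can make this script work, this would be great as I'm a bit stuck here.
' Below you can find the working script for Windows 2008 :

' Purpose: append one Allow ACE (EnableAccount + RemoteEnable, inherited by child namespaces)
' for the local account strUserName to the security descriptor of the root\CIMV2 namespace.
'
' NOTE(review): the thread title says "root", but the namespace bound below is root\CIMV2.
' The ACE therefore covers root\CIMV2 (and, through ContainerInherit, the namespaces beneath
' it); other namespaces under root keep their existing descriptors.
'
' NOTE(review): GetSecurityDescriptor/SetSecurityDescriptor exchange a Win32_SecurityDescriptor
' object. Per the post they are not available on Windows 2003; GetSD/SetSD exchange the
' descriptor as a binary byte array instead, so NewACE/AddACE cannot be reused there as-is.

' Left disabled on purpose: with it enabled, a failed read or write of the security
' descriptor would pass silently.
'on error resume next

' --------------------------------------------Declarations--------------------------------------------
Dim strComputer, strUserName, strUserPass, strUserFullName
Dim strDcomPerms, strPath, strFolder, strSNMP, strLEGAL
Dim objShell, objNetwork, objUser, objGroup, objComputer, objFSO, objFile
Dim objControlFlags, objControlFlagsByName
Dim objAccessRights, objAccessRightsByName
Dim objAceFlags, objAceFlagsByName
Dim objAceTypes, objAceTypesByName
Dim objWMI, objSecuritySettings, objSD, objACE
Dim objNewDict, strKey, objTrustee, arrDACL
Dim intRC
' ------------------------------------------End Declarations------------------------------------------

' -------------------------------------------Set Variables--------------------------------------------
' Set the current computer name
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
' Account that receives the ACE; NewACE is called with strComputer as its domain,
' i.e. it is treated as a local account of this machine.
strUserName = "testuser"
' -----------------------------------------End Set Variables------------------------------------------

' -------------------------------------------Set Constants--------------------------------------------
' Get/SetSecurityDescriptor Return Codes
Const SUCCESS = 0
Const ACCESS_DENIED = 2
Const UNKNOWN_FAILURE = 8
Const PRIVILEGE_MISSING = 9
Const INVALID_PARAMETER = 21
' -----------------------------------------End Set Constants------------------------------------------

' --------------------------------------------WMI Config-----------------------------------------------
' Control Flags
Set objControlFlags = CreateObject("Scripting.Dictionary")
objControlFlags.Add 32768, "SelfRelative"
objControlFlags.Add 16384, "RMControlValid"
objControlFlags.Add 8192, "SystemAclProtected"
objControlFlags.Add 4096, "DiscretionaryAclProtected"
objControlFlags.Add 2048, "SystemAclAutoInherited"
objControlFlags.Add 1024, "DiscretionaryAclAutoInherited"
objControlFlags.Add 512, "SystemAclAutoInheritRequired"
objControlFlags.Add 256, "DiscretionaryAclAutoInheritRequired"
objControlFlags.Add 32, "SystemAclDefaulted"
objControlFlags.Add 16, "SystemAclPresent"
objControlFlags.Add 8, "DiscretionaryAclDefaulted"
objControlFlags.Add 4, "DiscretionaryAclPresent"
objControlFlags.Add 2, "GroupDefaulted"
objControlFlags.Add 1, "OwnerDefaulted"
Set objControlFlagsByName = ValuesToKeys(objControlFlags)

' WMI ACE Access Right
Set objAccessRights = CreateObject("Scripting.Dictionary")
objAccessRights.Add 262144, "WriteSecurity"
objAccessRights.Add 131072, "ReadSecurity"
objAccessRights.Add 32, "RemoteEnable"
objAccessRights.Add 16, "ProviderWrite"
objAccessRights.Add 8, "PartialWrite"
objAccessRights.Add 4, "FullWrite"
objAccessRights.Add 2, "ExecuteMethods"
objAccessRights.Add 1, "EnableAccount"
Set objAccessRightsByName = ValuesToKeys(objAccessRights)

' ACE Flags
Set objAceFlags = CreateObject("Scripting.Dictionary")
objAceFlags.Add 128, "FailedAccess"
objAceFlags.Add 64, "SuccessfulAccess"
objAceFlags.Add 16, "Inherited"
objAceFlags.Add 8, "InheritOnly"
objAceFlags.Add 4, "NoPropagateInherit"
objAceFlags.Add 2, "ContainerInherit"
objAceFlags.Add 1, "ObjectInherit"
Set objAceFlagsByName = ValuesToKeys(objAceFlags)

' ACE Types
Set objAceTypes = CreateObject("Scripting.Dictionary")
objAceTypes.Add 0, "Allow"
objAceTypes.Add 1, "Deny"
Set objAceTypesByName = ValuesToKeys(objAceTypes)

' Set WMI security
' The moniker needs its backslashes ("\\host\root\CIMV2"); they were missing from the
' posted text, which would make the GetObject call fail.
Set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
Set objSecuritySettings = objWMI.Get("__SystemSecurity=@")

' Read the current descriptor and stop if that fails, so that a half-read descriptor
' is never written back.
intRC = objSecuritySettings.GetSecurityDescriptor(objSD)
If intRC <> SUCCESS Then
    WScript.Echo "GetSecurityDescriptor failed: " & DescribeReturnCode(intRC)
    WScript.Quit intRC
End If

' Grant only what the account needs: EnableAccount + RemoteEnable, inherited by child namespaces.
Set objACE = NewACE(strUserName, strComputer, Array("EnableAccount", "RemoteEnable"), True, "Allow")
Set objSD = AddACE(objSD, objACE)

' Write the descriptor back and report the outcome instead of discarding the return code.
intRC = objSecuritySettings.SetSecurityDescriptor(objSD)
If intRC <> SUCCESS Then
    WScript.Echo "SetSecurityDescriptor failed: " & DescribeReturnCode(intRC)
    WScript.Quit intRC
End If
' ------------------------------------------End WMI Config---------------------------------------------

' --------------------------------------------Functions------------------------------------------------
' ======================================================================
' Create a dictionary containing values of the passed dictionary as keys.
' Lookups in the returned dictionary are case-insensitive (vbTextCompare); when a value
' occurs more than once, the first key seen for it wins.
Function ValuesToKeys(objDict)
    Set objNewDict = CreateObject("Scripting.Dictionary")
    objNewDict.CompareMode = vbTextCompare
    For Each strKey In objDict
        If Not objNewDict.Exists(objDict(strKey)) Then
            objNewDict.Add objDict(strKey), strKey
        End If
    Next
    Set ValuesToKeys = objNewDict
End Function
' ======================================================================

' ======================================================================
' Translate a Get/SetSecurityDescriptor return code into the name of the matching constant.
Function DescribeReturnCode(intCode)
    Select Case intCode
        Case SUCCESS
            DescribeReturnCode = "SUCCESS (" & intCode & ")"
        Case ACCESS_DENIED
            DescribeReturnCode = "ACCESS_DENIED (" & intCode & ")"
        Case UNKNOWN_FAILURE
            DescribeReturnCode = "UNKNOWN_FAILURE (" & intCode & ")"
        Case PRIVILEGE_MISSING
            DescribeReturnCode = "PRIVILEGE_MISSING (" & intCode & ")"
        Case INVALID_PARAMETER
            DescribeReturnCode = "INVALID_PARAMETER (" & intCode & ")"
        Case Else
            DescribeReturnCode = "return code " & intCode
    End Select
End Function
' ======================================================================

' ======================================================================
' Build a Win32_ACE for the given trustee.
'   strTrusteeName / strTrusteeDomain : account name and its domain (or computer name)
'   arrAccessRights : array of right names, keys of objAccessRightsByName
'   booInherit      : True sets the ContainerInherit flag on the ACE
'   strAceType      : "Allow" or "Deny", a key of objAceTypesByName
' Raises an error on an unknown right or ACE type. A Scripting.Dictionary returns Empty
' for a missing key, and Empty coerces to 0, so without the checks a misspelled "Deny"
' would silently produce an Allow ACE and a misspelled right would silently be dropped.
Function NewACE(strTrusteeName, strTrusteeDomain, arrAccessRights, booInherit, strAceType)
    Dim objACE, strAccessRight

    If Not objAceTypesByName.Exists(strAceType) Then
        Err.Raise vbObjectError + 1, "NewACE", "Unknown ACE type: " & strAceType
    End If

    Set objTrustee = GetObject("winmgmts:Win32_Trustee").SpawnInstance_
    objTrustee.Name = strTrusteeName
    objTrustee.Domain = strTrusteeDomain

    Set objACE = GetObject("winmgmts:Win32_ACE").SpawnInstance_
    objACE.AccessMask = 0
    For Each strAccessRight In arrAccessRights
        If Not objAccessRightsByName.Exists(strAccessRight) Then
            Err.Raise vbObjectError + 2, "NewACE", "Unknown access right: " & strAccessRight
        End If
        ' Or, not +: a right listed twice must not carry into a different bit.
        objACE.AccessMask = objACE.AccessMask Or objAccessRightsByName(strAccessRight)
    Next

    If booInherit = True Then
        objACE.AceFlags = objAceFlagsByName("ContainerInherit")
    End If
    objACE.AceType = objAceTypesByName(strAceType)
    objACE.Trustee = objTrustee
    Set NewACE = objACE
End Function
' ======================================================================

' ======================================================================
' Append objACE to the DACL of objSD and return the descriptor.
' NOTE(review): the ACE is appended unconditionally, so running the script again adds
' another copy; it is also placed last, which for a Deny ACE would not be the
' conventional deny-before-allow order.
Function AddACE(objSD, objACE)
    arrDACL = objSD.DACL
    ReDim Preserve arrDACL(UBound(arrDACL) + 1)
    Set arrDACL(UBound(arrDACL)) = objACE
    objSD.DACL = arrDACL
    Set AddACE = objSD
End Function
' ======================================================================
' ------------------------------------------End Functions----------------------------------------------

' ----------------------------------------------Cleanup------------------------------------------------
Set objShell = Nothing
Set objUser = Nothing
Set objGroup = Nothing
Set objNetwork = Nothing
Set objComputer = Nothing
Set objFSO = Nothing
Set objFile = Nothing
Set objControlFlags = Nothing
Set objControlFlagsByName = Nothing
Set objAccessRights = Nothing
Set objAccessRightsByName = Nothing
Set objAceFlags = Nothing
Set objAceFlagsByName = Nothing
Set objAceTypes = Nothing
Set objAceTypesByName = Nothing
Set objWMI = Nothing
Set objSecuritySettings = Nothing
Set objSD = Nothing
Set objACE = Nothing
Set objNewDict = Nothing
Set strKey = Nothing
Set objTrustee = Nothing
Set arrDACL = Nothing
' --------------------------------------------End Cleanup----------------------------------------------

' Thanks for helping me out here! cheers, Bart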

bvanhecke
Posts: 2
Joined: Thu Jun 14, 2012 11:44 pm

Setting WMI root security

Post by bvanhecke »

Thanks! Not directly the answer I was hoping for :-), but I'll have a look at the PowerShell example to help me out here. Cheers! Bart
