8

I have been given the task of writing Powershell scripts to set up a server from scratch to run one of our services as part of a web application, and one of the steps required for setting this server up is changing the DCOM config for the installed service, specifically adding accounts to the "Launch and Activation"/"Access" Permissions and also set the permissions for these accounts once they have been added.

Is there a method of doing this using Powershell at all? I haven't been able to find a concrete method of doing what I'm aiming to achieve so any help would be great

Kiquenet
Vermin

2 Answers

16

Looks like you would do it using WMI.

Get an instance of: Win32_DCOMApplicationSetting like this:

$dcom = Get-WMIObject -Class Win32_DCOMApplicationSetting -Filter 'Description="Something"'

Now you have access to the SetAccessSecurityDescriptor and SetLaunchSecurityDescriptor methods.

From: http://msdn.microsoft.com/en-us/library/windows/desktop/aa384905(v=vs.85).aspx

DCOM applications

DCOM application instances have several security descriptors. Starting with Windows Vista, use methods of the Win32_DCOMApplicationSetting class to get or change the various security descriptors. Security descriptors are returned as instances of the Win32_SecurityDescriptor class.

To get or change the configuration permissions, call the GetConfigurationSecurityDescriptor or SetConfigurationSecurityDescriptor methods.

To get or change the access permissions, call the GetAccessSecurityDescriptor or SetAccessSecurityDescriptor methods.

To get or change the startup and activation permissions, call the GetLaunchSecurityDescriptor or SetLaunchSecurityDescriptor methods.

Windows Server 2003, Windows XP, Windows 2000, Windows NT 4.0, and Windows Me/98/95: The Win32_DCOMApplicationSetting security descriptor methods are not available.

There's also a tool called DCOMPERM whose source code is available in the Windows SDK: http://www.microsoft.com/en-us/download/details.aspx?id=8279

You can find compiled versions around online if you search for DCOMPERM compiled.

Here are the command line options:

Syntax: dcomperm <option> [...] 
Options:

Modify or list the machine access permission list 
-ma <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r"] 
-ma list

Modify or list the machine launch permission list 
-ml <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r,ll,la,rl,ra"] 
-ml list

Modify or list the default access permission list 
-da <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r"] 
-da list

Modify or list the default launch permission list 
-dl <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r,ll,la,rl,ra"] 
-dl list

Modify or list the access permission list for a specific AppID 
-aa <AppID> <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r"] 
-aa <AppID> default 
-aa <AppID> list

Modify or list the launch permission list for a specific AppID 
-al <AppID> <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r,ll,la,rl,ra"] 
-al <AppID> default 
-al <AppID> list

level: 
    ll - local launch (only applies to {ml, dl, al} options) 
    rl - remote launch (only applies to {ml, dl, al} options) 
    la - local activate (only applies to {ml, dl, al} options) 
    ra - remote activate (only applies to {ml, dl, al} options) 
    l - local (local access - means launch and activate when used with {ml, dl, al} options) 
    r - remote (remote access - means launch and activate when used with {ml, dl, al} options)
Andy Arismendi
  • Thanks Andy, that's helped a lot! In the end I used a mixture of both methods. I used the Win32_DCOMApplicationSetting to get the app ids, and then used DComPerm to add the required permissions. Something I found a little odd was that CMD ran DcomPerm with a lot less issues than Powershell, so to achieve what I needed, I wrote a batch file where certain variables were passed in, and called this from Powershell. – Vermin Jul 11 '12 at 08:09
  • @Vermin my guess would be the issues you had with PowerShell are probably syntax/command line parsing related. Maybe post the error you got? – Andy Arismendi Jul 11 '12 at 08:31
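Before changing anything with either method it is worth being able to read the current Launch and Access lists back and decode the access masks, and the AppId that WMI returns is exactly what dcomperm's -al/-aa options take (the mix of the two methods that the comment above describes). The following is an added example, not code from the answer; it assumes Windows Vista or later, Windows PowerShell with Get-WmiObject, an elevated session, and a placeholder description string. The mapping of COM_RIGHTS_* bits to dcomperm's level names in the comments is my reading of the SDK headers and the usage text above.

```powershell
# Added example: enumerate a DCOM application's launch and access DACLs via
# Win32_DCOMApplicationSetting and decode the COM_RIGHTS_* bits of each ACE.
# Assumes Vista+, elevated Windows PowerShell; description below is a placeholder.

# COM_RIGHTS_* flag values as defined in the Windows SDK (winnt.h)
$ComRights = [ordered]@{
    EXECUTE         = 1    # must be set in every ACE
    EXECUTE_LOCAL   = 2    # local launch (dcomperm "ll") / local access (dcomperm "l" with -aa)
    EXECUTE_REMOTE  = 4    # remote launch (dcomperm "rl") / remote access (dcomperm "r" with -aa)
    ACTIVATE_LOCAL  = 8    # local activate (dcomperm "la"); launch descriptor only
    ACTIVATE_REMOTE = 16   # remote activate (dcomperm "ra"); launch descriptor only
}

function Get-DcomPermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Description
    )
    # Escape WQL string delimiters; -EnableAllPrivileges is required or the descriptor comes back null
    $filter = 'Description="{0}"' -f ($Description -replace '(["\\])', '\$1')
    $apps = @(Get-WmiObject -Class Win32_DCOMApplicationSetting -Filter $filter -EnableAllPrivileges)
    if ($apps.Count -eq 0) { throw "No DCOM application with Description '$Description'" }

    foreach ($app in $apps) {
        foreach ($type in 'Launch', 'Access') {
            $res = if ($type -eq 'Launch') { $app.GetLaunchSecurityDescriptor() } else { $app.GetAccessSecurityDescriptor() }
            if ($res.ReturnValue -ne 0) { throw "Get${type}SecurityDescriptor on $($app.AppId) returned $($res.ReturnValue)" }
            if ($null -eq $res.Descriptor) {
                Write-Warning "$($app.AppId): $type descriptor is null (default permissions in use, or session not elevated)"
                continue
            }
            foreach ($ace in @($res.Descriptor.DACL | Where-Object { $null -ne $_ })) {
                $names = $ComRights.GetEnumerator() |
                    Where-Object { ($ace.AccessMask -band $_.Value) -ne 0 } |
                    ForEach-Object { $_.Key }
                $aceTypeName = if ($ace.AceType -eq 0) { 'Allow' } elseif ($ace.AceType -eq 1) { 'Deny' } else { $ace.AceType }
                [pscustomobject]@{
                    AppId   = $app.AppId
                    Type    = $type
                    Trustee = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
                    Sid     = $ace.Trustee.SIDString
                    AceType = $aceTypeName
                    Mask    = $ace.AccessMask
                    Rights  = ($names -join '|')
                }
            }
        }
    }
}

# Usage: list the ACEs, then build the dcomperm command for the AppId WMI returned
# ('MYDOMAIN\svc_account' is a placeholder principal)
$perms = Get-DcomPermission -Description 'Microsoft SQL Server Integration Services 11.0'
$perms | Format-Table -AutoSize
$appId = ($perms | Select-Object -First 1).AppId
"dcomperm -al $appId set MYDOMAIN\svc_account permit level:ll,la"
```

Run it once before the change and once after, and diff the two outputs; an ACE whose Rights column shows only EXECUTE_LOCAL and ACTIVATE_LOCAL is what the question's "local launch and activation" grant should look like, and anything with EXECUTE_REMOTE or ACTIVATE_REMOTE that you did not intend is worth a second look.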
9

I had the same question as the OP. The answer Andy posted was very helpful and got me halfway. I then found the Set-DCOMLaunchPermissions function written by someone to help them deploy SharePoint.

I adapted their function for my purposes and came up with a solution that sets the permissions I need.

$user = "sql2012agent"
$domain = "MYDOMAIN"
$appdesc = "Microsoft SQL Server Integration Services 11.0"
# -EnableAllPrivileges is required; without it the descriptor returned below is null
$app = get-wmiobject -query ('SELECT * FROM Win32_DCOMApplicationSetting WHERE Description = "' + $appdesc + '"') -enableallprivileges
#$appid = "{83B33982-693D-4824-B42E-7196AE61BB05}"
#$app = get-wmiobject -query ('SELECT * FROM Win32_DCOMApplicationSetting WHERE AppId = "' + $appid + '"') -enableallprivileges
if (-not $app) { throw "No DCOM application found with Description '$appdesc'" }
$sdRes = $app.GetLaunchSecurityDescriptor()
$sd = $sdRes.Descriptor
# Trustee identified by domain and account name
$trustee = ([wmiclass] 'Win32_Trustee').CreateInstance()
$trustee.Domain = $domain
$trustee.Name = $user
# COM_RIGHTS_* bits: EXECUTE=1, EXECUTE_LOCAL=2, EXECUTE_REMOTE=4, ACTIVATE_LOCAL=8, ACTIVATE_REMOTE=16
$fullControl = 31          # 1|2|4|8|16: local and remote launch and activation
$localLaunchActivate = 11  # 1|2|8: local launch and local activation only
$ace = ([wmiclass] 'Win32_ACE').CreateInstance()
$ace.AccessMask = $localLaunchActivate
$ace.AceFlags = 0   # no inheritance flags
$ace.AceType = 0    # ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee = $trustee
# Append the new ACE to the existing DACL and write the descriptor back
[System.Management.ManagementBaseObject[]] $newDACL = $sd.DACL + @($ace)
$sd.DACL = $newDACL
$result = $app.SetLaunchSecurityDescriptor($sd)
if ($result.ReturnValue -ne 0) { throw "SetLaunchSecurityDescriptor failed with return value $($result.ReturnValue)" }
Elijah W. Gagne
  • I am trying to use the PS script posted by @Elijah W. Gagne above to configure DCOM and am getting the error "The property 'DACL' can not be found on this object. Verify that the property exists and can be set." The error is for the line "$sd.DACL = $newDACL". I am not very well versed in PS usage. Can anyone tell me what do I need to do to make that work. Thanks much! – RGuggisberg Sep 04 '15 at 16:32
  • I would run things until line 4. Then output the $app variable and confirm it's not empty (null). If it is, you probably have to adjust your WHERE clause in line 4. – Elijah W. Gagne Sep 08 '15 at 17:08
  • Yes, I had to change mine as I was using version 12.0 not 11.0 and I found the $app to be null. But after changing the $appdesc to be right for me the script worked a charm. – Alan Mullett Nov 15 '16 at 15:12
  • I can make this work only if I already have the Component Services - DCOM Config snapin loaded. Is there a way to do that programmatically? – RGuggisberg Feb 08 '19 at 16:31
  • Don't forget to use the -EnableAllPrivileges switch with the Get-WMIObject call, or the security descriptor will be null (which might be why you get an error that DACL cannot be found) – Markus Szumovski Sep 06 '19 at 09:10
  • I realize this is old but below would help dynamically pull the svc act:

    $getagtAct = {
        $command = @'
    select service_account from sys.dm_server_services where servicename like '%agent%'
    '@
        $agtAct = Invoke-Sqlcmd -ServerInstance "." -Query $command -QueryTimeout 30000
        return $agtAct
    }
    $agtAct = Invoke-Command -Session (New-PSSession -ComputerName $ServerName -Credential $RunAs -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck)) -ScriptBlock $getagtAct

    – Nicholas McQuillen Sep 01 '23 at 16:29
  • and domain $domain = "$env:userdomain" – Nicholas McQuillen Sep 01 '23 at 16:29
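The script in this answer appends an ACE every time it runs and only touches the Launch list, while the question asks for both Launch/Activation and Access permissions in a provisioning script that may be re-run. The following is an added example, not the answer's own code, that wraps the same WMI calls in an idempotent function covering both lists: it resolves the account to a SID, widens an existing ACE for that SID instead of adding a duplicate, handles the null-descriptor case that the comments above run into, and checks the return values of the Get/Set methods. It assumes Windows Vista or later, an elevated Windows PowerShell session with Get-WmiObject, and placeholder description and account names; the COM_RIGHTS_* values are the winnt.h definitions, and that access descriptors use only the three EXECUTE bits is my reading of the DCOM security documentation.

```powershell
# Added example (not the answer's code): idempotent Set-DcomPermission for the Launch/Activation
# and Access lists of a DCOM application via Win32_DCOMApplicationSetting.
# Assumes Vista+, elevated Windows PowerShell; description/account values below are placeholders.

# COM_RIGHTS_* flags from winnt.h. Launch descriptors use all five bits; access descriptors use
# only EXECUTE, EXECUTE_LOCAL and EXECUTE_REMOTE.
$COM_RIGHTS_EXECUTE         = 1
$COM_RIGHTS_EXECUTE_LOCAL   = 2
$COM_RIGHTS_EXECUTE_REMOTE  = 4
$COM_RIGHTS_ACTIVATE_LOCAL  = 8
$COM_RIGHTS_ACTIVATE_REMOTE = 16

function Set-DcomPermission {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Description,   # Win32_DCOMApplicationSetting.Description
        [Parameter(Mandatory = $true)][string]$Account,       # 'DOMAIN\user' or 'user'
        [Parameter(Mandatory = $true)][ValidateSet('Launch', 'Access')][string]$Type,
        [Parameter(Mandatory = $true)][int]$AccessMask        # OR of COM_RIGHTS_* bits
    )

    # Escape WQL string delimiters; -EnableAllPrivileges or the descriptor comes back null
    $filter = 'Description="{0}"' -f ($Description -replace '(["\\])', '\$1')
    $apps = @(Get-WmiObject -Class Win32_DCOMApplicationSetting -Filter $filter -EnableAllPrivileges)
    if ($apps.Count -ne 1) {
        throw "Expected exactly one DCOM application with Description '$Description', found $($apps.Count)"
    }
    $app = $apps[0]

    # Resolve the account to a SID so the ACE is matched by identity, not by the spelling of the name
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])
    $canonical = $sid.Translate([System.Security.Principal.NTAccount]).Value   # 'DOMAIN\user'
    $domain, $name = $canonical -split '\\', 2

    $res = if ($Type -eq 'Launch') { $app.GetLaunchSecurityDescriptor() } else { $app.GetAccessSecurityDescriptor() }
    if ($res.ReturnValue -ne 0) { throw "Get${Type}SecurityDescriptor returned $($res.ReturnValue)" }
    $sd = $res.Descriptor
    if ($null -eq $sd) { throw "$Type descriptor is null; run elevated and keep -EnableAllPrivileges" }

    # An empty DACL comes back as $null; filter it out instead of carrying a null element
    $dacl = @($sd.DACL | Where-Object { $null -ne $_ })
    $existing = $dacl | Where-Object { $_.AceType -eq 0 -and $_.Trustee.SIDString -eq $sid.Value } | Select-Object -First 1
    if ($existing -and (($existing.AccessMask -band $AccessMask) -eq $AccessMask)) {
        Write-Verbose "$canonical already holds mask $AccessMask on the $Type list of $($app.AppId); nothing to do"
        return
    }
    if ($existing) {
        # Widen the ACE that is already there rather than appending a second one for the same SID
        $existing.AccessMask = $existing.AccessMask -bor $AccessMask
    } else {
        $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
        $trustee.Domain = $domain
        $trustee.Name = $name
        $sidBytes = New-Object byte[] $sid.BinaryLength
        $sid.GetBinaryForm($sidBytes, 0)
        $trustee.SID = $sidBytes
        $trustee.SidLength = $sid.BinaryLength
        $trustee.SIDString = $sid.Value

        $ace = ([wmiclass]'Win32_ACE').CreateInstance()
        $ace.AceType = 0          # ACCESS_ALLOWED_ACE_TYPE
        $ace.AceFlags = 0         # no inheritance
        $ace.AccessMask = $AccessMask
        $ace.Trustee = $trustee
        $dacl += $ace
    }
    $sd.DACL = [System.Management.ManagementBaseObject[]]$dacl

    if ($PSCmdlet.ShouldProcess("$($app.Description) ($($app.AppId))", "grant $canonical $Type mask $AccessMask")) {
        $set = if ($Type -eq 'Launch') { $app.SetLaunchSecurityDescriptor($sd) } else { $app.SetAccessSecurityDescriptor($sd) }
        if ($set.ReturnValue -ne 0) { throw "Set${Type}SecurityDescriptor returned $($set.ReturnValue)" }
    }
}

# Usage: the same rights as the answer's script (11 = local launch + local activate), plus local access
$localLaunchActivate = $COM_RIGHTS_EXECUTE -bor $COM_RIGHTS_EXECUTE_LOCAL -bor $COM_RIGHTS_ACTIVATE_LOCAL
$localAccess         = $COM_RIGHTS_EXECUTE -bor $COM_RIGHTS_EXECUTE_LOCAL
$desc = 'Microsoft SQL Server Integration Services 11.0'
Set-DcomPermission -Description $desc -Account 'MYDOMAIN\sql2012agent' -Type Launch -AccessMask $localLaunchActivate -Verbose
Set-DcomPermission -Description $desc -Account 'MYDOMAIN\sql2012agent' -Type Access -AccessMask $localAccess -Verbose
```

Because the function supports -WhatIf, a provisioning script can first run it with -WhatIf to see which AppId and account would be touched; on a second real run it reports "nothing to do" rather than growing the DACL, which is the property you want from a script that is part of a repeatable server build. Keep the mask to the local bits unless the service genuinely needs remote launch or activation, since those are the rights that matter to anyone on the network.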