I am writing a script and trying to reduce the number of dependencies it has on external files. At the moment, I am making calls to DComPerm.exe and SetAcl.exe in the following manner:

DComPerm.exe

$newGroup = "JFSLJSDFJ\Mst-SvcAccounts"
$daListResult = .\DComPerm.exe -da list
$dlListResult = .\DComPerm.exe -dl list
.\DComPerm.exe -da set $newGroup permit level:r,l

SetACL.exe

$registryPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\34242342435435"
.\SetACL.exe -on $registryPath -ot reg -actn setowner -ownr "n:$machineHost\Administrators"
.\SetACL.exe -on $registryPath -ot reg -actn ace -ace "n:$machineHost\Administrators;p:full"

Is it possible to replace these calls with PowerShell code instead to reduce the dependencies on the file?

methuselah

1 Answer

You can use something like this:

$newGroup = "JFSLJSDFJ\Mst-SvcAccounts"
$daListResult = .\DComPerm.exe -da list
$dlListResult = .\DComPerm.exe -dl list

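# Only the executable path goes in the string after the call operator; arguments follow it.
# "level:r,l" is quoted so PowerShell does not split it at the comma into two arguments.
& ".\DComPerm.exe" -da set $newGroup permit "level:r,l"

OR

# The whole command line is re-parsed by PowerShell, so each argument is quoted inside the string.
Invoke-Expression "& '.\DComPerm.exe' -da set '$newGroup' permit 'level:r,l'"

OR

# Process.Start takes the file name and the argument string as separate parameters.
[System.Diagnostics.Process]::Start("$PWD\DComPerm.exe", "-da set `"$newGroup`" permit level:r,l")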

You can incorporate the same for the ACL also. You need some escape sequence while passing the parameters.

You can create an instance of Win32_DCOMApplicationSetting:

$dcomperm=Get-WMIObject -Class Win32_DCOMApplicationSetting

DCOM application instances have several security descriptors. Starting with Windows Vista, use methods of the Win32_DCOMApplicationSetting class to get or change the various security descriptors. Security descriptors are returned as instances of the Win32_SecurityDescriptor class.

Here is code I got from here for DCOM settings:

Reference link: DCOM Settings

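$user = "sql2012agent"
$domain = "MYDOMAIN"
$appdesc = "Microsoft SQL Server Integration Services 11.0"
# Look up the DCOM application by its description (or by AppID, see the commented lines).
$app = get-wmiobject -query ('SELECT * FROM Win32_DCOMApplicationSetting WHERE Description = "' + $appdesc + '"') -enableallprivileges
#$appid = "{83B33982-693D-4824-B42E-7196AE61BB05}"
#$app = get-wmiobject -query ('SELECT * FROM Win32_DCOMApplicationSetting WHERE AppId = "' + $appid + '"') -enableallprivileges
# Read the current launch/activation security descriptor.
$sdRes = $app.GetLaunchSecurityDescriptor()
$sd = $sdRes.Descriptor
# Build the trustee (account) that the new ACE applies to.
$trustee = ([wmiclass] 'Win32_Trustee').CreateInstance()
$trustee.Domain = $domain
$trustee.Name = $user
# COM access mask bits: 1 = execute, 2 = local launch, 4 = remote launch,
# 8 = local activation, 16 = remote activation.
$fullControl = 31          # all five bits (not used below)
$localLaunchActivate = 11  # 1 + 2 + 8: local launch and local activation only
$ace = ([wmiclass] 'Win32_ACE').CreateInstance()
$ace.AccessMask = $localLaunchActivate
$ace.AceFlags = 0          # no inheritance flags
$ace.AceType = 0           # 0 = access allowed
$ace.Trustee = $trustee
# Append the new ACE to the existing DACL and write the descriptor back.
[System.Management.ManagementBaseObject[]] $newDACL = $sd.DACL + @($ace)
$sd.DACL = $newDACL
$app.SetLaunchSecurityDescriptor($sd)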

Set-Acl will help you do the SetACL.exe work.

Hope it helps.

Community
Ranadip Dutta
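
The two SetACL.exe calls from the question (set owner, then grant full control), done with the .NET registry access-control classes instead. This is an added example, not part of the original answer: the function name is hypothetical, and it assumes Windows PowerShell 5 or later in an elevated session that is permitted to take ownership of the key.

```powershell
# Added example, not part of the original answer. The function name is hypothetical.
# Assumes an elevated session that is permitted to take ownership of the key.
function Set-AdminOwnerAndFullControl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Path below HKEY_LOCAL_MACHINE, e.g. 'SOFTWARE\Classes\AppID\34242342435435'
        [Parameter(Mandatory)] [string] $SubKey
    )
    $hklm  = [Microsoft.Win32.Registry]::LocalMachine
    $check = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
    # BUILTIN\Administrators by well-known SID, independent of host name and locale.
    $admins = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    if (-not $PSCmdlet.ShouldProcess("HKLM\$SubKey", 'Set owner and grant FullControl')) { return }

    # Equivalent of "-actn setowner": open with TakeOwnership only, write only the owner.
    $key = $hklm.OpenSubKey($SubKey, $check,
        [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if ($null -eq $key) { throw "Registry key not found: HKLM\$SubKey" }
    try {
        $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
        $acl.SetOwner($admins)
        $key.SetAccessControl($acl)
    } finally { $key.Close() }

    # Equivalent of "-actn ace ... p:full": as owner, read and rewrite only the DACL.
    $rights = [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions'
    $key = $hklm.OpenSubKey($SubKey, $check, $rights)
    try {
        $acl  = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
        # ContainerInherit (subkeys inherit the rule) is a choice made for this example.
        $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
            $admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $acl.SetAccessRule($rule)   # replaces any existing Allow rule for this SID
        $key.SetAccessControl($acl)
    } finally { $key.Close() }

    # Return the result so the caller can confirm the owner and the new rule.
    Get-Acl -Path "Registry::HKEY_LOCAL_MACHINE\$SubKey" | Select-Object Owner, Access
}
```

Running the function with -WhatIf first shows which key would be changed without writing anything. If the session cannot take ownership of the key, the first OpenSubKey call throws and nothing is modified.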