2 votes

Is it possible to set machine level "My Computer" access and launch permissions from PowerShell?

The equivalent of

DComPerm.exe -ma set name permit level:l,r
DComPerm.exe -ml set name permit level:l,r

I am looking for a solution using PowerShell v 3.0. The target servers are Windows Server 2008 R2 and 2012.

[Screenshot: My Computer Properties dialog]

I have found a number of references for setting the DCOM application security settings. However I can't figure out how to set it at the machine or top level.

https://janbk.wordpress.com/2015/03/12/automating-dcom-acl-with-powershell/

Alternative to using DcomPerm.exe and SetAcl.exe in powershell

As I have suggested in the referenced answer, have you looked into the Win32_DCOMApplicationSetting class? - Ranadip Dutta
Check this link too: Link - Ranadip Dutta
I am looking to set the permissions at the machine level. Win32_DCOMApplicationSettings seems to be at the application level only. - p0rkjello

2 Answers

3 votes

We have been using WMI to set Launch Permissions. Refer: https://rkeithhill.wordpress.com/2013/07/25/using-powershell-to-modify-dcom-launch-activation-settings/

This stopped working after Windows security patches rolled out (patch #: 4012212, 4012213, and 4012213).

We converted the WMI PowerShell script to use CIM and that took care of setting launch permissions on DCOM objects & works with the security patches. Code is below for reference:

function New-DComAccessControlEntry {
    param(
        [Parameter(Mandatory=$true)][Microsoft.Management.Infrastructure.CimSession] $CimSession,
        [Parameter(Mandatory=$true)][string] $Username,
        [string] $Domain
    )

    # Create the Win32_Trustee instance
    $Trustee = New-Object ciminstance $CimSession.GetClass("root/cimv2", "Win32_Trustee")
    $Trustee.Name = $Username
    $Trustee.Domain = $Domain

    # Create the Win32_ACE instance
    $Ace = New-Object ciminstance $CimSession.GetClass("root/cimv2", "Win32_ACE")
    $Ace.AceType = [uint32] [System.Security.AccessControl.AceType]::AccessAllowed
    # 11 = COM_RIGHTS_EXECUTE (1) + COM_RIGHTS_EXECUTE_LOCAL (2) + COM_RIGHTS_ACTIVATE_LOCAL (8):
    # Local Launch and Local Activation only, no remote launch/activation rights
    $Ace.AccessMask = 11
    $Ace.AceFlags = [uint32] [System.Security.AccessControl.AceFlags]::None
    $Ace.Trustee = $Trustee

    $Ace
}

function Grant-DComAccessToUser {
    param(
        [Parameter(Mandatory=$true)][Microsoft.Management.Infrastructure.CimSession] $CimSession,
        [Parameter(Mandatory=$true)][string] $ComponentName,
        [Parameter(Mandatory=$true)][string] $Username,
        [string] $Domain
    )

    # Find the DCOM application by its description (prefix match)
    $DCom = Get-CimInstance -CimSession $CimSession -Query "SELECT * from Win32_DCOMApplicationSetting WHERE Description LIKE '$ComponentName%'"
    if (-not $DCom) {
        throw "No Win32_DCOMApplicationSetting found with a Description starting with '$ComponentName'"
    }

    $GetDescriptor = Invoke-CimMethod -CimSession $CimSession -InputObject $DCom -MethodName "GetLaunchSecurityDescriptor"

    # Reuse an existing ACE for this user if there is one, otherwise append a new one
    $ExistingAce = $GetDescriptor.Descriptor.DACL | Where-Object { $_.Trustee.Name -eq $Username }

    if ($ExistingAce)
    {
        $ExistingAce.AccessMask = 11
    }
    else
    {
        $NewAce = New-DComAccessControlEntry -CimSession $CimSession -Domain $Domain -Username $Username
        $GetDescriptor.Descriptor.DACL += $NewAce
    }

    Invoke-CimMethod -CimSession $CimSession -InputObject $DCom -MethodName "SetLaunchSecurityDescriptor" -Arguments @{Descriptor=$GetDescriptor.Descriptor}
}

# --- Usage: the functions above must be defined before this point ---
$ComponentName = "TestComponent" #--- change value as needed
$Username = "Username"           #--- change value as needed
$Domain = "Domain"               #--- change value as needed

# If you already have a CimSession that you used to get the security descriptor, you can leave this line out and use the existing one:
$CimSession = New-CimSession localhost

Grant-DComAccessToUser -CimSession $CimSession -ComponentName $ComponentName -Username $Username -Domain $Domain

# Cleanup
$CimSession | Remove-CimSession

-1 votes

You can change this script: https://gallery.technet.microsoft.com/scriptcenter/Grant-Revoke-Get-DCOM-22da5b96. It works with application permissions using registry path "HKCR:\AppID\$ApplicationID" and registry keys "AccessPermission", "LaunchPermission".

You should use registry path "HKLM:\SOFTWARE\Microsoft\Ole" and registry keys "DefaultAccessPermission", "DefaultLaunchPermission", "MachineAccessRestriction", "MachineLaunchRestriction".

More info in the "Configuring Remote DCOM" chapter: https://books.google.ru/books?id=rbpNppFdipkC&pg=PT211&lpg=PT211&dq=dcom+grant+local+launch+permission+powershell&source=bl&ots=5ZfeVca5NA&sig=9lMN_VeymG8cf73KT062QTsWWkc&hl=ru&sa=X&ved=0ahUKEwikn73f6YLcAhVEDSwKHUftCwkQ6AEIfDAI#v=onepage&q&f=true
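An added example (not from either answer) that reads the four machine-level values named above from HKLM:\SOFTWARE\Microsoft\Ole and decodes each binary security descriptor into one row per trustee with the COM rights it grants, so the current machine-wide settings can be audited before any of them is rewritten. It assumes PowerShell 3.0+ on Windows; the COM_RIGHTS_* bit values are taken from iaccess.h, and a value that is absent from the registry is reported as "(not set)" because COM then falls back to its built-in default.

```powershell
# COM rights bits as defined in iaccess.h (COM_RIGHTS_*)
$ComRights = [ordered]@{
    1  = 'Execute'
    2  = 'LocalLaunch'       # COM_RIGHTS_EXECUTE_LOCAL
    4  = 'RemoteLaunch'      # COM_RIGHTS_EXECUTE_REMOTE
    8  = 'LocalActivation'   # COM_RIGHTS_ACTIVATE_LOCAL
    16 = 'RemoteActivation'  # COM_RIGHTS_ACTIVATE_REMOTE
}

function ConvertFrom-ComAccessMask {
    param([int] $Mask)
    # Turn a raw access mask into a comma-separated list of COM right names
    ($ComRights.Keys | Where-Object { $Mask -band $_ } | ForEach-Object { $ComRights[$_] }) -join ','
}

function Get-MachineDcomPermission {
    # Returns one object per ACE for each machine-level DCOM value (value names as in the answer above)
    $olePath    = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $valueNames = 'DefaultAccessPermission', 'DefaultLaunchPermission',
                  'MachineAccessRestriction', 'MachineLaunchRestriction'
    $props = Get-ItemProperty -Path $olePath

    foreach ($name in $valueNames) {
        $bytes = $props.$name
        if (-not $bytes) {
            # Value absent: COM uses its built-in default for this setting
            [pscustomobject]@{ Setting = $name; Trustee = '(not set)'; Type = ''; Rights = '' }
            continue
        }
        # The REG_BINARY payload is a self-relative security descriptor
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
        foreach ($ace in $sd.DiscretionaryAcl) {
            $trustee = $ace.SecurityIdentifier.Value
            # Resolve the SID to DOMAIN\Name where possible; keep the raw SID if it cannot be translated
            try { $trustee = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{
                Setting = $name
                Trustee = $trustee
                Type    = $ace.AceType
                Rights  = ConvertFrom-ComAccessMask -Mask $ace.AccessMask
            }
        }
    }
}

Get-MachineDcomPermission | Format-Table -AutoSize
```

Comparing the MachineAccessRestriction and MachineLaunchRestriction rows against DefaultAccessPermission and DefaultLaunchPermission shows which trustees can reach the machine at all versus which get rights on applications that carry no permissions of their own.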