Set WMI permissions (root folder) for a non-admin domain user on all domain computers

Time: 2019-09-04 11:22:32

Tags: powershell windows-server-2012 gpo

I can't find anywhere how to configure access to WMI. How do I do it?


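P.S. I found some code, but I need to change it to add Execute methods and apply it to all child namespaces.

P.P.S. I just need to find the descriptor to allow MethodExecute via WMI SDDL... please help me.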

    # Requires the ActiveDirectory module (Get-ADComputer).
    Import-Module ActiveDirectory

    # Resolve an account name to its SID string.
    function Get-Sid {
        Param (
            $DSIdentity
        )
        $ID = New-Object System.Security.Principal.NTAccount($DSIdentity)
        return $ID.Translate([System.Security.Principal.SecurityIdentifier]).ToString()
    }

    $sid = Get-Sid $args[0]
    # ACE appended to the WMI namespace descriptor: allow, container-inherit (CI), rights CC and WP.
    $SDDL = "A;CI;CCWP;;;$sid"
    # ACE appended to the DCOM MachineLaunchRestriction descriptor.
    $DCOMSDDL = "A;;CCDCRP;;;$sid"

    ForEach ($COMPUTER in (Get-ADComputer -Filter '*' | Select-Object -ExpandProperty Name)) {
        if (!(Test-Connection -ComputerName $COMPUTER -Quiet)) {
            Write-Host "cannot reach $COMPUTER" -ForegroundColor Red
        } else {
            # 2147483650 = HKEY_LOCAL_MACHINE
            $Reg = [WMIClass]"\\$COMPUTER\root\default:StdRegProv"
            $DCOM = $Reg.GetBinaryValue(2147483650, "software\microsoft\ole", "MachineLaunchRestriction").uValue
            $security = Get-WmiObject -ComputerName $COMPUTER -Namespace root -Class __SystemSecurity
            $converter = New-Object System.Management.ManagementClass Win32_SecurityDescriptorHelper

            # Read the current descriptors and convert them to SDDL strings.
            $binarySD = @($null)
            $result = $security.PsBase.InvokeMethod("GetSD", $binarySD)
            $outsddl = $converter.BinarySDToSDDL($binarySD[0])
            $outDCOMSDDL = $converter.BinarySDToSDDL($DCOM)

            # Append the new ACEs and convert back to binary form.
            $newSDDL = $outsddl.SDDL + "(" + $SDDL + ")"
            $newDCOMSDDL = $outDCOMSDDL.SDDL + "(" + $DCOMSDDL + ")"
            $WMIbinarySD = $converter.SDDLToBinarySD($newSDDL)
            $WMIconvertedPermissions = ,$WMIbinarySD.BinarySD
            $DCOMbinarySD = $converter.SDDLToBinarySD($newDCOMSDDL)
            $DCOMconvertedPermissions = ,$DCOMbinarySD.BinarySD

            # Write both descriptors back to the remote computer.
            $result = $security.PsBase.InvokeMethod("SetSD", $WMIconvertedPermissions)
            $result = $Reg.SetBinaryValue(2147483650, "software\microsoft\ole", "MachineLaunchRestriction", $DCOMbinarySD.BinarySD)
            Write-Host "complete" -ForegroundColor Green
        }
    }
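
The rights field of the namespace ACE in the script above (`CCWP`) can be decoded into WMI permission names as shown here; this is an added example, not part of the original post. It shows that WMI reuses the two-letter SDDL codes for its own access-mask bits, with `DC` standing for Execute Methods. The function name `ConvertFrom-WmiAce` is hypothetical and the SID is a constructed placeholder.

```powershell
# Added example: decode the rights field of a WMI namespace ACE written in SDDL.
# Each two-letter SDDL code corresponds to one bit of the WMI namespace access mask.
$WmiRights = @(
    [pscustomobject]@{ Code = 'CC'; Mask = 0x1;     Name = 'Enable Account' }
    [pscustomobject]@{ Code = 'DC'; Mask = 0x2;     Name = 'Execute Methods' }
    [pscustomobject]@{ Code = 'LC'; Mask = 0x4;     Name = 'Full Write' }
    [pscustomobject]@{ Code = 'SW'; Mask = 0x8;     Name = 'Partial Write' }
    [pscustomobject]@{ Code = 'RP'; Mask = 0x10;    Name = 'Provider Write' }
    [pscustomobject]@{ Code = 'WP'; Mask = 0x20;    Name = 'Remote Enable' }
    [pscustomobject]@{ Code = 'RC'; Mask = 0x20000; Name = 'Read Security' }
    [pscustomobject]@{ Code = 'WD'; Mask = 0x40000; Name = 'Edit Security' }
)

# Hypothetical helper: takes one ACE such as "A;CI;CCWP;;;<sid>" (with or without parentheses).
function ConvertFrom-WmiAce {
    param([Parameter(Mandatory)][string]$Ace)
    $fields = $Ace.Trim('()') -split ';'
    if ($fields.Count -ne 6) { throw "Expected 6 ';'-separated fields, got $($fields.Count): $Ace" }
    $rights = $fields[2]
    if ($rights -match '^0x[0-9a-fA-F]+$') {
        # Rights may also be written as a hexadecimal access mask.
        $mask = [Convert]::ToInt32($rights, 16)
    } else {
        if ($rights.Length % 2) { throw "Rights field '$rights' is not a run of two-letter codes" }
        $mask = 0
        for ($i = 0; $i -lt $rights.Length; $i += 2) {
            $code  = $rights.Substring($i, 2)
            $entry = $WmiRights | Where-Object { $_.Code -eq $code }
            # Codes outside the table (for example generic rights) are rejected, not guessed.
            if (-not $entry) { throw "Rights code '$code' is not in the WMI table" }
            $mask = $mask -bor $entry.Mask
        }
    }
    [pscustomobject]@{
        Type                      = $fields[0]
        PropagatesToSubnamespaces = $fields[1] -like '*CI*'   # CI = container inherit
        Mask                      = '0x{0:X}' -f $mask
        Rights                    = @($WmiRights | Where-Object { $mask -band $_.Mask } | ForEach-Object { $_.Name })
        Trustee                   = $fields[5]
    }
}

# Constructed placeholder SID, not taken from the page.
$sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
ConvertFrom-WmiAce "A;CI;CCWP;;;$sid"     # the ACE the script above appends
ConvertFrom-WmiAce "A;CI;CCDCWP;;;$sid"   # the same ACE with DC added
```

Running the decoder over the SDDL string returned by `BinarySDToSDDL`, one ACE at a time, gives a quick audit of which trustees hold which rights on a namespace before and after a change.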

0 answers:

No answers