Setting WMI ACLs via SetSecurityDescriptor

Question:

I can’t seem to be able to set WMI ACLs via PowerShell. An invocation of

returns this exception:

SetSecurityDescriptor takes exactly one parameter of the __SecurityDescriptor type and the $acl object itself I am using in -Arguments seems alright:

From what I can get off the docs, I am invoking the Parameter Set: path overload, so the parameter set seems not to be missing required arguments.

I am basically ripping the code off this MSDN blog post on the very same topic and while GetSecurityDescriptor using a similar invocation gives the desired results:

the SetSecurityDescriptor keeps throwing exceptions on me. How do I get it working?

The code in context, for reference:

"}
$win32account = Get-WmiObject @getparams
# and build a new Trustee object
$trustee = (New-Object System.Management.ManagementClass("win32_Trustee")).CreateInstance()
$trustee.SidString = $win32account.Sid
$ace.Trustee = $trustee

# Add ACE to ACL
$acl.DACL += $ace.psobject.immediateBaseObject

# apply new ACL
$setparams = @{Name="SetSecurityDescriptor";ArgumentList=$acl.psobject.immediateBaseObject} + $invokeParams
$output = Invoke-WmiMethod @setparams
if ($output.ReturnValue -ne 0) {
    throw "SetSecurityDescriptor failed: $($output.ReturnValue)"
}

I have also already tried playing with the .AceFlags property as suggested in comments to the aforementioned blog post by Steve Lee – to no avail.

Answer:

In the article you refer to the call is different and those differences could well be important – the params are a single hashtable built up to include all the params as name/value pairs:

Source:

Setting WMI ACLs via SetSecurityDescriptor by licensed under CC BY-SA | With most appropriate answer!
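
To verify what a SetSecurityDescriptor call actually granted, the namespace DACL can be read back and decoded. The following is an added example, not code from the post, the answer or the MSDN script; it passes all parameters as one splatted hashtable, as the answer describes. The function names, the `root/cimv2` default and the `__systemsecurity=@` singleton path are assumptions of this example.

```powershell
# Added example: audit the DACL of a WMI namespace. Function names are hypothetical.
# WMI namespace access-right bits used to decode Win32_ACE.AccessMask.
$WmiRights = [ordered]@{
    Enable = 0x1; MethodExecute = 0x2; FullWrite = 0x4; PartialWrite = 0x8
    ProviderWrite = 0x10; RemoteAccess = 0x20
    ReadSecurity = 0x20000; WriteSecurity = 0x40000
}

function ConvertFrom-WmiAccessMask {
    param([Parameter(Mandatory)][long]$AccessMask)
    $rest = $AccessMask
    foreach ($right in $WmiRights.GetEnumerator()) {
        if ($AccessMask -band $right.Value) {
            $right.Key                          # emit the name of each set right
            $rest = $rest -bxor $right.Value    # clear the bit we just named
        }
    }
    # Surface bits the table does not name instead of silently dropping them.
    if ($rest -ne 0) { 'Unknown(0x{0:X})' -f $rest }
}

function Get-WmiNamespaceAce {
    param([string]$Namespace = 'root/cimv2', [string]$ComputerName = '.')
    # Every Invoke-WmiMethod parameter goes into one hashtable, then is splatted.
    $params = @{
        Namespace    = $Namespace
        Path         = '__systemsecurity=@'
        Name         = 'GetSecurityDescriptor'
        ComputerName = $ComputerName
    }
    $output = Invoke-WmiMethod @params
    if ($output.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed: $($output.ReturnValue)"
    }
    foreach ($ace in $output.Descriptor.DACL) {
        [pscustomobject]@{
            Trustee   = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            Sid       = $ace.Trustee.SIDString
            Type      = @('Allow', 'Deny', 'Audit')[[int]$ace.AceType]
            Inherited = [bool]($ace.AceFlags -band 0x10)   # INHERITED_ACE
            Rights    = (ConvertFrom-WmiAccessMask $ace.AccessMask) -join ', '
        }
    }
}

# Constructed sample mask: decode without touching WMI.
ConvertFrom-WmiAccessMask 0x23
# Live check: list ACEs that can change namespace security or connect remotely.
Get-WmiNamespaceAce | Where-Object { $_.Rights -match 'WriteSecurity|RemoteAccess' }
```

Run it from an elevated session before and after a change to the namespace ACL and compare the two listings.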
