Question
Friday, January 13, 2017 2:09 PM
I have created a PowerShell session configuration. On this session I have assigned the permission "Full Control (All Operations)" to the local group "test". The user "test.com\User1" is a member of the local group "test".
Register-PSSessionConfiguration -Name CheckSQLInstallation -Force
Set-PSSessionConfiguration CheckSQLInstallation -SecurityDescriptorSddl "O:NSG:BAD:P(A;;GAGXGR;;;S-1-5-21-1915948995-3197892710-3571138890-1021)(A;;GA;;;BA)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)" -Force
When I run the script below, I get an "Access Denied" error. When I add the user "test.com\User1" to the local administrators group, the script runs fine.
$cred = Get-Credential "test.com\User1"
$mySession = New-PSSession -Credential $cred -ConfigurationName CheckSQLInstallation
$ServiceName = "MSSQL`$INST1"
[string]$ServiceAccount = (Invoke-Command -Session $mySession -ScriptBlock { Param($arg1) Get-WmiObject -Class win32_service | Where-Object {($_.Name -eq $arg1)} } -ArgumentList $ServiceName).StartName
$ServiceAccount
Access denied
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
+ PSComputerName : computer.test.com
I have also assigned the permissions below, but that doesn't help:
- Made the user "test.com\User1" a member of the "Distributed COM Users" and "Performance Monitor Users" groups
- In "WMI Control" I have assigned the user "test.com\User1" the permissions "Execute Method", "Enable Account" and "Remote Enable" on the "Root" level and all subfolders
- In DCOM, the "Distributed COM Users" group has all available permissions
Does anyone know how to solve this?
Regards,
Marco
All replies (10)
Friday, January 13, 2017 3:18 PM ✅Answered
No matter what method you use, you will still have to give the account permission on the service object using "SC", as only full Admins can start and stop a service.
You can configure WMI to allow non-admins access by allowing a user or group remote DCOM and giving the group permissions on root\CimV2. There is no need for remoting in this scenario and it will not work for what you are trying to do.
\(ツ)_/
Friday, January 13, 2017 2:29 PM
Hi Marco,
well, first of all: Where does this error occur? When creating the session or when invoking the command?
Is there a reason you are invoking the command, rather than querying WMI or CIM remotely?
Cheers,
Fred
Edit: When you run this, does your user have the correct permissions?
Get-PSSessionConfiguration "CheckSQLInstallation" | Set-PSSessionConfiguration -ShowSecurityDescriptorUI
There's no place like 127.0.0.1
Friday, January 13, 2017 2:30 PM
What is the purpose of creating a session and then using Invoke-Command to run Get-WMIObject?
Get-WMIObject -ComputerName MyComputer runs on the remote computer
If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in anyway, please click vote as helpful.
Friday, January 13, 2017 2:41 PM
Services require explicit permission per user when not an admin.
SC /?
The SC command can set the SDDL on the service.
DCOM is not part of this and you do not need to use remoting to manage a service, although it will work if you set the service security for the user/group you want to delegate to.
Friday, January 13, 2017 2:43 PM
@FWN: the error occurs during the Get-WMIObject statement. The user has the "Full Control" permission
@Both: I want to schedule this script on a remote server, which is going to query all of my servers. If I do not want to assign admin privileges to the executing user I have to use a session.
Marco
Friday, January 13, 2017 2:45 PM
How is creating a session going to give you admin privileges to a machine, if the user is not an admin? That would be a huge security flaw, if it did.
Friday, January 13, 2017 2:51 PM
Clayman2: this article explains it: Article
Marco
Friday, January 13, 2017 9:21 PM
jrv,
thanks for your explanation. I have modified the permissions on the scmanager service and on the SQL service, so that the SID (of the login) has permissions to query them. I have removed the user from the groups "Distributed COM Users" and "Performance Monitor Users", because that was not necessary anymore. On WMI it only has "Enable Account" and "Remote Enable" permissions.
It's working (also from a remote server)
sc.exe sdset scmanager "D:(A;;LCCC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPRCLO;;;S-1-5-21-1915031995-3194922710-3571138890-1021)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
sc.exe sdset "MSSQL`$INST1" "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCRPRCLO;;;S-1-5-21-1915031995-3194922710-3571138890-1021)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
So this is the final result:
function test
{
$ServiceName = "MSSQL`$INST1"
[string]$ServiceAccount = (Invoke-Command -Session $mySession -ScriptBlock { Param($arg1) Get-WmiObject -Class win32_service | Where-Object {($_.Name -eq $arg1)} } -ArgumentList $ServiceName).StartName
$ServiceAccount
}
$mySession = New-PSSession -ComputerName computer1.test.com -ConfigurationName CheckSQLInstallation
test
I run it as a scheduled task on computer2 under the privilege of user "test.com\User1" and it queries computer1.
I wish there would be an easier way.
Thanks,
Marco
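The two sc.exe sdset strings above are only readable once the two-letter rights codes are decoded into the SERVICE_* access rights they stand for. The following is an added example, not code from the thread: it parses the DACL of a service SDDL, names the rights each trustee holds (which shows, for instance, that the ACE posted for the SID also grants RP, i.e. SERVICE_START, beyond what a query needs), and builds a query-only ACE. The sample SDDL is the SQL service descriptor posted above; the SID in it is the thread's and must be replaced with the SID of the account you delegate to.

```powershell
# Service-specific SDDL rights codes as accepted by "sc.exe sdset"/"sdshow".
$ServiceRights = [ordered]@{
    'CC' = 'SERVICE_QUERY_CONFIG';        'DC' = 'SERVICE_CHANGE_CONFIG'
    'LC' = 'SERVICE_QUERY_STATUS';        'SW' = 'SERVICE_ENUMERATE_DEPENDENTS'
    'RP' = 'SERVICE_START';               'WP' = 'SERVICE_STOP'
    'DT' = 'SERVICE_PAUSE_CONTINUE';      'LO' = 'SERVICE_INTERROGATE'
    'CR' = 'SERVICE_USER_DEFINED_CONTROL'; 'RC' = 'READ_CONTROL'
    'SD' = 'DELETE';                      'WD' = 'WRITE_DAC'
    'WO' = 'WRITE_OWNER';                 'KA' = 'ALL_ACCESS'
    'GA' = 'GENERIC_ALL'
}

function ConvertFrom-ServiceSddl {
    # Returns one object per DACL ACE: ACE type, trustee (SID or alias), decoded rights.
    param([Parameter(Mandatory)][string]$Sddl)
    $dacl = ($Sddl -split 'S:')[0] -replace '^D:', ''      # drop the SACL part
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value -split ';'                 # type;flags;rights;;;sid
        $rights = if ($f[2] -like '0x*') {
            $f[2]                                          # raw hex mask, leave as is
        } else {
            ([regex]::Matches($f[2], '..') | ForEach-Object {
                if ($ServiceRights.Contains($_.Value)) { $ServiceRights[$_.Value] } else { $_.Value }
            }) -join ', '
        }
        [pscustomobject]@{
            Type    = if ($f[0] -eq 'A') { 'Allow' } elseif ($f[0] -eq 'D') { 'Deny' } else { $f[0] }
            Trustee = $f[5]
            Rights  = $rights
        }
    }
}

function New-QueryOnlyServiceAce {
    # Least privilege for "read StartName via WMI": query config, query status, read the SD.
    param([Parameter(Mandatory)][string]$Sid)
    "(A;;CCLCRC;;;$Sid)"
}

# Sample input: the MSSQL$INST1 descriptor posted in this thread.
$posted = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCRPRCLO;;;S-1-5-21-1915031995-3194922710-3571138890-1021)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
ConvertFrom-ServiceSddl -Sddl $posted | Format-Table -AutoSize

# Placeholder SID: replace with the SID of the delegated account before use.
New-QueryOnlyServiceAce -Sid 'S-1-5-21-<domain>-<rid>'
```

Compare the decoded output against what the delegated account actually needs before writing a new descriptor back with sc.exe sdset; the existing "sc.exe sdshow <service>" output is the input to check.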
Friday, January 13, 2017 9:41 PM
That will not work at all. You don't need a session. Just use WMI directly with DCOM.
Get-WmiObject win32_service -Filter "Name = 'MSSQL`$INST1'"
Just run the scheduled task under the special user account and everything else will work.
You are way overcomplicating this.
Saturday, January 14, 2017 12:14 PM
jrv,
thanks again. You are right. The script has become too complicated because of all the things I have tried to find a solution. Your statement works as well and is much simpler.
Regards,
Marco