How to Use PowerShell to Set WMI Permissions for FIM Self-Service Password Reset

FIM ScriptBox Item

Summary

Setting the WMI permissions by hand is tedious and error prone, especially when you have multiple environments and both a primary and a standby server to configure.
This script simplifies that part of a FIM Self-Service Password Reset deployment: it resolves the principal to its SID, reads the security descriptor of the root/cimv2 namespace on each server, adds (or replaces) an access control entry granting Enable Account and Remote Enable with inheritance to subnamespaces, and writes the descriptor back. Run it from an account that is a local administrator on each target server.

Script Code

PARAM(
 [string]$Principal = $(throw "`nMissing -Principal DOMAIN\FIM PasswordSet"),
 $Computers = $(throw "`nMissing -Computers ('fimnode01','fimnode02')"))

# USAGE:
#
# .\Set-FIM-WMI.ps1 -Principal "DOMAIN\<group or username>" -Computers ('<server1>', '<server2>',...)
#
# EXAMPLE:
# .\Set-FIM-WMI.ps1 -Principal "DOMAIN\FIM PasswordSet" -Computers ('fimsyncprimary', 'fimsyncstandby')
#
# Run from an account that is a local administrator on each target server: the script
# reads and rewrites the security descriptor of the root/cimv2 WMI namespace.
#
# Inspired by Karl Mitschke's post:
# http://unlockpowershell.wordpress.com/2009/11/20/script-remote-dcom-wmi-access-for-a-domain-user/

Write-Host "Set-FIM-WMI - Updates WMI Permissions for FIM Password Reset"
Write-Host "`tWritten by Brad Turner (bst2k@hotmail.com)"
Write-Host "`tBlog: http://www.identitychaos.com"

# Resolve DOMAIN\name to its SID; the trustee field of an SDDL ACE must be a SID
function get-sid
{
 PARAM ($DSIdentity)
 $ID = new-object System.Security.Principal.NTAccount($DSIdentity)
 return $ID.Translate( [System.Security.Principal.SecurityIdentifier] ).toString()
}

$sid = get-sid $Principal

# WMI permission - Enable Account (CC) and Remote Enable (WP) for this namespace and
# subnamespaces (CI = container inherit). Nothing more is needed for password reset.
$WMISDDL = "A;CI;CCWP;;;$sid"

# Regex forms of the ACE, anchored on the ACE parentheses and with the SID escaped, so a
# SID that is a prefix of another SID (...-500 vs ...-5000) cannot produce a false match.
$escapedSid = [regex]::Escape($sid)
$WMISDDLExact = "\(" + [regex]::Escape($WMISDDL) + "\)"
# Any existing Allow ACE for this principal, whatever rights it currently grants
$WMISDDLPartialMatch = "\(A;\w*;\w+;;;$escapedSid\)"

foreach ($strcomputer in $Computers)
{
  write-host "`nWorking on $strcomputer..."
  $security = Get-WmiObject -ComputerName $strcomputer -Namespace root/cimv2 -Class __SystemSecurity
  # GetSD returns the descriptor through an [out] parameter, hence the one-element array
  $binarySD = @($null)
  $result = $security.PsBase.InvokeMethod("GetSD",$binarySD)

  # Convert the current permissions to SDDL
  write-host "`tConverting current permissions to SDDL format..."
  $converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
  $CurrentWMISDDL = $converter.BinarySDToSDDL($binarySD[0])

  # Nothing to do if the desired ACE is already present
  if ($CurrentWMISDDL.SDDL -match $WMISDDLExact)
  {
    write-host "`t`tCurrent WMI Permissions matches desired value."
    continue
  }

  # Build the new permissions
  write-host "`tBuilding the new permissions..."
  if ($CurrentWMISDDL.SDDL -match $WMISDDLPartialMatch)
  {
   # The principal already has an ACE with different rights: replace it rather than
   # accumulate entries. Note that this also strips any extra rights it had.
   $NewWMISDDL = $CurrentWMISDDL.SDDL -replace $WMISDDLPartialMatch, "($WMISDDL)"
  }
  else
  {
   # No ACE for the principal yet: append one to the DACL. If the descriptor carries a
   # SACL ("S:..."), the new ACE has to go in front of it, not at the end of the string.
   $saclStart = $CurrentWMISDDL.SDDL.IndexOf("S:")
   if ($saclStart -ge 0)
   {
    $NewWMISDDL = $CurrentWMISDDL.SDDL.Insert($saclStart, "($WMISDDL)")
   }
   else
   {
    $NewWMISDDL = $CurrentWMISDDL.SDDL + "($WMISDDL)"
   }
  }

  # Convert SDDL back to Binary
  write-host "`tConverting SDDL back into binary form..."
  $WMIbinarySD = $converter.SDDLToBinarySD($NewWMISDDL)
  # SetSD takes the byte array as its single [in] parameter
  $WMIconvertedPermissions = ,$WMIbinarySD.BinarySD

  # Apply the changes
  write-host "`tApplying changes..."
  $result = $security.PsBase.InvokeMethod("SetSD",$WMIconvertedPermissions)
  # '=' would be an assignment; -eq compares the method's return code (0 = success)
  if ($result -eq 0)
  {
   write-host "`t`tApplied WMI Security complete."
  }
  else
  {
   write-host "`t`tSetSD failed on $strcomputer with return code $result"
  }
}
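The script above edits the namespace descriptor as an opaque SDDL string, which makes it hard to see what a server actually grants once it has been run. The following companion example is added here and is not part of the original ScriptBox script: it decodes the DACL of a WMI namespace SDDL into one object per ACE with the WMI rights spelled out, and uses that to verify on each server that the principal holds exactly the two rights Password Reset needs (Enable Account and Remote Enable, inheriting to subnamespaces) and nothing more. The function names (ConvertFrom-WmiSddl, Test-FIMWmiPermission), the sample SDDL and the server names are assumptions made for this illustration; the right codes are the standard WMI SDDL abbreviations.

```powershell
# Added example, not part of Set-FIM-WMI.ps1. Decodes a WMI namespace SDDL and
# checks a principal's rights against the Password Reset requirement.

# Two-letter WMI right codes as they appear in the rights field of an SDDL ACE
$WmiRightNames = @{
  'CC' = 'Enable Account'; 'DC' = 'Execute Methods'; 'LC' = 'Full Write'
  'SW' = 'Partial Write';  'RP' = 'Provider Write';  'WP' = 'Remote Enable'
  'RC' = 'Read Security';  'WD' = 'Edit Security'
}

function ConvertFrom-WmiSddl
{
  PARAM ([Parameter(Mandatory = $true)][string]$Sddl)
  # Only the DACL ("D:...") is decoded; a trailing SACL ("S:...") is skipped.
  $daclStart = $Sddl.IndexOf('D:')
  if ($daclStart -lt 0) { return }
  $saclStart = $Sddl.IndexOf('S:', $daclStart)
  if ($saclStart -ge 0) { $dacl = $Sddl.Substring($daclStart, $saclStart - $daclStart) }
  else                  { $dacl = $Sddl.Substring($daclStart) }

  # ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee_sid)
  $acePattern = '\((?<type>[^;]*);(?<flags>[^;]*);(?<rights>[^;]*);[^;]*;[^;]*;(?<sid>[^)]+)\)'
  foreach ($m in [regex]::Matches($dacl, $acePattern))
  {
    $rightsField = $m.Groups['rights'].Value
    $rights = @()
    if ($rightsField -like '0x*')
    {
      $rights += $rightsField           # raw access mask; left undecoded here
    }
    else
    {
      for ($i = 0; $i + 1 -lt $rightsField.Length; $i += 2)
      {
        $code = $rightsField.Substring($i, 2)
        if ($WmiRightNames[$code]) { $rights += $WmiRightNames[$code] } else { $rights += $code }
      }
    }
    $typeCode = $m.Groups['type'].Value
    if ($typeCode -eq 'A') { $type = 'Allow' } elseif ($typeCode -eq 'D') { $type = 'Deny' } else { $type = $typeCode }
    [pscustomobject]@{
      Type      = $type
      Inherit   = $m.Groups['flags'].Value.Contains('CI')   # CI: applies to subnamespaces
      Inherited = $m.Groups['flags'].Value.Contains('ID')   # ID: came from the parent namespace
      Rights    = $rights
      Sid       = $m.Groups['sid'].Value
    }
  }
}

function Test-FIMWmiPermission
{
  PARAM ([string]$Principal, [string[]]$Computers, [string]$Namespace = 'root/cimv2')
  $sid = (new-object System.Security.Principal.NTAccount($Principal)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
  $required  = @('Enable Account', 'Remote Enable')
  $converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
  foreach ($computer in $Computers)
  {
    # Same read path as Set-FIM-WMI.ps1, but nothing is written back
    $security = Get-WmiObject -ComputerName $computer -Namespace $Namespace -Class __SystemSecurity
    $binarySD = @($null)
    [void]$security.PsBase.InvokeMethod('GetSD', $binarySD)
    $sddl = $converter.BinarySDToSDDL($binarySD[0]).SDDL
    $ace  = ConvertFrom-WmiSddl $sddl | Where-Object { $_.Sid -eq $sid -and $_.Type -eq 'Allow' } | Select-Object -First 1
    if ($ace)
    {
      $missing = @($required | Where-Object { $ace.Rights -notcontains $_ })
      $extra   = @($ace.Rights | Where-Object { $required -notcontains $_ })   # beyond least privilege
      $inherit = $ace.Inherit
    }
    else { $missing = $required; $extra = @(); $inherit = $false }
    [pscustomobject]@{
      Computer = $computer
      HasAce   = [bool]$ace
      Inherit  = $inherit
      Missing  = ($missing -join ',')
      Extra    = ($extra -join ',')
      Ok       = ([bool]$ace -and $inherit -and $missing.Count -eq 0 -and $extra.Count -eq 0)
    }
  }
}

# Offline demonstration against a constructed SDDL (the SID here is made up):
$sampleSddl = 'O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCWP;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'
ConvertFrom-WmiSddl $sampleSddl | Format-Table Type, Inherit, Sid, @{ n = 'Rights'; e = { $_.Rights -join ',' } }

# Live check, to run before and after Set-FIM-WMI.ps1 (needs admin rights on the targets):
# Test-FIMWmiPermission -Principal 'DOMAIN\FIM PasswordSet' -Computers 'fimsyncprimary', 'fimsyncstandby'
```

The Extra column is the one worth watching: because Set-FIM-WMI.ps1 replaces whatever ACE the principal already has, a server where Ok is false because of extra rights usually means someone granted the account more than Enable Account and Remote Enable by hand, and the replace will take those rights away again, which may or may not be what you want.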

Note

To provide feedback about this script, create a post on the FIM TechNet Forum.
For more FIM related Windows PowerShell scripts, see the FIM ScriptBox.


See Also