Change DCOM config security settings using Powershell


Question

I have been given the task of writing Powershell scripts to set up a server from scratch to run one of our services as part of a web application, and one of the steps required for setting this server up is changing the DCOM config for the installed service, specifically adding accounts to the "Launch and Activation"/"Access" Permissions and also set the permissions for these accounts once they have been added.

Is there a method of doing this using Powershell at all? I haven't been able to find a concrete method of doing what I'm aiming to achieve so any help would be great

Recommended answer

Looks like you would do it using WMI.

Get an instance of: Win32_DCOMApplicationSetting like this:

$dcom = Get-WMIObject -Class Win32_DCOMApplicationSetting -Filter 'Description="Something"'

Now you have access to the SetAccessSecurityDescriptor and SetLaunchSecurityDescriptor methods.

From: http://msdn.microsoft.com/en-us/library/windows/desktop/aa384905(v=vs.85).aspx

DCOM applications

DCOM application instances have several security descriptors. Starting with Windows Vista, use methods of the Win32_DCOMApplicationSetting class to get or change the various security descriptors. Security descriptors are returned as instances of the Win32_SecurityDescriptor class.

To get or change the configuration permissions, call the GetConfigurationSecurityDescriptor or SetConfigurationSecurityDescriptor methods.

To get or change the access permissions, call the GetAccessSecurityDescriptor or SetAccessSecurityDescriptor methods.

To get or change the startup and activation permissions, call the GetLaunchSecurityDescriptor or SetLaunchSecurityDescriptor methods.

Windows Server 2003, Windows XP, Windows 2000, Windows NT 4.0, and Windows Me/98/95: The Win32_DCOMApplicationSetting security descriptor methods are not available.

There's also a tool called DCOMPERM in which source code is available in the Windows SDK: http://www.microsoft.com/en-us/download/details.aspx?id=8279

You can find compiled versions around online if you search for DCOMPERM compiled.

Here are the command-line options:

Syntax: dcomperm <option> [...] 
Options:

Modify or list the machine access permission list 
-ma <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r"] 
-ma list

Modify or list the machine launch permission list 
-ml <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r,ll,la,rl,ra"] 
-ml list

Modify or list the default access permission list 
-da <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r"] 
-da list

Modify or list the default launch permission list 
-dl <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r,ll,la,rl,ra"] 
-dl list

Modify or list the access permission list for a specific AppID 
-aa <AppID> <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r"] 
-aa <AppID> default 
-aa <AppID> list

Modify or list the launch permission list for a specific AppID 
-al <AppID> <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r,ll,la,rl,ra"] 
-al <AppID> default 
-al <AppID> list

level: 
    ll - local launch (only applies to {ml, dl, al} options) 
    rl - remote launch (only applies to {ml, dl, al} options) 
    la - local activate (only applies to {ml, dl, al} options) 
    ra - remote activate (only applies to {ml, dl, al} options) 
    l - local (local access - means launch and activate when used with {ml, dl, al} options) 
    r - remote (remote access - means launch and activate when used with {ml, dl, al} options)
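The WMI route from the answer, carried through as an added example (not code from the original answer or from Microsoft): it reads the launch descriptor, appends one allow ACE limited to local launch and local activation (the equivalent of dcomperm's `level:ll,la`, with no remote bits), and writes it back. The function name, its parameters and the AppID shown in the comment are placeholders; it assumes an elevated Windows PowerShell 5.1 session, since `Get-WmiObject` is not available in PowerShell 7.

```powershell
# COM_RIGHTS_* values from the Windows SDK; remote launch (4) and remote activate (16) are left out.
$EXECUTE = 1; $EXECUTE_LOCAL = 2; $ACTIVATE_LOCAL = 8
$LocalLaunchActivate = $EXECUTE -bor $EXECUTE_LOCAL -bor $ACTIVATE_LOCAL   # 11

function Grant-DcomLocalLaunch {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $AppId,   # e.g. '{00000000-0000-0000-0000-000000000000}' (placeholder)
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $Name
    )
    # Resolve the account first so a typo fails here, before any descriptor is touched.
    $sid = (New-Object Security.Principal.NTAccount($Domain, $Name)).Translate(
        [Security.Principal.SecurityIdentifier]).Value

    $app = Get-WmiObject -Class Win32_DCOMApplicationSetting -Filter "AppID='$AppId'" -EnableAllPrivileges
    if (-not $app) { throw "No DCOM application with AppID $AppId" }

    $get = $app.GetLaunchSecurityDescriptor()
    if ($get.ReturnValue -ne 0) { throw "GetLaunchSecurityDescriptor failed: $($get.ReturnValue)" }
    $sd = $get.Descriptor

    # Idempotent: do nothing if an allow ACE for this SID already carries the same rights.
    $current = @($sd.DACL | Where-Object { $_ })
    $match = $current | Where-Object {
        $_.AceType -eq 0 -and $_.Trustee.SIDString -eq $sid -and
        ($_.AccessMask -band $LocalLaunchActivate) -eq $LocalLaunchActivate
    }
    if ($match) { return 'AlreadyGranted' }

    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.Domain = $Domain
    $trustee.Name   = $Name

    $ace = ([wmiclass]'Win32_ACE').CreateInstance()
    $ace.AceType    = 0                      # 0 = access allowed
    $ace.AceFlags   = 0
    $ace.AccessMask = $LocalLaunchActivate
    $ace.Trustee    = $trustee

    # Keep every existing ACE and append the new one.
    [System.Management.ManagementBaseObject[]] $dacl = $current + $ace
    $sd.DACL = $dacl
    $set = $app.SetLaunchSecurityDescriptor($sd)
    if ($set.ReturnValue -ne 0) { throw "SetLaunchSecurityDescriptor failed: $($set.ReturnValue)" }
    'Granted'
}
```

The access permission list follows the same pattern with `GetAccessSecurityDescriptor` and `SetAccessSecurityDescriptor`, using a mask of 3 (execute plus local execute) for local-only access.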
