DCOM objects launch permissions help.

This topic contains 2 replies, has 2 voices, and was last updated by Gorstag 1 month, 2 weeks ago.

  • #55484
    Gorstag
    Participant

    Here is an example of what I have been doing.

    # Look up the DCOM application by its description
    $ComName = 'PrintNotify'
    $dcom = Get-WMIObject Win32_DCOMApplicationSetting `
                -Filter "Description='$ComName'" -EnableAllPrivileges

    # Access, configuration and launch security descriptors
    $asd = $dcom.GetAccessSecurityDescriptor().Descriptor
    $csd = $dcom.GetConfigurationSecurityDescriptor().Descriptor
    $lsd = $dcom.GetLaunchSecurityDescriptor().Descriptor

    # Basic settings, plus the trustee names found in the launch DACL
    Write-Host "Local Service: " $dcom.LocalService
    Write-Host "Application ID: " $dcom.AppID
    Write-Host "Authentication Level: " $dcom.AuthenticationLevel
    Write-Host "Users: " $lsd.dacl.trustee.name


    So what I can determine is "Authentication Level" of blank = the "default" value. If I change the Authentication to an alternate value it does provide a value.

    However, the big concern is launch permissions. If I add a user and give it any single permission it now shows up as a user. If I remove all permissions it then removes the user from the DCOM object. What I can't figure out is how to determine what permissions are assigned to each user.

    So for example how would I determine that Administrators in this example is set to Local launch/activation but not remote?

  • #55724
    Don Jones
    Keymaster

    Given that DCOM is pretty ancient at this point, you're pretty much limited to what Microsoft has already provided in terms of automation – which ain't much. I'm not sure I'm seeing a way to do what you're asking – partially because that WMI object doesn't recurse through inherited privileges like Administrators would have.

    • #55733
      Gorstag
      Participant

      First, thanks for the response.

      Basically, I am attempting to make a set of scripts that checks permissions for all files/registry keys/dcom etc for an entire installed product. I am leveraging accesschk.exe (from sysinternals) to pull the effective permissions of the registry and filesystem locations and got stuck trying to figure out how to pull DCOM permissions in an automated way.

      Do you know of another alternate way that I could script obtaining the users/permissions from a DCOM object? (If you don't know off the top of your head.. I am going to google/bing it too 🙂)
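
Added example (not part of the original thread): each entry in the launch descriptor's DACL is a Win32_ACE whose AccessMask carries the COM_RIGHTS_* bits, so local versus remote launch/activation can be decoded per trustee. It assumes the application has an explicit launch permission set; the function name ConvertFrom-ComAccessMask and the $ComRights table are names made up for this example.

```powershell
# Added example: decode per-trustee launch/activation rights for one DCOM application.
# Bit values are the COM_RIGHTS_* constants from the Windows SDK.
$ComRights = [ordered]@{
    'Execute'          = 0x01   # COM_RIGHTS_EXECUTE
    'LocalLaunch'      = 0x02   # COM_RIGHTS_EXECUTE_LOCAL
    'RemoteLaunch'     = 0x04   # COM_RIGHTS_EXECUTE_REMOTE
    'LocalActivation'  = 0x08   # COM_RIGHTS_ACTIVATE_LOCAL
    'RemoteActivation' = 0x10   # COM_RIGHTS_ACTIVATE_REMOTE
}

# Hypothetical helper: turn an ACE access mask into a list of right names.
function ConvertFrom-ComAccessMask {
    param([uint32]$Mask)
    foreach ($right in $ComRights.GetEnumerator()) {
        if ($Mask -band $right.Value) { $right.Key }
    }
}

$ComName = 'PrintNotify'   # same application as in the first post
$dcom = Get-WmiObject Win32_DCOMApplicationSetting `
            -Filter "Description='$ComName'" -EnableAllPrivileges

$result = $dcom.GetLaunchSecurityDescriptor()
if ($result.ReturnValue -ne 0) {
    throw "GetLaunchSecurityDescriptor failed with code $($result.ReturnValue)"
}

# One output object per ACE: who, allow or deny, raw mask, decoded rights.
foreach ($ace in $result.Descriptor.DACL) {
    [pscustomobject]@{
        Trustee = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
        SID     = $ace.Trustee.SIDString
        Type    = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }   # 0 = allow, 1 = deny
        Mask    = '0x{0:X}' -f $ace.AccessMask
        Rights  = (ConvertFrom-ComAccessMask $ace.AccessMask) -join ', '
    }
}
```

An Allow entry for Administrators with LocalLaunch and LocalActivation but without RemoteLaunch or RemoteActivation is the "local but not remote" case asked about. The output lists the ACEs as stored on the application; it does not expand group membership into effective permissions.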
