Author Posts

October 20, 2016 at 11:15 pm

Here is an example of what I have been doing.

$ComName = 'PrintNotify'
$dcom = Get-WMIObject Win32_DCOMApplicationSetting `
            -Filter "Description='$ComName'" -EnableAllPrivileges
$asd = $dcom.GetAccessSecurityDescriptor().Descriptor
$csd = $dcom.GetConfigurationSecurityDescriptor().Descriptor
$lsd = $dcom.GetLaunchSecurityDescriptor().Descriptor

write-host "Local Service: " $dcom.LocalService
write-host "Application ID: " $dcom.AppID
write-host "Authentication Level: " $dcom.AuthenticationLevel
write-host "Users: " $

So what I can determine is "Authentication Level" of blank = the "default" value. If I change the Authentication to an alternate value it does provide a value.

However, the big concern is launch permissions. If I add a user and give it any single permission it now shows up as a user. If I remove all permissions it then removes the user from the DCOM object. What I can't figure out is how to determine what permissions are assigned to each user.

So for example how would I determine that Administrators in this example is set to Local launch/activation but not remote?

October 21, 2016 at 4:21 pm

Given that DCOM is pretty ancient at this point, you're pretty much limited to what Microsoft has already provided in terms of automation – which ain't much. I'm not sure I'm seeing a way to do what you're asking – partially because that WMI object doesn't recurse through inherited privileges like Administrators would have.

October 21, 2016 at 5:22 pm

First, thanks for the response.

Basically, I am attempting to make a set of scripts that checks permissions for all files/registry keys/dcom etc for an entire installed product. I am leveraging accesschk.exe (from sysinternals) to pull the effective permissions of the registry and filesystem locations and got stuck trying to figure out how to pull DCOM permissions in an automated way.

Do you know of another alternate way that I could script obtaining the users/permissions from a DCOM object? (If you don't know of the top of your head.. I am going to google/bing it too 🙂