Created May 28, 2021 13:45
Add Security Principal on Default WinRM SDDL
<#
.SYNOPSIS
Add Security Principal on Default WinRM SDDL
.EXAMPLE
Change $user and run
.NOTES
Author: John Milner / jfrmilner
Requires: Powershell V2
Filename:
Version: v0.1 - 2021-02 - Test Version
#>
$user = "jdoe@jfrmilner.local"
# Stop at the first error. Without this, a principal that cannot be resolved makes
# Translate() throw, the script carries on with $user_sid empty, and AddAccess then
# fails with the misleading 'Cannot find an overload for "AddAccess" and the argument count: "5"'.
$ErrorActionPreference = 'Stop'
# Running this script is the scripted equivalent of the interactive "winrm configSDDL default" dialog
# Generic access rights. PowerShell parses 32-bit hex literals as signed Int32
# (0x80000000 becomes -2147483648), which is the int accessMask that AddAccess expects.
$GENERIC_READ = 0x80000000
$GENERIC_WRITE = 0x40000000
$GENERIC_EXECUTE = 0x20000000
$GENERIC_ALL = 0x10000000
# get SID of user/group to add (throws IdentityNotMappedException if the name is wrong)
$user_sid = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $user).Translate([System.Security.Principal.SecurityIdentifier])
# get the existing SDDL of the WinRM service root (RootSDDL, not a listener)
$sddl = (Get-Item -Path WSMan:\localhost\Service\RootSDDL).Value
# convert the SDDL string to a SecurityDescriptor object (not a container, not a directory object)
$sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $false, $false, $sddl
# add an Allow ACE for the principal to the existing DACL; GENERIC_READ and GENERIC_EXECUTE
# correspond to the Read and Execute boxes of the winrm configSDDL dialog
$sd.DiscretionaryAcl.AddAccess(
    [System.Security.AccessControl.AccessControlType]::Allow,
    $user_sid,
    ($GENERIC_READ -bor $GENERIC_EXECUTE),
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None
)
# get the SDDL string from the changed SecurityDescriptor object
$new_sddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
# apply the new SDDL to the WinRM service root (the value "winrm configSDDL default" writes)
Set-Item -Path WSMan:\localhost\Service\RootSDDL -Value $new_sddl -Force
Restart-Service WinRM
# -Force also restarts every service that depends on WMI
Restart-Service Winmgmt -Force
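An added example (editor's code, not part of the gist or its comment thread) that wraps the checks a practitioner would want around the script above: it resolves the principal with a clear error instead of the confusing AddAccess overload error discussed in the comments, lists every ACE in the RootSDDL DACL with the generic rights decoded, tests whether a given principal holds the Allow GR|GX entry the gist adds, and removes that entry again to roll the change back. It assumes an elevated PowerShell 5.1 or later on the WinRM host; the function names are the editor's own, and jdoe@jfrmilner.local is the placeholder account taken from the gist.

```powershell
# Added example (editor's code, not from the gist). Audit, verify and roll back the
# RootSDDL change made by the gist. Run elevated on the WinRM host.

# Generic rights as used by the gist. PowerShell parses 32-bit hex literals as signed
# Int32 (0x80000000 -> -2147483648), which is the int that AddAccess/RemoveAccess take.
$GenericRights = [ordered]@{
    GENERIC_READ    = 0x80000000
    GENERIC_WRITE   = 0x40000000
    GENERIC_EXECUTE = 0x20000000
    GENERIC_ALL     = 0x10000000
}

function Get-WinRMRootSecurityDescriptor {
    # RootSDDL parsed into a CommonSecurityDescriptor so the DACL can be inspected and edited
    $sddl = (Get-Item -Path WSMan:\localhost\Service\RootSDDL).Value
    New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $false, $false, $sddl
}

function Resolve-PrincipalSid {
    param([Parameter(Mandatory)][string]$Identity)
    # A mistyped account name is what produced the "Cannot find an overload for AddAccess ...
    # argument count: 5" report in the comments: Translate() threw, the script carried on,
    # and AddAccess was called with a $null SID. Fail here with a message that names the cause.
    try {
        (New-Object System.Security.Principal.NTAccount($Identity)).Translate([System.Security.Principal.SecurityIdentifier])
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        throw "Cannot resolve '$Identity' to a SID; check the user or group name."
    }
}

function ConvertTo-RightsName {
    param([int]$AccessMask)
    # Decode the generic bits of an access mask into their names; unknown masks are shown in hex
    $names = foreach ($entry in $GenericRights.GetEnumerator()) {
        if ($AccessMask -band $entry.Value) { $entry.Key }
    }
    if (-not $names) { '0x{0:X8}' -f $AccessMask } else { $names -join '|' }
}

function Get-WinRMRootAccess {
    # One object per ACE in the RootSDDL DACL, with the SID translated to a name where possible
    $sd = Get-WinRMRootSecurityDescriptor
    foreach ($ace in $sd.DiscretionaryAcl) {
        try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.SecurityIdentifier.Value }
        [pscustomobject]@{
            Type      = $ace.AceType
            Principal = $name
            Sid       = $ace.SecurityIdentifier.Value
            Rights    = ConvertTo-RightsName -AccessMask $ace.AccessMask
        }
    }
}

function Test-WinRMRootAccess {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [int]$RequiredMask = ($GenericRights.GENERIC_READ -bor $GenericRights.GENERIC_EXECUTE)
    )
    # True when an Allow ACE for the principal carries every bit of $RequiredMask (GR|GX by default)
    $sid = Resolve-PrincipalSid -Identity $Identity
    $sd  = Get-WinRMRootSecurityDescriptor
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier -eq $sid -and
            (($ace.AccessMask -band $RequiredMask) -eq $RequiredMask)) { return $true }
    }
    return $false
}

function Remove-WinRMRootAccess {
    param([Parameter(Mandatory)][string]$Identity)
    # Roll back the gist's change: drop the Allow GR|GX ACE and write the SDDL back.
    # Returns $true when an ACE was actually removed.
    $sid  = Resolve-PrincipalSid -Identity $Identity
    $sd   = Get-WinRMRootSecurityDescriptor
    $mask = $GenericRights.GENERIC_READ -bor $GenericRights.GENERIC_EXECUTE
    $removed = $sd.DiscretionaryAcl.RemoveAccess(
        [System.Security.AccessControl.AccessControlType]::Allow, $sid, $mask,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None)
    if ($removed) {
        $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
        Set-Item -Path WSMan:\localhost\Service\RootSDDL -Value $newSddl -Force
        Restart-Service WinRM
    }
    return $removed
}

# Usage (placeholder account from the gist):
Get-WinRMRootAccess | Format-Table -AutoSize
Test-WinRMRootAccess -Identity 'jdoe@jfrmilner.local'
# Remove-WinRMRootAccess -Identity 'jdoe@jfrmilner.local'   # uncomment to roll the change back
```

RootSDDL controls access to the WinRM service root, which is what winrs, Get-WSManInstance and similar WS-Management calls go through. A PowerShell remoting endpoint such as Microsoft.PowerShell carries its own SDDL (shown by Get-PSSessionConfiguration and changed with Set-PSSessionConfiguration -SecurityDescriptorSddl), so a principal that is not an administrator or a member of Remote Management Users still needs an entry there before New-PSSession to that host will succeed.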
Hi,
Trying out your script, but I get the following error:
Cannot find an overload for "AddAccess" and the argument count: "5"
Tried with PowerShell 5 and 7, same issue.
Checked the documentation of the AddAccess function and it exists with 5 arguments, so not sure what is wrong.
Any help appreciated.
Thanks

I've just tested the script on Windows 10 and Server 2016, both with PowerShell 5.1, and it worked as expected. Do you see the expected overloads if you run $sd.DiscretionaryAcl.AddAccess ?

Looks ok:
PS C:\Users\Administrator> $sddl = (Get-Item -Path WSMan:\localhost\Service\RootSDDL).Value
PS C:\Users\Administrator> $sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $false, $false, $sddl
PS C:\Users\Administrator> $sd.GetType()

IsPublic IsSerial Name                     BaseType
-------- -------- ----                     --------
True     False    CommonSecurityDescriptor System.Security.AccessControl.GenericSecurityDescriptor

PS C:\Users\Administrator> $sd.DiscretionaryAcl.AddAccess

OverloadDefinitions
-------------------
void AddAccess(System.Security.AccessControl.AccessControlType accessType, System.Security.Principal.SecurityIdentifier sid, int accessMask, System.Security.AccessControl.InheritanceFlags inheritanceFlags, System.Security.AccessControl.PropagationFlags propagationFlags)
void AddAccess(System.Security.AccessControl.AccessControlType accessType, System.Security.Principal.SecurityIdentifier sid, System.Security.AccessControl.ObjectAccessRule rule)
void AddAccess(System.Security.AccessControl.AccessControlType accessType, System.Security.Principal.SecurityIdentifier sid, int accessMask, System.Security.AccessControl.InheritanceFlags inheritanceFlags, System.Security.AccessControl.PropagationFlags propagationFlags, System.Security.AccessControl.ObjectAceFlags objectFlags, guid objectType, guid inheritedObjectType)

The full error is this:
Cannot find an overload for "AddAccess" and the argument count: "5".
At C:\Users\Administrator\Downloads\AddSecurityPrincipalonDefaultWinRMSDDL.ps1:39 char:1
+ $sddacl.AddAccess(
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodCountCouldNotFindBest

Windows:
PS C:\Users\Administrator> Get-ComputerInfo | Select WindowsProductName, WindowsVersion

WindowsProductName                      WindowsVersion
------------------                      --------------
Windows Server 2019 Standard Evaluation 1809

PS:
PS C:\Users\Administrator\Downloads> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.19041.2364
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.2364
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

You are right, it runs on Windows 10; looks like it's related to Windows Server 2019.

Fixed! The $sd object was empty due to a stupid mistake in the user and thus the $sid info.

Glad you're sorted, thanks for letting me know!