Created
May 28, 2021 13:45
-
-
Save jfrmilner/84314d79bf2708abff15313ff5f5d1ee to your computer and use it in GitHub Desktop.
Add Security Principal on Default WinRM SDDL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| Add Security Principal on Default WinRM SDDL | |
| .EXAMPLE | |
| Change $user and run | |
| .NOTES | |
| Author: John Milner / jfrmilner | |
| Requires: Powershell V2 | |
| Filename: | |
| Version: v0.1 - 2021-02 - Test Version | |
| #> | |
| $user = "jdoe@jfrmilner.local" | |
| #Adding the below script should replace "winrm configSDDL default" | |
| $GENERIC_READ = 0x80000000 | |
| $GENERIC_WRITE = 0x40000000 | |
| $GENERIC_EXECUTE = 0x20000000 | |
| $GENERIC_ALL = 0x10000000 | |
| # get SID of user/group to add | |
| $user_sid = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $user).Translate([System.Security.Principal.SecurityIdentifier]) | |
| # get the existing SDDL of the WinRM listener | |
| $sddl = (Get-Item -Path WSMan:\localhost\Service\RootSDDL).Value | |
| # convert the SDDL string to a SecurityDescriptor object | |
| $sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $false, $false, $sddl | |
| # apply a new DACL to the SecurityDescriptor object | |
| $sd.DiscretionaryAcl.AddAccess( | |
| [System.Security.AccessControl.AccessControlType]::Allow, | |
| $user_sid, | |
| ($GENERIC_READ -bor $GENERIC_EXECUTE), | |
| [System.Security.AccessControl.InheritanceFlags]::None, | |
| [System.Security.AccessControl.PropagationFlags]::None | |
| ) | |
| # get the SDDL string from the changed SecurityDescriptor object | |
| $new_sddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All) | |
| # apply the new SDDL to the WinRM listener | |
| Set-Item -Path WSMan:\localhost\Service\RootSDDL -Value $new_sddl -Force | |
| #Winrm configsddl default | |
| Restart-Service WinRM | |
| Restart-Service Winmgmt -Force | |
You are right, it runs on Windows 10, looks like it's related to Windows Serv 2019.
Fixed! The $sd object was empty due to stupid mistake in the user and thus $sid info.
Fixed! The $sd object was empty due to stupid mistake in the user and thus $sid info.
Glad you're sorted, thanks for letting me know!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Looks ok:
The full error is this:
Windows:
PS: