Gist: jfrmilner/84314d79bf2708abff15313ff5f5d1ee
Add Security Principal on Default WinRM SDDL
<#
.SYNOPSIS
Add Security Principal on Default WinRM SDDL
.EXAMPLE
Change $user and run
.NOTES
Author: John Milner / jfrmilner
Requires: PowerShell v2 or later, run from an elevated session (the WSMan: drive needs administrator rights)
Filename:
Version: v0.1 - 2021-02 - Test Version
#>
$user = "jdoe@jfrmilner.local"
# Scripted alternative to the interactive "winrm configSDDL default" dialog: appends an
# Allow ACE for $user to the WinRM service's RootSDDL instead of editing it by hand.
# Stop on the first error so a failed SID lookup cannot fall through to AddAccess with a null SID.
$ErrorActionPreference = 'Stop'
$GENERIC_READ = 0x80000000      # PowerShell parses this as a negative Int32, which matches the Int32 accessMask parameter below
$GENERIC_WRITE = 0x40000000     # not used below, listed for reference
$GENERIC_EXECUTE = 0x20000000
$GENERIC_ALL = 0x10000000       # not used below, listed for reference
# get SID of user/group to add (Translate() throws if the account cannot be resolved)
$user_sid = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $user).Translate([System.Security.Principal.SecurityIdentifier])
# get the existing SDDL of the WinRM service root (the descriptor "winrm configSDDL default" edits)
$sddl = (Get-Item -Path WSMan:\localhost\Service\RootSDDL).Value
# convert the SDDL string to a SecurityDescriptor object (not a container, not a DS object)
$sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $false, $false, $sddl
# append an Allow ACE granting read + execute to the DACL of the SecurityDescriptor object
$sd.DiscretionaryAcl.AddAccess(
[System.Security.AccessControl.AccessControlType]::Allow,
$user_sid,
($GENERIC_READ -bor $GENERIC_EXECUTE),
[System.Security.AccessControl.InheritanceFlags]::None,
[System.Security.AccessControl.PropagationFlags]::None
)
# get the SDDL string from the changed SecurityDescriptor object
$new_sddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
# apply the new SDDL to the WinRM service root
Set-Item -Path WSMan:\localhost\Service\RootSDDL -Value $new_sddl -Force
# restart WinRM (and WMI, as in the original script) so the new descriptor is in effect
Restart-Service WinRM
Restart-Service Winmgmt -Force
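The gist appends an ACE blindly and gives no way to see what the RootSDDL already grants. The following is an added example, not part of the original gist: it decodes the current RootSDDL into readable ACEs (principal, type, mask), and wraps the same AddAccess flow in a function that resolves the account first, skips the change when an Allow ACE for that SID already covers the requested mask, and returns whether anything was written. It assumes PowerShell 5.1 on an elevated session on the target host; the function names and the account "jdoe@jfrmilner.local" are placeholders.

```powershell
# Added example, not from the original gist. Assumes PowerShell 5.1, run elevated on the
# host whose WinRM RootSDDL is being edited. Function names and the account are placeholders.
$GENERIC_READ    = 0x80000000   # parsed by PowerShell as a negative Int32, matching the Int32 accessMask parameter
$GENERIC_EXECUTE = 0x20000000

function Get-WinRMRootSddlAce {
    # Decode the DACL of the WinRM RootSDDL into readable objects.
    $sddl = (Get-Item -Path WSMan:\localhost\Service\RootSDDL).Value
    $sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $false, $false, $sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Fall back to the raw SID when the account cannot be resolved (e.g. a deleted user).
        $name = $ace.SecurityIdentifier.Value
        try { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        [pscustomobject]@{
            Principal = $name
            Sid       = $ace.SecurityIdentifier.Value
            AceType   = $ace.AceType
            Mask      = '0x{0:X8}' -f $ace.AccessMask
        }
    }
}

function Add-WinRMRootSddlAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Account,
        [int]$Mask = ($GENERIC_READ -bor $GENERIC_EXECUTE)
    )
    # Resolve the account up front; never reach AddAccess with a null SID.
    try {
        $sid = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Account).Translate(
            [System.Security.Principal.SecurityIdentifier])
    } catch {
        throw "Cannot resolve '$Account' to a SID: $($_.Exception.Message)"
    }
    $sddl = (Get-Item -Path WSMan:\localhost\Service\RootSDDL).Value
    $sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $false, $false, $sddl
    # Idempotency check: an existing Allow ACE for this SID that already includes every requested bit.
    $covered = $sd.DiscretionaryAcl | Where-Object {
        $_.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
        $_.SecurityIdentifier.Value -eq $sid.Value -and
        (($_.AccessMask -band $Mask) -eq $Mask)
    }
    if ($covered) {
        Write-Verbose ("{0} already holds 0x{1:X8} on RootSDDL; nothing to do." -f $Account, $Mask)
        return $false
    }
    $sd.DiscretionaryAcl.AddAccess(
        [System.Security.AccessControl.AccessControlType]::Allow,
        $sid,
        $Mask,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None)
    $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    Set-Item -Path WSMan:\localhost\Service\RootSDDL -Value $newSddl -Force
    Restart-Service WinRM
    return $true
}

# Usage (elevated):
Get-WinRMRootSddlAce | Format-Table -AutoSize                 # who can reach the WinRM service today
Add-WinRMRootSddlAccess -Account "jdoe@jfrmilner.local" -Verbose   # $true on first run, $false if re-run
Get-WinRMRootSddlAce | Format-Table -AutoSize                 # confirm the new ACE is present
# RootSDDL only gates the WinRM service; PowerShell remoting additionally checks the
# session configuration's own SDDL, so verify that too:
Get-PSSessionConfiguration | Select-Object Name, Permission
```

Two points worth keeping in mind when using this. First, an Allow ACE on RootSDDL is necessary but not sufficient for `Enter-PSSession`: the Microsoft.PowerShell session configuration carries its own security descriptor (`Set-PSSessionConfiguration -ShowSecurityDescriptorUI` edits it), which is why the usage ends with `Get-PSSessionConfiguration`. Second, on current Windows Server releases the default RootSDDL already grants the built-in Remote Management Users group, so adding the account to that group is a lower-maintenance alternative to a per-user ACE that has to be re-added if the descriptor is ever reset.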
d4vydm commented Jan 20, 2023

Looks ok:

PS C:\Users\Administrator> $sddl = (Get-Item -Path WSMan:\localhost\Service\RootSDDL).Value
PS C:\Users\Administrator> $sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $false, $false, $sddl
PS C:\Users\Administrator> $sd.GetType()

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     False    CommonSecurityDescriptor                 System.Security.AccessControl.GenericSecurityDescriptor

PS C:\Users\Administrator> $sd.DiscretionaryAcl.AddAccess

OverloadDefinitions
-------------------
void AddAccess(System.Security.AccessControl.AccessControlType accessType, System.Security.Principal.SecurityIdentifier sid, int accessMask, System.Security.AccessControl.InheritanceFlags inheritanceFlags, System.Security.AccessControl.PropagationFlags propagationFlags)
void AddAccess(System.Security.AccessControl.AccessControlType accessType, System.Security.Principal.SecurityIdentifier sid, System.Security.AccessControl.ObjectAccessRule rule)
void AddAccess(System.Security.AccessControl.AccessControlType accessType, System.Security.Principal.SecurityIdentifier sid, int accessMask, System.Security.AccessControl.InheritanceFlags inheritanceFlags, System.Security.AccessControl.PropagationFlags propagationFlags, System.Security.AccessControl.ObjectAceFlags objectFlags, guid objectType, guid inheritedObjectType)

The full error is this:

Cannot find an overload for "AddAccess" and the argument count: "5".
At C:\Users\Administrator\Downloads\AddSecurityPrincipalonDefaultWinRMSDDL.ps1:39 char:1
+ $sddacl.AddAccess(
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodCountCouldNotFindBest

Windows:

PS C:\Users\Administrator> Get-ComputerInfo | Select WindowsProductName, WindowsVersion

WindowsProductName                      WindowsVersion
------------------                      --------------
Windows Server 2019 Standard Evaluation 1809

PS:

PS C:\Users\Administrator\Downloads> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.19041.2364
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.2364
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

d4vydm commented Jan 20, 2023

You are right, it runs on Windows 10, looks like it's related to Windows Serv 2019.

d4vydm commented Jan 24, 2023

Fixed! The $sd object was empty due to stupid mistake in the user and thus $sid info.

jfrmilner (Author) commented:

> Fixed! The $sd object was empty due to stupid mistake in the user and thus $sid info.

Glad you're sorted, thanks for letting me know!
