Question [DCOM]

Salut,
pour la recherche cela dépend des mots clés utilisés.
Avec 'Powershell DCOMCNFG' on trouve par exemple ceci .
Avec 'C# DCOMCNFG' on trouve un peu de tout:
docs.microsoft.com/fr-fr/windows/desktop...aultaccesspermission


docs.microsoft.com/en-us/windows/desktop...omapplicationsetting


github.com/pauldotknopf/WindowsSDK7-Samp...entals/dcom/dcomperm


On peut donc tenter 'github dcomcnfg'

Ce qui donne une première piste, faut juste passer un peu de temps à analyser le code

Je n'ai jamais tavaillé sur ce sujet, mais c'est la première approche qui me vient à l'esprit.

Bonjour Razan,

Tout d'abord sois le bienvenu dans le forum, et merci à ton collègue de nous avoir recommandé

Je n'ai jamais essayé de faire ce que tu veux faire mais je veux bien creuser un peu le sujet (c'est ma curiosité naturelle).

... je me retrouve finalement à devoir, dans mon script, donner des droits pour \"Security COM\" via DCOMCNFG pour CIMV2 de WMI.

Comment est-ce que tu fais ça dans la console DCOMCNFG ?
Es-tu sûr que ce ne serait pas plutôt la console wmimgmt.msc ?

Sinon, voici un petit lien intéressant : Securing WMI Namespaces

Arnaud<br><br>Message édité par: Arnaud, à: 6/09/18 16:18

J'ai trouvé ce script qui a l'air de tout à fait répondre à ton besoin :

Source : Set WMI Namespace Security on a system

En plus il a été mis à jour il y a quelques jours, je pense que tu es verni

[code:1]
&lt;#
Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service.
The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims
all implied warranties including, without limitation, any implied warranties of merchantability
or of fitness for a particular purpose. The entire risk arising out of the use or performance
of the sample scripts and documentation remains with you. In no event shall Microsoft, its
authors, or anyone else involved in the creation, production, or delivery of the scripts be
liable for any damages whatsoever (including, without limitation, damages for loss of business
profits, business interruption, loss of business information, or other pecuniary loss) arising
out of the use of or inability to use the sample scripts or documentation, even if Microsoft
has been advised of the possibility of such damages.
#&gt;


&lt;#
.Synopsis
A Script for modifying the current security descriptor of a WMI namespace.
.DESCRIPTION
A Script for modifying the current security descriptor of a WMI namespace.
.EXAMPLE
Set-WMINamespaceSecurity.ps1 -namespace root/cimv2 -account \&quot;contoso\AD - Remote WMI Access\&quot; -operation Add -permissions Enable
.EXAMPLE
Set-WmiNamespaceSecurity.ps1 root/cimv2 add steve Enable,RemoteAccess
.NOTES
Blog links:

blogs.msdn.microsoft.com/wmi/2009/07/20/...ecurity-part-1-of-3/
blogs.msdn.microsoft.com/wmi/2009/07/23/...ecurity-part-2-of-3/
blogs.msdn.microsoft.com/wmi/2009/07/27/...ecurity-part-3-of-3/

Modified by Graeme Bray
Original Content by Steve Lee
Uploaded to Gallery with permission
#&gt;
Param ( [parameter(Mandatory=$true,Position=0)][string] $namespace,
[parameter(Mandatory=$true,Position=1)][string] $operation,
[parameter(Mandatory=$true,Position=2)][string] $account,
[parameter(Position=3)][string[]] $permissions = $null,
[bool] $allowInherit = $false,
[bool] $deny = $false,
[string] $computerName = \&quot;.\&quot;,
[System.Management.Automation.PSCredential] $credential = $null)

Process {
$ErrorActionPreference = \&quot;Stop\&quot;

Function Get-AccessMaskFromPermission($permissions) {
$WBEM_ENABLE = 1
$WBEM_METHOD_EXECUTE = 2
$WBEM_FULL_WRITE_REP = 4
$WBEM_PARTIAL_WRITE_REP = 8
$WBEM_WRITE_PROVIDER = 0x10
$WBEM_REMOTE_ACCESS = 0x20
$WBEM_RIGHT_SUBSCRIBE = 0x40
$WBEM_RIGHT_PUBLISH = 0x80
$READ_CONTROL = 0x20000
$WRITE_DAC = 0x40000

$WBEM_RIGHTS_FLAGS = $WBEM_ENABLE,$WBEM_METHOD_EXECUTE,$WBEM_FULL_WRITE_REP,`
$WBEM_PARTIAL_WRITE_REP,$WBEM_WRITE_PROVIDER,$WBEM_REMOTE_ACCESS,`
$READ_CONTROL,$WRITE_DAC
$WBEM_RIGHTS_STRINGS = \&quot;Enable\&quot;,\&quot;MethodExecute\&quot;,\&quot;FullWrite\&quot;,\&quot;PartialWrite\&quot;,`
\&quot;ProviderWrite\&quot;,\&quot;RemoteAccess\&quot;,\&quot;ReadSecurity\&quot;,\&quot;WriteSecurity\&quot;

$permissionTable = @{}

for ($i = 0; $i -lt $WBEM_RIGHTS_FLAGS.Length; $i++) {
$permissionTable.Add($WBEM_RIGHTS_STRINGS[$i].ToLower(), $WBEM_RIGHTS_FLAGS[$i])
}

$accessMask = 0

foreach ($permission in $permissions) {
if (-not $permissionTable.ContainsKey($permission.ToLower())) {
throw \&quot;Unknown permission: $permission`nValid permissions: $($permissionTable.Keys)\&quot;
}
$accessMask += $permissionTable[$permission.ToLower()]
}

$accessMask
}

if ($PSBoundParameters.ContainsKey(\&quot;Credential\&quot;«»)) {
$remoteparams = @{ComputerName=$computer;Credential=$credential}
} else {
$remoteparams = @{ComputerName=$computerName}
}

$invokeparams = @{Namespace=$namespace;Path=\&quot;__systemsecurity=@\&quot;} + $remoteParams

$output = Invoke-WmiMethod @invokeparams -Name GetSecurityDescriptor
if ($output.ReturnValue -ne 0) {
throw \&quot;GetSecurityDescriptor failed: $($output.ReturnValue)\&quot;
}

$acl = $output.Descriptor
$OBJECT_INHERIT_ACE_FLAG = 0x1
$CONTAINER_INHERIT_ACE_FLAG = 0x2

$computerName = (Get-WmiObject @remoteparams Win32_ComputerSystem).Name

if ($account.Contains('\')) {
$domainaccount = $account.Split('\')
$domain = $domainaccount[0]
if (($domain -eq \&quot;.\&quot;«») -or ($domain -eq \&quot;BUILTIN\&quot;«»)) {
$domain = $computerName
}
$accountname = $domainaccount[1]
} elseif ($account.Contains('@')) {
$domainaccount = $account.Split('@')
$domain = $domainaccount[1].Split('.')[0]
$accountname = $domainaccount[0]
} else {
$domain = $computerName
$accountname = $account
}

$getparams = @{Class=\&quot;Win32_Account\&quot;;Filter=\&quot;Domain='$domain' and Name='$accountname'\&quot;}

$win32account = Get-WmiObject @getparams

if ($win32account -eq $null) {
throw \&quot;Account was not found: $account\&quot;
}

switch ($operation) {
\&quot;add\&quot; {
if ($permissions -eq $null) {
throw \&quot;-Permissions must be specified for an add operation\&quot;
}
$accessMask = Get-AccessMaskFromPermission($permissions)

$ace = (New-Object System.Management.ManagementClass(\&quot;win32_Ace\&quot;«»)).CreateInstance()
$ace.AccessMask = $accessMask
if ($allowInherit) {
$ace.AceFlags = $OBJECT_INHERIT_ACE_FLAG + $CONTAINER_INHERIT_ACE_FLAG
} else {
$ace.AceFlags = 0
}

$trustee = (New-Object System.Management.ManagementClass(\&quot;win32_Trustee\&quot;«»)).CreateInstance()
$trustee.SidString = $win32account.Sid
$ace.Trustee = $trustee

$ACCESS_ALLOWED_ACE_TYPE = 0x0
$ACCESS_DENIED_ACE_TYPE = 0x1

if ($deny) {
$ace.AceType = $ACCESS_DENIED_ACE_TYPE
} else {
$ace.AceType = $ACCESS_ALLOWED_ACE_TYPE
}

$acl.DACL += $ace.psobject.immediateBaseObject
}

\&quot;delete\&quot; {
if ($permissions -ne $null) {
throw \&quot;Permissions cannot be specified for a delete operation\&quot;
}

[System.Management.ManagementBaseObject[]]$newDACL = @()
foreach ($ace in $acl.DACL) {
if ($ace.Trustee.SidString -ne $win32account.Sid) {
$newDACL += $ace.psobject.immediateBaseObject
}
}

$acl.DACL = $newDACL.psobject.immediateBaseObject
}

default {
throw \&quot;Unknown operation: $operation`nAllowed operations: add delete\&quot;
}
}

$setparams = @{Name=\&quot;SetSecurityDescriptor\&quot;;ArgumentList=$acl.psobject.immediateBaseObject} + $invokeParams

$output = Invoke-WmiMethod @setparams
if ($output.ReturnValue -ne 0) {
throw \&quot;SetSecurityDescriptor failed: $($output.ReturnValue)\&quot;
}
}
[/code:1]