Breaking my head over this, I'm trying to set a permission value in the Win32_TSAccount WMI space. This works as expected, however to get it to remove the same permission again or deny it doesn't work. I've tried every Boolean value type I could think of but none seem to work. Btw, the reason I do this is because in Windows 2012 R2 and Windows 2016 you don't get a GUI anymore to set the permissions. The permissions I'm trying to set are Shadowing permissions. This part works, just removing or denying it again doesn't. Here is my code:

Code:

    $strComputer = "."
    $objWMIService = GetObject("winmgmts:\\" + $strComputer + "\root\CIMV2\TerminalServices")
    ; Entry for SID S-1-5-32-555 on the RDP-Tcp listener
    $colItems = $objWMIService.ExecQuery("Select * from Win32_TSAccount where SID='S-1-5-32-555' and TerminalName='RDP-Tcp'",,48)
    @SERROR ?
    For Each $objItem in $colItems
        "AccountName: " + $objItem.AccountName ?
        "AuditFail: " + $objItem.AuditFail ?
        "AuditSuccess: " + $objItem.AuditSuccess ?
        "Caption: " + $objItem.Caption ?
        "Description: " + $objItem.Description ?
        "InstallDate: " + $objItem.InstallDate ?
        "Name: " + $objItem.Name ?
        "PermissionsAllowed: " + $objItem.PermissionsAllowed+" (&"+DecToHex($objItem.PermissionsAllowed)+")" ?
        ; Decode the PermissionsAllowed bitmask, one right per line
        If ($objItem.PermissionsAllowed & 1) = 1 "-WINSTATION_QUERY" ? EndIf
        If ($objItem.PermissionsAllowed & 2) = 2 "-WINSTATION_SET" ? EndIf
        If ($objItem.PermissionsAllowed & 4) = 4 "-WINSTATION_LOGOFF" ? EndIf
        If ($objItem.PermissionsAllowed & 16) = 16 "-WINSTATION_SHADOW" ? EndIf
        If ($objItem.PermissionsAllowed & 32) = 32 "-WINSTATION_LOGON" ? EndIf
        If ($objItem.PermissionsAllowed & 64) = 64 "-WINSTATION_RESET" ? EndIf
        If ($objItem.PermissionsAllowed & 128) = 128 "-WINSTATION_MSG" ? EndIf
        If ($objItem.PermissionsAllowed & 256) = 256 "-WINSTATION_CONNECT" ? EndIf
        If ($objItem.PermissionsAllowed & 512) = 512 "-WINSTATION_DISCONNECT " ? EndIf
        If ($objItem.PermissionsAllowed & 983048) = 983048 "-WINSTATION_VIRTUAL" ? EndIf
        "PermissionsDenied: " + $objItem.PermissionsDenied ?
        "SID: " + $objItem.SID ?
        "Status: " + $objItem.Status ?
        "TerminalName: " + $objItem.TerminalName ?
        ; Uncomment the next three lines to add the shadow permission
        ;"Adding Shadow Permission" ?
        ;$objItem.ModifyPermissions(4,1)
        ;? @SERROR ?
    Next

Documentation

I had no issue with this working - Win-10, latest updates. First run was with code uncommented, second run the set code was commented. I ran this from an elevated command prompt as a local admin.

Code:

    (IHWD021) - C:\Temp>a
    The operation completed successfully.
    AccountName: BUILTIN\Remote Desktop Users
    AuditFail: 0
    AuditSuccess: 0
    Caption:
    Description:
    InstallDate:
    Name:
    PermissionsAllowed: 289 (&121)
    -WINSTATION_QUERY
    -WINSTATION_LOGON
    -WINSTATION_CONNECT
    PermissionsDenied: 0
    SID: S-1-5-32-555
    Status:
    TerminalName: RDP-Tcp
    Adding Shadow Permission
    0
    The operation completed successfully.

    (IHWD021) - C:\Temp>a
    The operation completed successfully.
    AccountName: BUILTIN\Remote Desktop Users
    AuditFail: 0
    AuditSuccess: 0
    Caption:
    Description:
    InstallDate:
    Name:
    PermissionsAllowed: 305 (&131)
    -WINSTATION_QUERY
    -WINSTATION_SHADOW
    -WINSTATION_LOGON
    -WINSTATION_CONNECT
    PermissionsDenied: 0
    SID: S-1-5-32-555
    Status:
    TerminalName: RDP-Tcp

Also - while probably not an issue, I use this construct extensively in several of my UDFs.

Glenn

I don't know what you are talking about Glenn? I AM using & instead of AND. Furthermore, as I explained in the first post, getting to ADD permissions is not a problem. Revoking or Denying the permission is a problem.

Sorry about that - you're right about "&" vs "And" - I was confusing two different messages, one in email from a programming class, the other yours, and I combined my thoughts here. What I meant to reply here was simply that "&" forces all other bits to zero so you don't have to perform an equality check. I updated that post, striking the confusing part.

I recall a post a few years back where a similar issue occurred. The false value actually had to be null despite being called a Boolean. Since Kix doesn't manipulate Nulls, I think the solution involved a VB call. I'll see if I can find that. It was an obscure process and I didn't think I'd ever need it, so I don't have it in my bag of tricks.

Glenn

For what it's worth, running similar code to set this to false in VBS returns error 0x80041010 - Invalid Class - on my workstation.
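
A read-only audit of the same data, as an added PowerShell example that is not part of any post in this thread: it decodes the `PermissionsAllowed` and `PermissionsDenied` masks for every account on a listener and reports who holds WINSTATION_SHADOW. The function names are hypothetical, the mask values are the ones from the first post's script, and it assumes `PermissionsDenied` uses the same bit layout and that it runs elevated, as in the second post.

```powershell
# Added example (not from the thread): read-only audit of WinStation rights.
# Mask values are the ones tested in the first post's script.
$WinStationRights = [ordered]@{
    WINSTATION_QUERY      = 1
    WINSTATION_SET        = 2
    WINSTATION_LOGOFF     = 4
    WINSTATION_SHADOW     = 16
    WINSTATION_LOGON      = 32
    WINSTATION_RESET      = 64
    WINSTATION_MSG        = 128
    WINSTATION_CONNECT    = 256
    WINSTATION_DISCONNECT = 512
    WINSTATION_VIRTUAL    = 983048   # multi-bit mask
}

function ConvertFrom-TSPermissionMask {   # hypothetical helper name
    param([uint32]$Mask)
    foreach ($right in $WinStationRights.GetEnumerator()) {
        # Compare against the full mask so a multi-bit value such as
        # WINSTATION_VIRTUAL only matches when all of its bits are set.
        if (($Mask -band $right.Value) -eq $right.Value) { $right.Key }
    }
}

function Get-TSShadowAudit {              # hypothetical helper name
    param([string]$TerminalName = 'RDP-Tcp')
    try {
        $accounts = Get-CimInstance -Namespace 'root\CIMV2\TerminalServices' `
            -ClassName Win32_TSAccount -Filter "TerminalName='$TerminalName'" -ErrorAction Stop
    } catch {
        # For example an invalid-class error when the class is not available on this host.
        Write-Warning "Win32_TSAccount query failed: $($_.Exception.Message)"
        return
    }
    foreach ($a in $accounts) {
        [pscustomobject]@{
            AccountName   = $a.AccountName
            SID           = $a.SID
            Allowed       = (ConvertFrom-TSPermissionMask $a.PermissionsAllowed) -join ','
            Denied        = (ConvertFrom-TSPermissionMask $a.PermissionsDenied) -join ','
            ShadowAllowed = [bool]($a.PermissionsAllowed -band 16)
            ShadowDenied  = [bool]($a.PermissionsDenied -band 16)
        }
    }
}

# The two PermissionsAllowed values shown in the second post's output.
ConvertFrom-TSPermissionMask 289
ConvertFrom-TSPermissionMask 305
Get-TSShadowAudit | Where-Object ShadowAllowed | Format-Table -AutoSize
```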