Breaking my head over this, I'm trying to set a permission value in the Win32_TSAccount wmi space.
This works as expected, however to get it to remove the same permission again or deny is doesn't work.
I've tried every Boolean value type I could think of but none seem to work.
Btw, the reason I do this is because in Windows 2012 R2 and Windows 2016 you don't get a GUI anymore to set the permissions.
The permissions I'm trying to set are Shadowing permissions.
This part works, just removing or denying it again doesn't.
Here is my code:
 Code:
$strComputer = "."
$objWMIService = GetObject("winmgmts:\\" + $strComputer + "\root\CIMV2\TerminalServices")
$colItems = $objWMIService.ExecQuery("Select * from Win32_TSAccount where SID='S-1-5-32-555' and TerminalName='RDP-Tcp'",,48)
@SERROR ?
For Each $objItem in $colItems
  "AccountName: " + $objItem.AccountName ?
  "AuditFail: " + $objItem.AuditFail ?
  "AuditSuccess: " + $objItem.AuditSuccess ?
  "Caption: " + $objItem.Caption ?
  "Description: " + $objItem.Description ?
  "InstallDate: " + $objItem.InstallDate ?
  "Name: " + $objItem.Name ?
  "PermissionsAllowed: " + $objItem.PermissionsAllowed+" (&"+DecToHex($objItem.PermissionsAllowed)+")" ?

  If ($objItem.PermissionsAllowed & 1) = 1
    "-WINSTATION_QUERY" ?
  EndIf
  If ($objItem.PermissionsAllowed & 2) = 2
    "-WINSTATION_SET" ?
  EndIf
  If ($objItem.PermissionsAllowed & 4) = 4
    "-WINSTATION_LOGOFF" ?
  EndIf
  If ($objItem.PermissionsAllowed & 16) = 16
    "-WINSTATION_SHADOW" ?
  EndIf
  If ($objItem.PermissionsAllowed & 32) = 32
    "-WINSTATION_LOGON" ?
  EndIf
  If ($objItem.PermissionsAllowed & 64) = 64
    "-WINSTATION_RESET" ?
  EndIf
  If ($objItem.PermissionsAllowed & 128) = 128
    "-WINSTATION_MSG" + ?
  EndIf
  If ($objItem.PermissionsAllowed & 256) = 256
    "-WINSTATION_CONNECT" ?
  EndIf
  If ($objItem.PermissionsAllowed & 512) = 512
    "-WINSTATION_DISCONNECT " ?
  EndIf
  If ($objItem.PermissionsAllowed & 983048) = 983048
    "-WINSTATION_VIRTUAL" ?
  EndIf

  "PermissionsDenied: " + $objItem.PermissionsDenied ?
  "SID: " + $objItem.SID ?
  "Status: " + $objItem.Status ?
  "TerminalName: " + $objItem.TerminalName ?

;"Adding Shadow Permission" ?
;$objItem.ModifyPermissions(4,1)
;? @SERROR

  ?
Next


Documentation