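<#
    .SYNOPSIS
    DSC configuration for the WMI service on localhost:
      * grants a service account launch/activation rights and configuration
        (KEY_ALL_ACCESS) rights on the "Windows Management and Instrumentation"
        DCOM application,
      * sets the "Authenticated Users" ACE on the ROOT WMI namespace to
        AccessMask 19,
      * grants SeImpersonatePrivilege to NT AUTHORITY\SERVICE.

    .NOTES
    Each Script resource's Get/Test/SetScript is serialised into the MOF and
    runs on its own, with no access to variables or functions defined outside
    the scriptblock. That is why the account name, the lookup of the DCOM
    application and the SID-resolution helper are repeated per scriptblock.

    AccessMask values used here:
      31     (0x1F)    - COM_RIGHTS_EXECUTE | EXECUTE_LOCAL | EXECUTE_REMOTE |
                         ACTIVATE_LOCAL | ACTIVATE_REMOTE (full launch/activation)
      983103 (0xF003F) - KEY_ALL_ACCESS on the DCOM application's configuration
      19     (0x13)    - WBEM_ENABLE | WBEM_METHOD_EXECUTE | WBEM_WRITE_PROVIDER
                         on the WMI namespace

    Only access-allowed ACEs (AceType 0) are inspected or modified; a deny ACE
    that happens to carry the same mask must never make a TestScript pass.
#>
configuration wmiConfig {
    Import-DscResource -ModuleName 'PSDesiredStateConfiguration', 'cUserRightsAssignment'

    node localhost {

        # Launch-and-activation permissions for the service account on the
        # WMI DCOM application.
        script dcomWmiServiceLaunch {
            GetScript = {
                $app = Get-WmiObject -Class Win32_DCOMApplicationSetting |
                    Where-Object { $_.Description -eq 'Windows Management and Instrumentation' } |
                    Select-Object -First 1
                $summary = ''
                if ($app) {
                    if (-not $app.psbase.Scope.Options.EnablePrivileges) {
                        $app.psbase.Scope.Options.EnablePrivileges = $true
                    }
                    $dacl = @($app.GetLaunchSecurityDescriptor().Descriptor.DACL)
                    $summary = ($dacl | ForEach-Object {
                        '{0}\{1}:type={2}:mask={3}' -f $_.Trustee.Domain, $_.Trustee.Name, $_.AceType, $_.AccessMask
                    }) -join ';'
                }
                # DSC requires GetScript to return a hashtable with a Result key.
                return @{ Result = $summary }
            }

            TestScript = {
                # Must match the account used in SetScript, otherwise the
                # resource never converges (Test always false, Set runs every cycle).
                $userName = 'svcadmin'
                $expectedMask = 31

                $app = Get-WmiObject -Class Win32_DCOMApplicationSetting |
                    Where-Object { $_.Description -eq 'Windows Management and Instrumentation' } |
                    Select-Object -First 1
                if (-not $app) { return $false }
                if (-not $app.psbase.Scope.Options.EnablePrivileges) {
                    $app.psbase.Scope.Options.EnablePrivileges = $true
                }

                $shortName = $userName.Split('\')[-1]
                $dacl = @($app.GetLaunchSecurityDescriptor().Descriptor.DACL)
                $allowAces = @($dacl | Where-Object { $_.Trustee.Name -eq $shortName -and $_.AceType -eq 0 })
                return ($allowAces.Count -eq 1 -and $allowAces[0].AccessMask -eq $expectedMask)
            }

            SetScript = {
                $userName = 'svcadmin'
                $desiredMask = 31

                # Resolves either a SID string or an NT account name to both
                # forms. Returns an object with Name (DOMAIN\name) and SID.
                # Throws (IdentityNotMappedException) when the principal cannot be resolved.
                function Resolve-PrincipalToSID {
                    param (
                        [Parameter(Mandatory)]
                        [ValidateNotNullOrEmpty()]
                        [string]$Principal
                    )
                    if ($Principal -match '^S-\d-(\d+-){1,14}\d+$') {
                        $identity = [System.Security.Principal.SecurityIdentifier]$Principal
                    } else {
                        $identity = [System.Security.Principal.NTAccount]$Principal
                    }
                    $sid = $identity.Translate([System.Security.Principal.SecurityIdentifier])
                    $ntAccount = $sid.Translate([System.Security.Principal.NTAccount])
                    return [PSCustomObject]@{ Name = $ntAccount.Value; SID = $sid.Value }
                }

                $app = Get-WmiObject -Class Win32_DCOMApplicationSetting |
                    Where-Object { $_.Description -eq 'Windows Management and Instrumentation' } |
                    Select-Object -First 1
                if (-not $app) {
                    throw 'Win32_DCOMApplicationSetting "Windows Management and Instrumentation" was not found.'
                }
                if (-not $app.psbase.Scope.Options.EnablePrivileges) {
                    $app.psbase.Scope.Options.EnablePrivileges = $true
                }

                # Split the resolved DOMAIN\name rather than the raw input: for a
                # bare user name the raw split would make the name its own domain.
                $resolved = Resolve-PrincipalToSID -Principal $userName
                $nameParts = $resolved.Name.Split('\')
                $domainName = $nameParts[0]
                $shortName = $nameParts[-1]

                $descriptor = $app.GetLaunchSecurityDescriptor().Descriptor
                $dacl = @($descriptor.DACL)
                $existing = @($dacl | Where-Object { $_.Trustee.Name -eq $shortName -and $_.AceType -eq 0 })

                if ($existing.Count -gt 0) {
                    foreach ($ace in $existing) { $ace.AccessMask = $desiredMask }
                } else {
                    $trustee = ([WMIClass]'Win32_Trustee').CreateInstance()
                    $trustee.Domain = $domainName
                    $trustee.Name = $shortName
                    $trustee.SIDString = $resolved.SID

                    $aceRecord = ([WMIClass]'Win32_ACE').CreateInstance()
                    $aceRecord.Trustee = $trustee
                    $aceRecord.AccessMask = $desiredMask
                    $aceRecord.AceType = 0     # ACCESS_ALLOWED_ACE_TYPE
                    $aceRecord.AceFlags = 0
                    $dacl += $aceRecord
                }

                # Write the rebuilt DACL back as a whole, then check the WMI return code
                # instead of assuming the call succeeded.
                $descriptor.DACL = $dacl
                $result = $app.SetLaunchSecurityDescriptor($descriptor)
                if ($result.ReturnValue -ne 0) {
                    throw "SetLaunchSecurityDescriptor failed with return value $($result.ReturnValue)."
                }
            }
        }

        # Configuration (KEY_ALL_ACCESS) permissions for the service account
        # on the WMI DCOM application.
        script dcomWmiServiceConfiguration {
            GetScript = {
                $app = Get-WmiObject -Class Win32_DCOMApplicationSetting |
                    Where-Object { $_.Description -eq 'Windows Management and Instrumentation' } |
                    Select-Object -First 1
                $summary = ''
                if ($app) {
                    if (-not $app.psbase.Scope.Options.EnablePrivileges) {
                        $app.psbase.Scope.Options.EnablePrivileges = $true
                    }
                    $dacl = @($app.GetConfigurationSecurityDescriptor().Descriptor.DACL)
                    $summary = ($dacl | ForEach-Object {
                        '{0}\{1}:type={2}:mask={3}' -f $_.Trustee.Domain, $_.Trustee.Name, $_.AceType, $_.AccessMask
                    }) -join ';'
                }
                return @{ Result = $summary }
            }

            TestScript = {
                $userName = 'svcadmin'
                $expectedMask = 983103

                $app = Get-WmiObject -Class Win32_DCOMApplicationSetting |
                    Where-Object { $_.Description -eq 'Windows Management and Instrumentation' } |
                    Select-Object -First 1
                if (-not $app) { return $false }
                if (-not $app.psbase.Scope.Options.EnablePrivileges) {
                    $app.psbase.Scope.Options.EnablePrivileges = $true
                }

                $shortName = $userName.Split('\')[-1]
                $dacl = @($app.GetConfigurationSecurityDescriptor().Descriptor.DACL)
                $allowAces = @($dacl | Where-Object { $_.Trustee.Name -eq $shortName -and $_.AceType -eq 0 })
                return ($allowAces.Count -eq 1 -and $allowAces[0].AccessMask -eq $expectedMask)
            }

            SetScript = {
                $userName = 'svcadmin'
                $desiredMask = 983103

                # Same helper as in dcomWmiServiceLaunch; repeated because DSC
                # scriptblocks cannot share definitions.
                function Resolve-PrincipalToSID {
                    param (
                        [Parameter(Mandatory)]
                        [ValidateNotNullOrEmpty()]
                        [string]$Principal
                    )
                    if ($Principal -match '^S-\d-(\d+-){1,14}\d+$') {
                        $identity = [System.Security.Principal.SecurityIdentifier]$Principal
                    } else {
                        $identity = [System.Security.Principal.NTAccount]$Principal
                    }
                    $sid = $identity.Translate([System.Security.Principal.SecurityIdentifier])
                    $ntAccount = $sid.Translate([System.Security.Principal.NTAccount])
                    return [PSCustomObject]@{ Name = $ntAccount.Value; SID = $sid.Value }
                }

                $app = Get-WmiObject -Class Win32_DCOMApplicationSetting |
                    Where-Object { $_.Description -eq 'Windows Management and Instrumentation' } |
                    Select-Object -First 1
                if (-not $app) {
                    throw 'Win32_DCOMApplicationSetting "Windows Management and Instrumentation" was not found.'
                }
                if (-not $app.psbase.Scope.Options.EnablePrivileges) {
                    $app.psbase.Scope.Options.EnablePrivileges = $true
                }

                $resolved = Resolve-PrincipalToSID -Principal $userName
                $nameParts = $resolved.Name.Split('\')
                $domainName = $nameParts[0]
                $shortName = $nameParts[-1]

                $descriptor = $app.GetConfigurationSecurityDescriptor().Descriptor
                $dacl = @($descriptor.DACL)
                $existing = @($dacl | Where-Object { $_.Trustee.Name -eq $shortName -and $_.AceType -eq 0 })

                if ($existing.Count -gt 0) {
                    foreach ($ace in $existing) { $ace.AccessMask = $desiredMask }
                } else {
                    $trustee = ([WMIClass]'Win32_Trustee').CreateInstance()
                    $trustee.Domain = $domainName
                    $trustee.Name = $shortName
                    $trustee.SIDString = $resolved.SID

                    $aceRecord = ([WMIClass]'Win32_ACE').CreateInstance()
                    $aceRecord.Trustee = $trustee
                    $aceRecord.AccessMask = $desiredMask
                    $aceRecord.AceType = 0     # ACCESS_ALLOWED_ACE_TYPE
                    $aceRecord.AceFlags = 0
                    $dacl += $aceRecord
                }

                $descriptor.DACL = $dacl
                $result = $app.SetConfigurationSecurityDescriptor($descriptor)
                if ($result.ReturnValue -ne 0) {
                    throw "SetConfigurationSecurityDescriptor failed with return value $($result.ReturnValue)."
                }
            }
        }

        # "Authenticated Users" ACE on the ROOT WMI namespace. Only an existing
        # access-allowed ACE is adjusted; none is created.
        script wmiRoot {
            GetScript = {
                $dacl = @(([wmiclass]'\\localhost\ROOT:__SystemSecurity').GetSecurityDescriptor().Descriptor.DACL)
                $summary = ($dacl | ForEach-Object {
                    '{0}\{1}:type={2}:mask={3}' -f $_.Trustee.Domain, $_.Trustee.Name, $_.AceType, $_.AccessMask
                }) -join ';'
                return @{ Result = $summary }
            }

            TestScript = {
                $expectedMask = 19
                $dacl = @(([wmiclass]'\\localhost\ROOT:__SystemSecurity').GetSecurityDescriptor().Descriptor.DACL)
                $allowAces = @($dacl | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' -and $_.AceType -eq 0 })
                return ($allowAces.Count -eq 1 -and $allowAces[0].AccessMask -eq $expectedMask)
            }

            SetScript = {
                $desiredMask = 19
                $systemSecurity = [wmiclass]'\\localhost\ROOT:__SystemSecurity'
                $descriptor = $systemSecurity.GetSecurityDescriptor().Descriptor
                $dacl = @($descriptor.DACL)
                $existing = @($dacl | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' -and $_.AceType -eq 0 })
                if ($existing.Count -eq 0) {
                    # Fail loudly rather than error on a null property assignment.
                    throw 'No access-allowed ACE for "Authenticated Users" exists on the ROOT namespace.'
                }
                foreach ($ace in $existing) { $ace.AccessMask = $desiredMask }

                # A single SetSecurityDescriptor call is sufficient; the former
                # extra Invoke-WmiMethod call (with an empty -ArgumentList) is dropped.
                $descriptor.DACL = $dacl
                $result = $systemSecurity.SetSecurityDescriptor($descriptor)
                if ($result.ReturnValue -ne 0) {
                    throw "SetSecurityDescriptor on ROOT namespace failed with return value $($result.ReturnValue)."
                }
            }
        }

        cUserRight serviceImpersonate {
            Ensure    = 'Present'
            Constant  = 'SeImpersonatePrivilege'
            Principal = 'NT AUTHORITY\SERVICE'
        }
    }
}

# Compile the configuration to a MOF for localhost.
wmiConfig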