.net - Setting WMI ACLs via SetSecurityDescriptor

Tags: .net windows powershell wmi acl

I cannot seem to set WMI ACLs via PowerShell. Calling

Invoke-WmiMethod -Name "SetSecurityDescriptor" -Path "__systemsecurity=@" -ArgumentList $acl.psobject.immediateBaseObject

returns this exception:

Invoke-WmiMethod : Invalid method Parameter(s) 
At line:1 char:17.
+ Invoke-WmiMethod <<<<  -Name "SetSecurityDescriptor" -Path "__systemsecurity=@" -ArgumentList $acl.psobject.immediateBaseObject
    + CategoryInfo          : InvalidOperation: (:) [Invoke-WmiMethod], ManagementException
    + FullyQualifiedErrorId : InvokeWMIManagementException,Microsoft.PowerShell.Commands.InvokeWmiMethod

SetSecurityDescriptor takes exactly one parameter of the __SecurityDescriptor type, and the $acl object itself that I am using in -Arguments seems fine:

PS C:\Windows\system32> $acl | gm


   TypeName: System.Management.ManagementBaseObject#__SecurityDescriptor

Name             MemberType Definition
----             ---------- ----------
ControlFlags     Property   System.UInt32 ControlFlags {get;set;}
DACL             Property   System.Management.ManagementObject#__ACE[] DACL ...
Group            Property   System.Management.ManagementObject#__ACE Group {...
Owner            Property   System.Management.ManagementObject#__ACE Owner {...
SACL             Property   System.Management.ManagementObject#__ACE[] SACL ...
TIME_CREATED     Property   System.UInt64 TIME_CREATED {get;set;}
__CLASS          Property   System.String __CLASS {get;set;}
__DERIVATION     Property   System.String[] __DERIVATION {get;set;}
__DYNASTY        Property   System.String __DYNASTY {get;set;}
__GENUS          Property   System.Int32 __GENUS {get;set;}
__NAMESPACE      Property   System.String __NAMESPACE {get;set;}
__PATH           Property   System.String __PATH {get;set;}
__PROPERTY_COUNT Property   System.Int32 __PROPERTY_COUNT {get;set;}
__RELPATH        Property   System.String __RELPATH {get;set;}
__SERVER         Property   System.String __SERVER {get;set;}
__SUPERCLASS     Property   System.String __SUPERCLASS {get;set;}

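From what I can get off the docs, I am calling the "Parameter Set: path" overload, so the parameter set does not seem to be missing any required parameters.

I am basically ripping the code off this MSDN blog post on the very same topic, and while using GetSecurityDescriptor with a similar call gives the expected results: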

$output = Invoke-WmiMethod -Path "__systemsecurity=@" -Name GetSecurityDescriptor

SetSecurityDescriptor keeps throwing the exception at me. How do I get it to work?

The code in context, for reference:

# connect to SystemSecurity
$invokeparams = @{Path="__systemsecurity=@"}

# get SecurityDescriptor with ACL
$output = Invoke-WmiMethod @invokeparams -Name GetSecurityDescriptor
if ($output.ReturnValue -ne 0) {
    throw "GetSecurityDescriptor failed: $($output.ReturnValue)"
}

# ACL object reference is in the .Descriptor property 
$acl = $output.Descriptor

$ace = (New-Object System.Management.ManagementClass("win32_Ace")).CreateInstance()

# AccessMask is WBEM_ENABLE, $WBEM_METHOD_EXECUTE, $WBEM_WRITE_PROVIDER, $WBEM_REMOTE_ACCESS
$ace.AccessMask = 1 + 2 + 0x10 + 0x20
# AceFlags are  $OBJECT_INHERIT_ACE_FLAG, $CONTAINER_INHERIT_ACE_FLAG
$ace.AceFlags =  0x01 + 0x2
# AceType is ACCESS_ALLOWED_ACE_TYPE (0x0; 0x1 would be ACCESS_DENIED_ACE_TYPE)
$ace.AceType = 0x0

# get user SID
$getparams = @{Class="Win32_Account";Filter="Domain='MYDOMAIN' and Name='SERVER$'"}
$win32account = Get-WmiObject @getparams
# and build a new Trustee object
$trustee = (New-Object System.Management.ManagementClass("win32_Trustee")).CreateInstance()
$trustee.SidString = $win32account.Sid
$ace.Trustee = $trustee    

# Add ACE to ACL
$acl.DACL += $ace.psobject.immediateBaseObject

# apply new ACL
$setparams = @{Name="SetSecurityDescriptor";ArgumentList=$acl.psobject.immediateBaseObject} + $invokeParams
$output = Invoke-WmiMethod @setparams
if ($output.ReturnValue -ne 0) {
    throw "SetSecurityDescriptor failed: $($output.ReturnValue)"
}

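I have also already tried using the .AceFlags property as suggested in the comments of the aforementioned blog post by Steve Lee - to no avail.

Best answer

In the article you mention, the invocation is different, and these differences may be important - the parameters are a single hashtable constructed to include all the arguments as name/value pairs: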

$invokeparams = @{Namespace=$namespace;Path="__systemsecurity=@"}

$setparams = @{Name="SetSecurityDescriptor";ArgumentList=$acl.psobject.immediateBaseObject} + $invokeParams

$output = Invoke-WmiMethod @setparams

Regarding .net - setting WMI ACLs via SetSecurityDescriptor, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/21041778/
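
To check what a namespace DACL actually grants before or after a SetSecurityDescriptor call, the ACEs returned by GetSecurityDescriptor can be decoded into readable rights. This is an added example, not part of the question or the answer; the function name ConvertTo-WmiAceSummary, the constructed sample ACEs and the root\cimv2 namespace in the comment are assumptions.

```powershell
# Requires PowerShell 3.0+ for [ordered] and [pscustomobject].
# WMI namespace rights; the question's mask (1 + 2 + 0x10 + 0x20) sets four of them.
$WmiRights = [ordered]@{
    0x1     = 'WBEM_ENABLE'
    0x2     = 'WBEM_METHOD_EXECUTE'
    0x4     = 'WBEM_FULL_WRITE_REP'
    0x8     = 'WBEM_PARTIAL_WRITE_REP'
    0x10    = 'WBEM_WRITE_PROVIDER'
    0x20    = 'WBEM_REMOTE_ACCESS'
    0x20000 = 'READ_CONTROL'
    0x40000 = 'WRITE_DAC'
}
# AceType values: 0 = access allowed, 1 = access denied, 2 = system audit
$AceTypes = @('Allow', 'Deny', 'Audit')

function ConvertTo-WmiAceSummary {
    param([Parameter(ValueFromPipeline = $true)] $Ace)
    process {
        $mask   = [uint32]$Ace.AccessMask
        $rights = foreach ($r in $WmiRights.GetEnumerator()) {
            if ($mask -band [uint32]$r.Key) { $r.Value }
        }
        [pscustomobject]@{
            Trustee     = '{0}\{1}' -f $Ace.Trustee.Domain, $Ace.Trustee.Name
            Type        = $AceTypes[[int]$Ace.AceType]
            # 0x10 is INHERITED_ACE: the entry came from a parent namespace
            Inherited   = [bool]($Ace.AceFlags -band 0x10)
            Rights      = $rights -join ', '
            # Allow ACEs carrying WBEM_REMOTE_ACCESS are the ones to review first
            RemoteAllow = ($Ace.AceType -eq 0) -and [bool]($mask -band 0x20)
        }
    }
}

# Constructed sample ACEs shaped like the __ACE objects in .Descriptor.DACL.
# The second one differs only in AceType and is therefore a deny entry.
$sample = @(
    [pscustomobject]@{ AccessMask = 0x33; AceFlags = 0x3; AceType = 0
        Trustee = [pscustomobject]@{ Domain = 'MYDOMAIN'; Name = 'SERVER$' } }
    [pscustomobject]@{ AccessMask = 0x33; AceFlags = 0x3; AceType = 1
        Trustee = [pscustomobject]@{ Domain = 'MYDOMAIN'; Name = 'SERVER$' } }
)
$sample | ConvertTo-WmiAceSummary | Format-Table -AutoSize

# Live use on Windows PowerShell (the namespace is an assumption):
# (Invoke-WmiMethod -Namespace 'root\cimv2' -Path '__systemsecurity=@' `
#     -Name GetSecurityDescriptor).Descriptor.DACL | ConvertTo-WmiAceSummary
```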
