Watching Microsoft Like a Hawk !I haven’t blogged in awhile because of things happening at work and too busy working on the Scripting Games scripts (Yeah right ) . I will write more soon .
Funny thing happened to me recently I was creating a script using vb-script and that restarted the WMI service on servers .Well I was using WMI in my script and well needless to say I had a lot of problems 🙂 .
Chris
I’m sure allot of you are entering the scripting games today if you have time too that it .I have done the first beginners challenge in Powershell . It took me awhile . I will post my code after the deadline . I will try and do the advanced challenge this weekend .
I’m doing all Powershell contests but you can do vbscript and perl as well .
Have Fun thats what its all about !
Powerhsell basics has a nice intro in .wmv format . The view go here.
Presenting Powershell this way visually will make it easier for people to learn . Videos are a great way to acheive that .
Thanks
Chris
I was trying to search for info on how to do this and came up with this . It uses a couple of classes .
First off we need to use the System.management namespace to retrieve these classes . So if your building a project make sure you add this namespace and also have a using statement .
using System.management;
The classes that are used are :
ManagementPath
ConnectionOptions
ManagementClass
Management Scope
ManagementObjectCollection
Here is the whole piece of code :
try
{
//New instance of the management path so we can use its properties
ManagementPath path = new ManagementPath();
//Set the Servername
path.Server = ServerName;
//Set the WMI namespace
path.NamespacePath = @"root\cimv2";
//Here we are using the default connections but we can also use different.
//Username and password if we need to.
ConnectionOptions oConn = new ConnectionOptions();
//Set the Scope ...Computername and WMI namespace
ManagementScope scope = new ManagementScope(path, oConn);
//Set the WMI Class
path.RelativePath = "Win32_Share";
//Set shares to null
ManagementClass Shares = null;//Here we are connecting using the Servername and WMI Namespace/Class
using (Shares = new ManagementClass(scope, path, null))
{
//Return a collection of Shares here
ManagementObjectCollection moc = Shares.GetInstances();
//Go thru each share and display its name property in the list box.
foreach (ManagementObject mo in moc)
{
lstShares.Items.Add(mo["Name"]);
}
}
}
catch (Exception) //catch any exceptions we might have .
{
MessageBox.Show("Unable to return sharenames . Please make share Servername is correct.");
}
}
I will explain more in a later Blog . Busy Day . This basically will return all shares (even Hidden Shares ) of a computer/Server. You can see that I'm putting the result in a listbox called lstShares.
Thanks
Chris
I tried this but I’m getting an “Access is denied” exception (after removing the trycatch). Any ideas?
Mark ,
Can you tell me which line is the the one giving the error ? Does it work with the Try and Catch ?
I think you do need Admin rights to the target machine .
Chris
I can add the administrator username and password and this code works fine. How can I get the instances of only those shares that have the “Everyone” account?
Hi Paul ,
I believe you would add code to the foreach loop . In there before adding the share to the listbox you can place code that checks to see if the everyone group is present and if so then add the share to the lisbox . I will try and look into doing that .
Chris
I know I said I was going to do more C# stuff but this powershell stuff is so cool 🙂 . If you ever have to do a massive task like set security across multiple servers on a particular Folder or Files you certainly do not want to do this manually . You can do this in a lot languages . In regular batch scripting using calcs.exe or vbcript . Today I’m going to give a powershell example using 2 cmdlets get-acl and set-acl.
So for example you had to set security on a folder c:\temp (not sure why you would want to but its just an example ) .
what you first have to do is get the ACL list from the folder like so :
$acl = Get-Acl c:\temp
next you can setup your account name that you want to add , Set the permission level (i.e. FullControl) and lastly set the allow permission or deny permission set .Lets take a look .
$permission = "domainName\Username","FullControl","Allow"
So now we use $permission in our .net class FileSystemAccessRule like so :
$accessRule = new-object System.Security.AccessControl.FileSystemAccessRule $permission
We instantiated to use the .net class and passed our variable to set our permisson but we have not set it yet .
$acl.SetAccessRule($accessRule)
$acl | Set-Acl c:\temp
Now we did . Now check your folder and it should show full control for the username you specified .
Cool huh ?
I know this may not replace a cacls.exe but it will do the job also this cmdlet (set-acl) will work on the registry provider too which calcs.exe doesn’t do .
Full program
$acl = Get-Acl c:\temp
$permission = "domain\user","FullControl","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
$acl | Set-Acl c:\temp
Hope this helps .
Chris
Superb, thanks for this. Just what I needed for my world domination script (provisioning new customers in a highly segregated terminal server hosting environment)
Super
But IS there a way to make this apply on a Subfolder and files
Thanks
Hi Faris ,
I believe you would have to use SetAccessRuleProtection something like this ($acl.SetAccessRuleProtection($true,$true)
I haven’t confirmed though . I will look into it .
Thanks
Chris
You need a different constructor. This sets the inheritanceflag:
$acl = get-acl -path “D:\Folder\test”
$new = “Local\User”,”FullControl”,”ContainerInherit,ObjectInherit”,”None”,”Allow”
$accessRule = new-object System.Security.AccessControl.FileSystemAccessRule $new
$acl.SetAccessRule($accessRule)
$acl | Set-Acl “D:\Folder\test”
and how can i add multiple users with different rights?
user1 with full controll and user2 with modify?
thanks for some inputs.
Couldn’t get this to work. Getting this error:
Set-Acl : The security identifier is not allowed to be the owner of this object.
Craig, Try running it against a UNC path. For example, \\servername\d$\Folder\test
See this post on my blog for more.
http://fixingit.wordpress.com/2011/07/08/set-owner-with-powershell-%e2%80%9cthe-security-identifier-is-not-allowed-to-be-the-owner-of-this-object%e2%80%9d/
I spent all day trying to get permissions on a registry key that I didn’t already have. This particular key’s owner is “administrators”, however the administrators group has read only access to this particular key. Thus when you’d run the script, you’d get access denied even though being the owner should prevent this. So here’s how I worked around the issue:
Regini.exe (built into windows 7) can change permissions on the key, but it’s very limited as to which groups it can assign permissions to. So using powershell, I save the current ACL on the key, use regini.exe to give administrators full control, then use powershell to restore the permissions with the additions that I want.
#powershell only has drives defined for HKLM and HKCU. The other drives like Classes Root need to be defined like this.
new-psdrive -name HKCR -psprovider registry -root HKEY_CLASSES_ROOT
#A string holding the path of the registry key. For some reason it doesn’t like the curly braces if you combine this and the next command without a variable
$regkey = “HKCR:\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder”
#get the original key’s permissions
$acl = get-acl $regkey
#set the parameters of the acl that I want set
$person = [System.Security.Principal.NTAccount]”BUILTIN\ADMINISTRATORS”
$access = [System.Security.AccessControl.RegistryRights]”FullControl”
$inheritance = [System.Security.AccessControl.InheritanceFlags]”ContainerInherit”
$propagation = [System.Security.AccessControl.PropagationFlags]”None”
$type = [System.Security.AccessControl.AccessControlType]”Allow”
#create the accessrule object based on the previous parameters.
$accessRule = New-Object System.Security.AccessControl.RegistryAccessRule($person,$access,$inheritance,$propagation,$type)
#add the new access rule to the existing ACL so that the inherited permissions are still there.
$acl.AddAccessRule($accessRule)
#user regini to grant administrators full control to this key.
regini.exe c:\regini\test.ini
#put the edited acl back in place now that we have full control of this key.
Set-acl $regkey -aclobject $acl
********contents of c:\regini\test.ini The [1] including brackets tells it to give administrators full control.
HKEY_CLASSES_ROOT\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder [1]
I wrote a post on the different possibilities for the permission level string, side by side with the well-know GUI.
I think it’s a nice addition to this post 🙂
Here it goes: http://camillelemouellic.blog.com/2011/07/22/powershell-security-descriptors-inheritance-and-propagation-flag-possibilities/
I am trying to gain access to a registry key. I can gain access manually by checking the “Repalce owner on subcontainers and objects” box in the advanced tab under owner tab in permissions. I would like to be able to “check” this box by utilizing script because I have to make a registry change on many computers. Most of them are currently running Vista. Any help would be appreciated.
Hi Keenan
I would use the .net method for changing permissions . When I’m changing keys or adding keys in the registry I use the plan old reg command (reg /?) combined with powershell .
See if this can help : (You can put the following script in a script.ps1 file then execute it with the invoke-command against a lot of machines.)
$acl = Get-Acl HKLM:\SOFTWARE\whatever
$rule = New-Object System.Security.AccessControl.RegistryAccessRule (“domain\Username”,”FullControl”,”ContainerInherit,ObjectInherit”,”None”,”Allow”
$acl.SetAccessRule($rule)
$acl |Set-Acl -Path HKLM:\SOFTWARE\whatever
Try this on a test machine
Hi Chris,
Thanks for your help. I had a similar instance of that code already but was having some troubles, you straightened that out. I am still having access control problems. Any ideas?
[string] $RegistryPath = “Software\odbc\odbcinst.ini\SQL Server”
[string] $RegistryKeyName = “CPTimeout”
[string] $RegistryValue = “”
[string] $RegistryType = “dword”
$acl = Get-Acl ‘HKLM:\SOFTWARE\odbc\odbcinst.ini\SQL Server’
$permission = “Administrator”,”FullControl”,”Allow”
$rule = New-Object System.Security.AccessControl.RegistryAccessRule $permission
$acl.SetAccessRule($rule)
$acl |Set-Acl -Path ‘HKLM:\SOFTWARE\odbc\odbcinst.ini\SQL Server’
VALIDATE REG VALUE
Write-output “Connecting to $Computer for registry Check `r ”
$Registry = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(‘LocalMachine’, $Computer)
$RegistryKey = $Registry.opensubkey($RegistryPath,$False) ## $False = ReadOnly
$RegistryKeyValue = $RegistryKey.getvalue($RegistryKeyName)
IF ($RegistryKeyValue -eq $RegistryValue) { $RegKeyValueSet = $True ; Write-Output “Registry key
on $Computer is already set ($RegistryKeyName has a value of $RegistryKeyValue) `r ” }
MODIFY VALUE
Write-output “Connecting to $Computer for registry modification `r ”
$Registry = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(‘LocalMachine’, $Computer)
$RegistryKey = $Registry.opensubkey($RegistryPath,$true) ## $True = Write
$RegistryKeyValue = $RegistryKey.getvalue($RegistryKeyName)
$RegistryKey.SetValue($RegistryKeyName,$RegistryValue)
Write-output “Value has been changed to $RegistryValue.”
I keep getting this error:
Exception calling “OpenSubKey” with “2” argument(s): “Requested registry access is not allowed.”
At I:\RegKeyChange.ps1:23 char:36
+ $RegistryKey = $Registry.opensubkey <<<< ($RegistryPath,$true) ## $True = Write
Exception calling "SetValue" with "2" argument(s): "Cannot write to the registry key."
At I:\RegKeyChange.ps1:25 char:22
+ $RegistryKey.SetValue <<<< ($RegistryKeyName,$RegistryValue)
Thanks a bunch,
Keenan
I think because the remote registry service is not started . I think its set to manual by default ?
Also make sure in your permission variable that you have this
$permission = “Administrator”,”FullControl”,”ContainerInherit,ObjectInherit”,”None”,”Allow”
See if that helps …
That service is started and set to automatic on my computer as well as the one I am testing this script on. It still says registry access is not allowed. I may just have to manually make the change on each computer. Thanks for all your help, if you have any other ideas, I would be glad to hear.
Thanks!
Will that acl code allow me to change the owner of the key? It is set by default to ‘TrustedInstaller’ and I need to change the owner to Administrators; this is in addition to changing the permissions for admin to full control.
Thanks.
Hi Keenan … you might be getting access denied because of the ownership . I’m sorry I havn’t worked with permissions in the registry much but there is a cool utility called subinacl
Google it and download it and you can work it into your powershell script
Here is an example of the syntax :
subinacl /keyreg HKEY_CLASSES_ROOT /setowner=###
Hope this helps ..
Chris
I will give it a try, thanks.
Goddammit…
Many Thanks, the only Example which works in the whole internet…
Baarrr Thank you very much.
Is it just me, or is this not cool at all? Not the article (thanks for the info), I mean powershell vs windows gui, cmd, bash, etc – this is extremely long winded. 5 lines, 3 variables, and 220 words to do what with xcacls.exe is a simple, single line. I’m a big fan of the scope and power of powershell (appropriately titled) but on many occasions it seems to make simple tasks unnecessarily complicated.
Reply