Page 1 of 1 1
Topic Options
#213175 - 2018-02-02 04:17 PM Win32_TSAccounts Permissions
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1895
Loc: Hilversum, The Netherlands
Breaking my head over this, I'm trying to set a permission value in the Win32_TSAccount wmi space.
This works as expected, however to get it to remove the same permission again or deny is doesn't work.
I've tried every Boolean value type I could think of but none seem to work.
Btw, the reason I do this is because in Windows 2012 R2 and Windows 2016 you don't get a GUI anymore to set the permissions.
The permissions I'm trying to set are Shadowing permissions.
This part works, just removing or denying it again doesn't.
Here is my code:
 Code:
$strComputer = "."
$objWMIService = GetObject("winmgmts:\\" + $strComputer + "\root\CIMV2\TerminalServices")
$colItems = $objWMIService.ExecQuery("Select * from Win32_TSAccount where SID='S-1-5-32-555' and TerminalName='RDP-Tcp'",,48)
@SERROR ?
For Each $objItem in $colItems
  "AccountName: " + $objItem.AccountName ?
  "AuditFail: " + $objItem.AuditFail ?
  "AuditSuccess: " + $objItem.AuditSuccess ?
  "Caption: " + $objItem.Caption ?
  "Description: " + $objItem.Description ?
  "InstallDate: " + $objItem.InstallDate ?
  "Name: " + $objItem.Name ?
  "PermissionsAllowed: " + $objItem.PermissionsAllowed+" (&"+DecToHex($objItem.PermissionsAllowed)+")" ?

  If ($objItem.PermissionsAllowed & 1) = 1
    "-WINSTATION_QUERY" ?
  EndIf
  If ($objItem.PermissionsAllowed & 2) = 2
    "-WINSTATION_SET" ?
  EndIf
  If ($objItem.PermissionsAllowed & 4) = 4
    "-WINSTATION_LOGOFF" ?
  EndIf
  If ($objItem.PermissionsAllowed & 16) = 16
    "-WINSTATION_SHADOW" ?
  EndIf
  If ($objItem.PermissionsAllowed & 32) = 32
    "-WINSTATION_LOGON" ?
  EndIf
  If ($objItem.PermissionsAllowed & 64) = 64
    "-WINSTATION_RESET" ?
  EndIf
  If ($objItem.PermissionsAllowed & 128) = 128
    "-WINSTATION_MSG" + ?
  EndIf
  If ($objItem.PermissionsAllowed & 256) = 256
    "-WINSTATION_CONNECT" ?
  EndIf
  If ($objItem.PermissionsAllowed & 512) = 512
    "-WINSTATION_DISCONNECT " ?
  EndIf
  If ($objItem.PermissionsAllowed & 983048) = 983048
    "-WINSTATION_VIRTUAL" ?
  EndIf

  "PermissionsDenied: " + $objItem.PermissionsDenied ?
  "SID: " + $objItem.SID ?
  "Status: " + $objItem.Status ?
  "TerminalName: " + $objItem.TerminalName ?

;"Adding Shadow Permission" ?
;$objItem.ModifyPermissions(4,1)
;? @SERROR

  ?
Next


Documentation

Top
#213176 - 2018-02-03 05:19 PM Re: Win32_TSAccounts Permissions [Re: Arend_]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
I had no issue with this working - Win-10, latest updates. First run was with code uncommented, second run the set code was commented. I ran this from an elevated command prompt as a local admin.
 Code:
(IHWD021) - C:\Temp>a
The operation completed successfully.
AccountName: BUILTIN\Remote Desktop Users
AuditFail: 0
AuditSuccess: 0
Caption:
Description:
InstallDate:
Name:
PermissionsAllowed: 289 (&121)
-WINSTATION_QUERY
-WINSTATION_LOGON
-WINSTATION_CONNECT
PermissionsDenied: 0
SID: S-1-5-32-555
Status:
TerminalName: RDP-Tcp
Adding Shadow Permission
0
The operation completed successfully.

(IHWD021) - C:\Temp>a
The operation completed successfully.
AccountName: BUILTIN\Remote Desktop Users
AuditFail: 0
AuditSuccess: 0
Caption:
Description:
InstallDate:
Name:
PermissionsAllowed: 305 (&131)
-WINSTATION_QUERY
-WINSTATION_SHADOW
-WINSTATION_LOGON
-WINSTATION_CONNECT
PermissionsDenied: 0
SID: S-1-5-32-555
Status:
TerminalName: RDP-Tcp
Glenn
_________________________
Actually I am a Rocket Scientist! \:D

Top
#213178 - 2018-02-03 05:27 PM Re: Win32_TSAccounts Permissions [Re: Glenn Barnas]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
Also - while probably not an issue, you might be better served with "&" instead of "And" to force a binary comparison. you can simplify this. "$Val & 4" would zero all other bits, allowing a Boolean comparison - "If $Val & 4" instead of the mathematical comparison.

I use this construct extensively in several of my UDFs.

Glenn


Edited by Glenn Barnas (2018-02-03 08:56 PM)
_________________________
Actually I am a Rocket Scientist! \:D

Top
#213179 - 2018-02-03 06:48 PM Re: Win32_TSAccounts Permissions [Re: Glenn Barnas]
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1895
Loc: Hilversum, The Netherlands
I don't know what you are talking about Glenn? I AM using & instead of AND.
Furthermore, as I explained in the first post, getting to ADD permissions is not a problem.
Revoking of Denying the permission is a problem.

Top
#213182 - 2018-02-03 08:54 PM Re: Win32_TSAccounts Permissions [Re: Arend_]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
Sorry about that - your're right about "&" vs "And" - I was confusing two different messages, one in email from a programming class, the other yours, and I combined my thoughts here. What I meant to reply here was simply that "&" forces all other bits to zero so you don't have to perform an equality check. I updated that post, striking the confusing part.

I recall a post a few years back where similar issue occurred. The false value actually had to be null despite being called a Boolean. Since Kix doesn't manipulate Nulls, I think the solution involved a VB call. I'll see if I can find that. It was an obscure process and I didn't think I'd ever need it, so I don't have it in my bag of tricks.

Glenn
_________________________
Actually I am a Rocket Scientist! \:D

Top
#213183 - 2018-02-03 09:56 PM Re: Win32_TSAccounts Permissions [Re: Glenn Barnas]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
For what it's worth, running similar code to set this to false in VBS returns error 0x80041010 - Invalid Class - on my workstation.
_________________________
Actually I am a Rocket Scientist! \:D

Top
Page 1 of 1 1


Moderator:  Shawn, ShaneEP, Ruud van Velsen, Arend_, Jochen, Radimus, Glenn Barnas, Allen, Mart 
Hop to:
Shout Box

Who's Online
1 registered (mole) and 405 anonymous users online.
Newest Members
Timothy, Jojo67, MaikSimon, kvn317, kixtarts2025
17874 Registered Users

Generated in 0.062 seconds in which 0.025 seconds were spent on a total of 14 queries. Zlib compression enabled.

Search the board with:
superb Board Search
or try with google:
Google
Web kixtart.org