wmi 设置安全描述符

Question

尝试通过 wmi 使用 sddl 授予对 systemroot 的访问权限，但出现参数无效的错误。 这是我的功能：

function GrantSysRoot
{
    Param (
        [string]$strcomputer
    )  
    $sec =  Get-WmiObject -Class Win32_LogicalFileSecuritySetting -Filter "Path='C:\\Windows'" -ComputerName $strcomputer
    $converter = New-Object System.Management.ManagementClass Win32_SecurityDescriptorHelper
    $sddl = $converter.Win32SDToSDDL($sec.GetSecurityDescriptor().Descriptor)
    $newSDDL = $sddl.SDDL += "(" + $SRSDDL + ")"
    $Win32descriptor = $converter.SDDLToWin32SD($newSDDL)
    $result = $sec.SetSecurityDescriptor($Win32descriptor)

    if ($result.ReturnValue -eq 0) {
        LogWrite "Success SystemRoot setting rights"
    } 
    else {
        LogWrite "An error occured with SystemRoot rights settings"
    }
}

SetSecurityDescriptor 方法返回无效参数错误。有什么想法吗？

Answer 1

已解决，我们必须使用属性“描述符”

$result = $sec.SetSecurityDescriptor($Win32descriptor.Descriptor)

Answer 2

我认为你犯了一个小错误。在您的代码中，我看不到使用 $SRSDDL 定义的任何内容，但您正在附加数据并存储在 $newSDDL 中。请您重新验证一下。

function GrantSysRoot
{
Param (
[string]$strcomputer
 )  
 $sec =  Get-WmiObject -Class Win32_LogicalFileSecuritySetting -Filter "Path='C:\\Windows'" -ComputerName $strcomputer
 $converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
 $sddl = $converter.Win32SDToSDDL($sec.GetSecurityDescriptor().Descriptor)
 $newSDDL = $sddl.SDDL += "(" + $SDDL + ")"
 $Win32descriptor = $converter.SDDLToWin32SD($newSDDL)
 $result = $sec.SetSecurityDescriptor($Win32descriptor)
 if ($result.ReturnValue -eq 0){LogWrite "Success SystemRoot setting rights"
    } else {LogWrite "An error occured with SystemRoot rights settings"}