Home/ Questions/Q 8233229
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-07T18:03:51+00:00

I have been given the task of writing Powershell scripts to set up a

  • 0

I have been given the task of writing Powershell scripts to set up a server from scratch to run one of our services as part of a web application, and one of the steps required for setting this server up is changing the DCOM config for the installed service, specifically adding accounts to the “Launch and Activation”/”Access” Permissions and also set the permissions for these accounts once they have been added.

Is there a method of doing this using Powershell at all? I haven’t been able to find a concrete method of doing what I’m aiming to achieve so any help would be great

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Looks like you would do it using WMI.

    Get an instance of: Win32_DCOMApplicationSetting like this:

    $dcom = Get-WMIObject -Class Win32_DCOMApplicationSetting -Filter 'Description="Something"'

    Now you have access to the SetAccessSecurityDescriptor and SetLaunchSecurityDescriptor methods.

    From: http://msdn.microsoft.com/en-us/library/windows/desktop/aa384905(v=vs.85).aspx

    DCOM applications

    DCOM application instances have several security descriptors. Starting
    with Windows Vista, use methods of the Win32_DCOMApplicationSetting
    class to get or change the various security descriptors. Security
    descriptors are returned as instances of the Win32_SecurityDescriptor
    class.

    To get or change the configuration permissions, call the
    GetConfigurationSecurityDescriptor or
    SetConfigurationSecurityDescriptor methods.

    To get or change the access permissions, call the
    GetAccessSecurityDescriptor or SetAccessSecurityDescriptor methods.

    To get or change the startup and activation permissions, call the
    GetLaunchSecurityDescriptor or SetLaunchSecurityDescriptor methods.

    Windows Server 2003, Windows XP, Windows 2000, Windows NT 4.0, and
    Windows Me/98/95: The Win32_DCOMApplicationSetting security
    descriptor methods are not available.

    There’s also a tool called DCOMPERM in which source code is available in the Windows SDK: http://www.microsoft.com/en-us/download/details.aspx?id=8279

    You can find compiled versions around online if you search for DCOMPERM compiled.

    Here are the command line options:

    Syntax: dcomperm <option> [...] 
Options:

Modify or list the machine access permission list 
-ma <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r"] 
-ma list

Modify or list the machine launch permission list 
-ml <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r,ll,la,rl,ra"] 
-ml list

Modify or list the default access permission list 
-da <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r"] 
-da list

Modify or list the default launch permission list 
-dl <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r,ll,la,rl,ra"] 
-dl list

Modify or list the access permission list for a specific AppID 
-aa <AppID> <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r"] 
-aa <AppID> default 
-aa <AppID> list

Modify or list the launch permission list for a specific AppID 
-al <AppID> <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r,ll,la,rl,ra"] 
-al <AppID> default 
-al <AppID> list

level: 
    ll - local launch (only applies to {ml, dl, al} options) 
    rl - remote launch (only applies to {ml, dl, al} options) 
    la - local activate (only applies to {ml, dl, al} options) 
    ra - remote activate (only applies to {ml, dl, al} options) 
    l - local (local access - means launch and activate when used with {ml, dl, al} options) 
    r - remote (remote access - means launch and activate when used with {ml, dl, al} options)
    • 0