Tags: powershell, security, powershell-remoting, winrm

How do I set SessionConfiguration permission for PowerShell remoting using SDDL?


I am trying to allow remote access for a user to a machine through WINRM.

Somewhere on the internet, I found out that this will need modification of RootSDDL for the WINRM configuration, and the value of it could be fetched like this:

(Get-Item WSMAN:\localhost\Service\RootSDDL).Value

O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-XXXXX-1889625497-1141)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)

Now the question is the following: when I know the SID of the user I want to allow PowerShell remoting for, how do I change the Security Descriptor by adding an ACE like (A;;GA;;;S-1-5-21-The-rest-of-my-user-SID)?

Are there any code snippets to parse SDDL into an array of ACEs, modify it and parse it back?


Solution

  • This code isn't completely working, but if you fix the constructor parameters (in the $ArgumentList variable) for the ObjectAce object, you should be able to get it working. I'll try to come back to this a bit later and finish it off.

    This example does show how to use the RawSecurityDescriptor class to "import" SDDL, and then call the GetSDDLForm() method to "export" it back to SDDL. All we need to figure out is how to properly construct the ObjectAce object, and call InsertAce() to add it to the RawSecurityDescriptor object, before we export it to SDDL.

    # Create a Security Descriptor from SDDL
    $SD = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1141)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)';
    
    # Add a new Access Control Entry.
    # A plain "(A;;GA;;;SID)" entry is a CommonAce (ACE type "A"). ObjectAce is the
    # directory-service variant and is exported as type "OA", so CommonAce is the
    # class that produces the entry the question asks for.
    # CommonAce constructor docs: https://learn.microsoft.com/dotnet/api/system.security.accesscontrol.commonace.-ctor
    # Sample SID below is a placeholder: replace it with the SID of the user to allow.
    $UserSid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-21-3231263931-1371906242-1889625497-1234';
    $ArgumentList = @(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        0x10000000,   # GENERIC_ALL, written "GA" in SDDL
        $UserSid,
        $false,       # not a callback ACE
        $null         # no opaque callback data
    )
    $ACE = New-Object -TypeName System.Security.AccessControl.CommonAce -ArgumentList $ArgumentList;
    # InsertAce takes an index; appending after the existing entries keeps their order
    $SD.DiscretionaryAcl.InsertAce($SD.DiscretionaryAcl.Count, $ACE);
    
    # Convert the Security Descriptor back into SDDL
    $SD.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All);
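As an added example that is not part of the answer above, the following pair of functions covers the full round trip the question asks for: parse the RootSDDL into one object per DACL entry (so you can review who already has remote access before changing anything), add an allow ACE for a SID only if one is not already present, and write the result back. It assumes an elevated PowerShell session on the target machine; the SID in the usage lines is a placeholder to replace with the real user's SID.

```powershell
# Added example: review, extend and write back the WinRM RootSDDL.
$GenericAll = 0x10000000   # GENERIC_ALL, written "GA" in SDDL

# Parse an SDDL string and return one object per DACL entry.
function Get-RootSddlAce {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid  = $ace.SecurityIdentifier
        $name = '(unresolved)'
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Type          = $ace.AceType
            Sid           = $sid.Value
            Account       = $name
            AccessMask    = ('0x{0:X8}' -f $ace.AccessMask)
            IsFullControl = (($ace.AccessMask -band $GenericAll) -eq $GenericAll)
        }
    }
}

# Return a new SDDL string with an allow ACE for $UserSid added to the DACL.
# Idempotent: an existing allow ACE for the same SID is left alone rather than duplicated.
function Add-RootSddlAllowAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$UserSid,
        [int]$AccessMask = $GenericAll
    )
    $sd  = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $UserSid

    $existing = $sd.DiscretionaryAcl | Where-Object {
        $_.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
        $_.SecurityIdentifier.Value -eq $sid.Value
    }
    if ($existing) {
        Write-Verbose "Allow ACE for $UserSid already present; DACL left unchanged"
        return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    }

    # CommonAce produces a plain type "A" entry, i.e. "(A;;GA;;;SID)" for GENERIC_ALL
    $ace = New-Object -TypeName System.Security.AccessControl.CommonAce -ArgumentList @(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $AccessMask,
        $sid,
        $false,   # not a callback ACE
        $null     # no opaque callback data
    )
    # Append after the existing entries so their order is preserved
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# Usage (elevated session on the target machine):
$current = (Get-Item WSMan:\localhost\Service\RootSDDL).Value
Get-RootSddlAce -Sddl $current | Format-Table -AutoSize            # review current grants first
$new = Add-RootSddlAllowAce -Sddl $current -UserSid 'S-1-5-21-0-0-0-1001'   # placeholder SID
Set-Item -Path WSMan:\localhost\Service\RootSDDL -Value $new       # write the new descriptor back
```

Run `Get-RootSddlAce` again on the value read back from `WSMan:\localhost\Service\RootSDDL` to confirm that exactly one new allow entry appeared and that no existing entry changed; the listing is also a convenient thing to keep in a change record, since every SID on it can open a remote shell on the machine.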