
DcomAcls


DcomAcls is a command line utility for viewing and setting the DCOM security rights and properties of computers. It is useful when inventory scans fail with the "WMI Access Denied" error: WMI uses DCOM for remote communication, and if your account does not hold the required DCOM rights, you cannot access WMI remotely. DcomAcls.exe can be run from a GPO to correct the DCOM security on large groups of computers, or it can be used to set the permissions on individual computers. The Windows utility dcomcnfg.exe provides a GUI for the same settings; use that MMC snap-in for more information on what each setting means.

 

Syntax:

 

dcomacls -computer [computer] -allow [rights specifiers] -deny [rights specifiers] -none [rights specifiers] -view [rights specifiers] -property [property specifiers] -viewproperty [properties] 

 

The parameters can be used in any order.

 

-computer

Use this parameter to specify the computer to set or view. If omitted, then the current computer is used.

 

-allow, -deny, -none

Use to set the DCOM rights for a group or user. The format for the rights specifier is "right:user". There are six available rights, each with a short and long name which can be used in the specifier. The rights are:

 

AL.L        access-limits-local

AL.R        access-limits-remote

LL.LL        launch-limits-local-launch

LL.RL        launch-limits-remote-launch

LL.LA        launch-limits-local-activation

LL.RA        launch-limits-remote-activation

 

When specifying rights, the wildcards * and ? can be used. The user name may include a domain; if the domain is omitted, the current domain is used.

 

Allow grants the user the given right, deny revokes access, and none removes both allow and deny ACLs. To use more than one specifier at a time, separate them with commas.

 

Example:

 

-allow ll.*:domain\administrators (allows the domain\administrators group access to all launch-limit rights)

-allow *.L*:everyone,*:administrator 

 

-view

View is used to determine which rights to display. The specifier has the same format as above, except that the user name can also contain wildcards. If no specifier is provided, all rights for all users are shown. To use more than one specifier at a time, separate them with commas.

 

Example:

 

-view *:domain\* (view all of the rights assigned to all domain users and groups)

 

-property

Sets DCOM properties on the computer. The format for each specifier is "name=value". The properties and their allowed values are:

 

Enabled

Turns DCOM on or off. Use the values true and false.

 

Internet

Turns on DCOM over HTTP. Use the values true and false.

 

Authentication

Specifies the type of DCOM authentication to use. Can be one of Default, None, Connect, Call, Packet, PacketIntegrity, or PacketPrivacy.

 

Impersonation

Specifies the type of impersonation for DCOM. Can be one of Default, Anonymous, Identify, Impersonate, or Delegate.

 

Reference

Turns on additional security for references. Not available if Authentication is set to None or Impersonation is set to Anonymous.

 

Example:

 

-property enabled=true,internet=false (turns on DCOM and turns off DCOM over HTTP)

 

-viewproperty

View the DCOM properties. The specifier is a comma separated list of the properties to show. If no specifier is given, then all properties are shown.

 

Example:

 

-viewproperty enabled,internet

 

-protocols

Set the protocols used by DCOM. The specifier is a comma separated list of the protocols to set. The order of the protocols affects their priority.

 

The following are the allowed protocols:

 

tcp        Connection-oriented TCP/IP

udp        Datagram UDP/IP

http        Tunneling TCP/IP

 

Example:

 

-protocols tcp,http

 

-viewprotocols

View the protocols which are currently set for use by DCOM.

 

Notes

Any changes are made prior to reading values to display, regardless of parameter order. Therefore, the rights and properties displayed will include any changes also specified on the command line.
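The following Python model is an added example and is not part of DcomAcls itself. It makes the "right:user" specifier grammar described under -allow, -deny, -none and -view concrete: the right part is expanded with * and ? wildcards, the three actions add or strip allow and deny ACEs, and, as the note above states, every change is applied before any -view is evaluated regardless of argument order. The example assumes that a right pattern is matched against both the short and the long name, that a bare user name is qualified with a constructed default domain named "corp", and that an explicit deny ACE outranks an allow ACE (standard Windows ACL evaluation); -property, -viewproperty and -protocols are not modelled.

```python
import fnmatch

# The six DCOM rights from the DcomAcls reference, short name -> long name.
RIGHTS = {
    "AL.L": "access-limits-local",
    "AL.R": "access-limits-remote",
    "LL.LL": "launch-limits-local-launch",
    "LL.RL": "launch-limits-remote-launch",
    "LL.LA": "launch-limits-local-activation",
    "LL.RA": "launch-limits-remote-activation",
}

# Constructed stand-in for "the current domain" that a bare user name is qualified with.
DEFAULT_DOMAIN = "corp"


def _glob(pattern, name):
    """Case-insensitive '*' / '?' wildcard match; '.' and '\\' are literal."""
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def expand_rights(pattern):
    """Short names of every right whose short OR long name matches (assumption)."""
    return [s for s, l in RIGHTS.items() if _glob(pattern, s) or _glob(pattern, l)]


def qualify_user(user):
    """Normalise 'user' or 'domain\\user' to lower-case 'domain\\user'."""
    if "\\" not in user:
        user = f"{DEFAULT_DOMAIN}\\{user}"
    return user.lower()


def parse_specifiers(arg):
    """Split 'right:user,right:user,...' into (right_pattern, user) pairs."""
    pairs = []
    for spec in arg.split(","):
        right, sep, user = spec.strip().partition(":")
        if not sep or not right or not user:
            raise ValueError(f"specifier {spec!r} is not of the form right:user")
        pairs.append((right, user))
    return pairs


def apply_change(acl, action, arg):
    """Apply one -allow / -deny / -none argument.
    acl maps (short_right, qualified_user) -> set of ACE kinds present."""
    for right_pat, user in parse_specifiers(arg):
        rights = expand_rights(right_pat)
        if not rights:
            raise ValueError(f"right pattern {right_pat!r} matches no DCOM right")
        for right in rights:
            aces = acl.setdefault((right, qualify_user(user)), set())
            if action == "none":
                aces.clear()        # -none strips both the allow and the deny ACE
            else:
                aces.add(action)    # -allow adds an allow ACE, -deny a deny ACE
    return acl


def view(acl, arg="*:*\\*"):
    """Rows (right, user, kind) selected by a -view argument; user part may be a wildcard."""
    rows = set()
    for right_pat, user_pat in parse_specifiers(arg):
        user_glob = qualify_user(user_pat)
        for (right, user), aces in acl.items():
            right_ok = _glob(right_pat, right) or _glob(right_pat, RIGHTS[right])
            if right_ok and _glob(user_glob, user):
                rows.update((right, user, kind) for kind in aces)
    return sorted(rows)


def effective(acl, right, user):
    """Effective result for one right: an explicit deny ACE outranks an allow ACE."""
    aces = acl.get((right.upper(), qualify_user(user)), set())
    return "deny" if "deny" in aces else ("allow" if "allow" in aces else None)


def run(argv, initial=None):
    """Model one dcomacls invocation over an existing ACL: all changes are applied
    first, then every -view is evaluated, whatever order the arguments were given in."""
    acl = {k: set(v) for k, v in (initial or {}).items()}
    changes, views, i = [], [], 0
    while i < len(argv):
        opt = argv[i].lower()
        has_arg = i + 1 < len(argv) and not argv[i + 1].startswith("-")
        if opt in ("-allow", "-deny", "-none"):
            if not has_arg:
                raise ValueError(f"{argv[i]} requires a rights specifier")
            changes.append((opt[1:], argv[i + 1]))
            i += 2
        elif opt == "-view":
            views.append(argv[i + 1] if has_arg else "*:*\\*")
            i += 2 if has_arg else 1
        elif opt == "-computer":
            i += 2  # the target host does not change the ACL arithmetic modelled here
        else:
            raise ValueError(f"{argv[i]!r} is not modelled (properties and protocols)")
    for action, arg in changes:
        apply_change(acl, action, arg)
    return acl, [row for v in views for row in view(acl, v)]


if __name__ == "__main__":
    # Constructed starting state: the built-in administrator already holds every right.
    start = {(r, "corp\\administrator"): {"allow"} for r in RIGHTS}
    acl, rows = run(["-deny", "*remote*:administrator", "-view", "*:administrator"], start)
    for row in rows:
        print(*row)
    print("AL.R effective:", effective(acl, "AL.R", "administrator"))
```

Running the block reproduces the second example from the Examples section: the three deny ACEs land on the rights whose long names contain "remote", the listing shows both the pre-existing allow ACEs and the new deny ACEs, and the same listing results if -view is placed before -deny on the command line.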

 

Examples

 

# Views all rights on the computer named server

dcomacls -view -computer server

 

# Revokes remote access for the administrator user and then shows the results.

dcomacls -deny *remote*:administrator -view *:administrator

 

# Turns DCOM on and grants everyone full access

dcomacls -allow *:everyone -property enabled=true


Copyright © 2007-2009 Admin Arsenal, Inc.
To comment on this documentation please contact info@adminarsenal.com.