wmi SetSecurityDescriptor


I am trying to grant access rights on systemroot via WMI with SDDL, but I get an invalid parameter error. This is my function:

function GrantSysRoot
{
    Param (
        [string]$strcomputer
    )  
    $sec =  Get-WmiObject -Class Win32_LogicalFileSecuritySetting -Filter "Path='C:\\Windows'" -ComputerName $strcomputer
    $converter = New-Object System.Management.ManagementClass Win32_SecurityDescriptorHelper
    $sddl = $converter.Win32SDToSDDL($sec.GetSecurityDescriptor().Descriptor)
    $newSDDL = $sddl.SDDL += "(" + $SRSDDL + ")"
    $Win32descriptor = $converter.SDDLToWin32SD($newSDDL)
    $result = $sec.SetSecurityDescriptor($Win32descriptor)

    if ($result.ReturnValue -eq 0) {
        LogWrite "Success SystemRoot setting rights"
    } 
    else {
        LogWrite "An error occured with SystemRoot rights settings"
    }
}

The SetSecurityDescriptor method returned an Invalid parameter error. Any ideas?


There are 2 answers

0
altynos On BEST ANSWER

Resolved, we have to use property "descriptor"

$result = $sec.SetSecurityDescriptor($Win32descriptor.Descriptor)
4
Ranadip Dutta On

I think you made a small typo. In your code, I am not able to see anything defined with $SRSDDL, but you are appending the data and storing it in $newSDDL. Could you please re-verify that?

function GrantSysRoot
{
    Param (
        [string]$strcomputer
    )
    # Read the current security settings of C:\Windows on the target computer
    $sec = Get-WmiObject -Class Win32_LogicalFileSecuritySetting -Filter "Path='C:\\Windows'" -ComputerName $strcomputer
    $converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
    # Convert the descriptor to SDDL and append the ACE held in $SDDL
    $sddl = $converter.Win32SDToSDDL($sec.GetSecurityDescriptor().Descriptor)
    $newSDDL = $sddl.SDDL += "(" + $SDDL + ")"
    # Convert the SDDL back and write it to the folder
    $Win32descriptor = $converter.SDDLToWin32SD($newSDDL)
    $result = $sec.SetSecurityDescriptor($Win32descriptor)
    if ($result.ReturnValue -eq 0) {
        LogWrite "Success SystemRoot setting rights"
    }
    else {
        LogWrite "An error occured with SystemRoot rights settings"
    }
}
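
The points from both answers in one function, as an added example that is not code from either poster: each WMI method call returns an out-parameter object, so `.Descriptor` is unwrapped and `ReturnValue` is checked at every step, and the ACE is a mandatory parameter instead of an undefined variable. `Add-FileAce` and its parameter names are hypothetical; the sketch assumes Windows PowerShell (where `Get-WmiObject` exists) and inserts the ACE at the end of the DACL, because an SDDL string can end with an `S:` (SACL) section.

```powershell
# Added example: Add-FileAce and its parameter names are hypothetical.
function Add-FileAce {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Path,  # e.g. 'C:\Windows'
        [Parameter(Mandatory)][string]$Ace    # constructed sample: 'A;OICI;0x1200a9;;;BU'
    )
    if ($Path -match "'") { throw "Path must not contain a single quote" }
    $wmiPath = $Path.Replace('\', '\\')   # WQL string literals need doubled backslashes
    $sec = Get-WmiObject -Class Win32_LogicalFileSecuritySetting `
        -Filter "Path='$wmiPath'" -ComputerName $ComputerName -ErrorAction Stop
    if (-not $sec) { throw "No security setting found for $Path" }
    $helper = New-Object System.Management.ManagementClass Win32_SecurityDescriptorHelper

    # GetSecurityDescriptor returns ReturnValue plus the descriptor in .Descriptor
    $current = $sec.GetSecurityDescriptor()
    if ($current.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($current.ReturnValue)" }

    $toSddl = $helper.Win32SDToSDDL($current.Descriptor)
    if ($toSddl.ReturnValue -ne 0) { throw "Win32SDToSDDL failed: $($toSddl.ReturnValue)" }
    $oldSddl = $toSddl.SDDL

    # Place the ACE at the end of the DACL: before 'S:' if a SACL section follows
    $daclAt = $oldSddl.IndexOf('D:')
    if ($daclAt -lt 0) { throw "Descriptor has no DACL section: $oldSddl" }
    $saclAt = $oldSddl.IndexOf('S:', $daclAt)
    if ($saclAt -ge 0) { $newSddl = $oldSddl.Insert($saclAt, "($Ace)") }
    else               { $newSddl = "$oldSddl($Ace)" }

    # Local sanity check: the constructor throws on malformed SDDL before anything is written
    $null = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $newSddl

    # SDDLToWin32SD also returns a wrapper object, not the descriptor itself
    $toSd = $helper.SDDLToWin32SD($newSddl)
    if ($toSd.ReturnValue -ne 0) { throw "SDDLToWin32SD failed: $($toSd.ReturnValue)" }

    # Pass the unwrapped Win32_SecurityDescriptor, as in the accepted answer
    $result = $sec.SetSecurityDescriptor($toSd.Descriptor)

    # Return old and new SDDL so the change can be logged and rolled back
    [pscustomobject]@{
        ReturnValue = $result.ReturnValue
        OldSddl     = $oldSddl
        NewSddl     = $newSddl
    }
}
```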