olljanat · September 10, 2024 10:04 · olljanat · Sep 10, 2024
diff --git a/Add-WMI-Remote-Readers.ps1 b/Add-WMI-Remote-Readers.ps1
 # Create local "WMI Remote Readers" group and grant read only permissions to WMI for it.
 # NOTE: "Distributed COM Users" group membership is also needed.
 $groupName = "WMI Remote Readers"
 $groupDescription = "Members of this group can remotely read WMI"
 $group = Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue
 if ($group) {
 	return
 }

 New-LocalGroup -Name $groupName -Description $groupDescription

 # Get current ACL
 Write-Host "Get Security Descriptor from WMI"
 $sd = Invoke-WmiMethod -Namespace "root" -Class "__systemsecurity" -Name "GetSecurityDescriptor"
 $acl = $sd.Descriptor

 # Get target account WMI object
 Write-Host "Finding Win32 account"
 $Win32Account = Get-WmiObject -Class Win32_Account -Filter "Domain='$env:COMPUTERNAME' and Name='$groupName'"
 if (-not $Win32Account) {
    Write-Error "Win32 account $env:COMPUTERNAME\$groupName not found"
    return
 }

 # Create access control entry
 Write-Host "Creating new access control entry"
 $ace=(New-Object System.Management.ManagementClass("Win32_Ace")).CreateInstance()
 $ace.AccessMask = 0x20 # RemoteEnable
 $ace.AceFlags = 0x2 # Inherit to sub objects
 $ace.AceType = 0x0 # Allow

 # The TRUSTEE structure identifies the group account to which an access control entry (ACE) applies.
 # The structure can use a name or a security identifier (SID) to identify the trustee.
 Write-Host "Creating new trustee"
 $trustee=(New-Object System.Management.ManagementClass("Win32_Trustee")).CreateInstance()
 $trustee.SidString = $Win32Account.SID
 $ace.Trustee=$trustee

 # Add new ACE to ACL and apply it
 $acl.DACL += $ace
 Write-Host "Set Security Descriptor to WMI"
 Invoke-WmiMethod -Namespace "root" -Path "__systemsecurity=@" -Name "SetSecurityDescriptor" -ArgumentList $acl

 # Force refresh by querying the namespace (optional step)
 Get-WmiObject -Namespace $namespace -Class "__namespace" | Out-Null
	# Create local "WMI Remote Readers" group and grant read only permissions to WMI for it.
	# NOTE: "Distributed COM Users" group membership is also needed.
	$groupName = "WMI Remote Readers"
	$groupDescription = "Members of this group can remotely read WMI"
	$group = Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue
	if ($group) {
	return
	}

	New-LocalGroup -Name $groupName -Description $groupDescription

	# Get current ACL
	Write-Host "Get Security Descriptor from WMI"
	$sd = Invoke-WmiMethod -Namespace "root" -Class "__systemsecurity" -Name "GetSecurityDescriptor"
	$acl = $sd.Descriptor

	# Get target account WMI object
	Write-Host "Finding Win32 account"
	$Win32Account = Get-WmiObject -Class Win32_Account -Filter "Domain='$env:COMPUTERNAME' and Name='$groupName'"
	if (-not $Win32Account) {
	Write-Error "Win32 account $env:COMPUTERNAME\$groupName not found"
	return
	}

	# Create access control entry
	Write-Host "Creating new access control entry"
	$ace=(New-Object System.Management.ManagementClass("Win32_Ace")).CreateInstance()
	$ace.AccessMask = 0x20 # RemoteEnable
	$ace.AceFlags = 0x2 # Inherit to sub objects
	$ace.AceType = 0x0 # Allow

	# The TRUSTEE structure identifies the group account to which an access control entry (ACE) applies.
	# The structure can use a name or a security identifier (SID) to identify the trustee.
	Write-Host "Creating new trustee"
	$trustee=(New-Object System.Management.ManagementClass("Win32_Trustee")).CreateInstance()
	$trustee.SidString = $Win32Account.SID
	$ace.Trustee=$trustee

	# Add new ACE to ACL and apply it
	$acl.DACL += $ace
	Write-Host "Set Security Descriptor to WMI"
	Invoke-WmiMethod -Namespace "root" -Path "__systemsecurity=@" -Name "SetSecurityDescriptor" -ArgumentList $acl

	# Force refresh by querying the namespace (optional step)
	Get-WmiObject -Namespace $namespace -Class "__namespace" \| Out-Null