Huntland Services Ltd

Tel: +44 (0)1392-490518
Fax: +44 (0)1392-428003
Enquiries@huntland.co.uk

Setting Namespace Security Programmatically

 


Download Scripts 

Using wmimgmt.msc an administrator can modify the permissions on individual namespaces in the CIM Repository.  Sometimes it's useful to be able to modify these settings across a number of different systems, remotely and quickly.

These two scripts allow an administrator to choose the settings they want and then apply them to a targeted list of computers.  Because of the limitations of the scripting interface to Security Descriptors using WMI, the mechanism requires an administrator to apply the desired settings to a test namespace, dump these to a file, and finally apply them to the required namespace on a list of target machines.  Here are the instructions:

  1. You must have the appropriate permissions yourself to modify the security settings in WMI.  Local Administrator is good.
  2. Create a dummy namespace on a test machine.  Use the sample MOF file 'Add_MyNameSpace.MOF' by running the command mofcomp.exe Add_MyNameSpace.MOF.  This creates two namespaces, root\myNameSpace and root\myNameSpace\Test1.
  3. Configure the security settings on this namespace as required.  Be aware that some settings may be inherited.  To change the inheritance behaviour you must configure the parent namespace settings.
  4. Run Cscript.exe GetNameSpaceSecurity.vbs "\\Server\root\myNameSpace" "C:\temp\myNameSpace.txt".  This will dump a string version of the Security Descriptor into the text file myNameSpace.txt.  You can call this file whatever you like.  You can just as easily perform these tasks on any WMI namespace, but myNameSpace is supplied here so you don't have to experiment with real stuff.  Notice that the namespace path must include the name of the server if it is remote.  Valid entries here would include "root\myNameSpace" for the local machine.
  5. Open your text file (myNameSpace.txt) and edit the [TargetList] section.  Add a comma separated list of the computers you want to modify the settings on.  Note this list must be on the next line immediately after the [TargetList] section and contain no white spaces.  For example Server1,Server2,    Server3,Server4 will not work correctly.  How you create this list is up to you.  Anything that generates a comma separated list will do, e.g. Excel, or scripts available elsewhere on this site.
  6. Run Cscript.exe SetNameSpaceSecurity.vbs "root\something" "C:\temp\myNameSpace.txt".  This will apply the Security Descriptor from the text file onto the root\something namespace of all the computers listed in the [TargetList] section.  The script connects to each machine in turn and outputs the result to the screen.  It will also list the computers that had errors and write this list back to your text file so you can copy and paste them into the [TargetList] for a re-run.  Notice that you do not specify a server name in the namespace path this time.  The server name is extracted from the text file and automatically concatenated to the namespace.  You can dump the security from one namespace and apply it to another.
  7. If you want to run this again you may want to delete [ErrorList] and [SuccessList] entries from the text input file.  Once you have dumped the security settings you can use this file any time again.
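
A pre-flight check for steps 5 and 7, as an added example that is not part of the Huntland scripts: it validates the [TargetList] line before SetNameSpaceSecurity.vbs is pointed at a list of machines. Test-TargetList is a hypothetical helper name, the sample lines are constructed, and nothing is assumed about the rest of the file's layout.

```powershell
# Added example, not part of the Huntland scripts. Test-TargetList is a
# hypothetical helper; only the section names are taken from the page.
function Test-TargetList {
    param([string[]]$Lines = @())

    $problems = New-Object System.Collections.Generic.List[string]
    $targets  = @()

    # Find the [TargetList] header line.
    $header = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i].Trim() -eq '[TargetList]') { $header = $i; break }
    }

    if ($header -lt 0) {
        $problems.Add('No [TargetList] section found.')
    } elseif (($header + 1 -ge $Lines.Count) -or
              ($Lines[$header + 1] -match '^\s*(\[.*\])?\s*$')) {
        # Step 5: the list must sit on the very next line.
        $problems.Add('Line after [TargetList] is missing, blank or a section header.')
    } else {
        $list = $Lines[$header + 1]
        if ($list -match '\s') { $problems.Add('Target list contains white space.') }

        $targets = @($list -split ',' | ForEach-Object { $_.Trim() })
        if ($targets -contains '') { $problems.Add('Empty entry (doubled or trailing comma).') }

        # Flag names that are listed more than once.
        $targets | Where-Object { $_ } | Group-Object | Where-Object Count -gt 1 |
            ForEach-Object { $problems.Add("Duplicate target: $($_.Name)") }
    }

    # Step 7: results written back by an earlier run are reported, not treated as errors.
    $trimmed = @($Lines | Where-Object { $_ } | ForEach-Object { $_.Trim() })
    foreach ($old in '[ErrorList]', '[SuccessList]') {
        if ($trimmed -contains $old) { Write-Warning "$old from an earlier run is still in the file." }
    }

    [pscustomobject]@{
        Ok = ($problems.Count -eq 0); Targets = $targets; Problems = $problems.ToArray()
    }
}

# Constructed sample lines: the page's failing list, then a clean one.
(Test-TargetList '[TargetList]', 'Server1,Server2,    Server3,Server4').Problems
(Test-TargetList '[TargetList]', 'Server1,Server2,Server3,Server4').Ok
# Against a real dump: Test-TargetList (Get-Content 'C:\temp\myNameSpace.txt')
```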

Please Note

Any kind of activity which makes remote connections and starts altering things is going to be subject to potential occasional failures - e.g. connection lost.  It is therefore possible the modification process is interrupted unexpectedly.  A worst case scenario might leave WMI on a target system in a hung or inaccessible state.  In my experience this is unusual and easily cured by bouncing WMI or by manually re-setting the security or both.  However - BE WARNED!

Handling Inheritance

Experiment with the myNameSpace and myNameSpace\Test1 namespaces to see how inheritance works.  If you want to modify the settings of a namespace which has inherited settings you must first modify the parent.  In WmiMgmt.msc you can use the Advanced button and edit the user so its settings are not propagated down to sub namespaces.  Then configure the sub namespace as required.  Otherwise, whatever you configure will be overwritten by the parent settings.

Non-existent Accounts

If you take the settings off one machine and apply them to another it is always possible that the first machine's accounts may not be recognised by the second.  If so, it doesn't do any damage; the account is simply displayed as 'unknown' and of course is not going to work.  Settings that use well known groups (everyone) or domain accounts will not have any problems.

Remove 'MyNameSpace'

After successfully deploying your new settings you may want to remove the test namespace.  Do this by running Mofcomp.exe Del_MyNameSpace.mof.

 

Please accept the script as is.  Feedback will be gratefully accepted at Debug@huntland.co.uk