{"id":3478,"date":"2012-03-09T14:28:34","date_gmt":"2012-03-09T12:28:34","guid":{"rendered":"https:\/\/ingmarverheij.com\/?p=3478"},"modified":"2013-11-30T13:09:00","modified_gmt":"2013-11-30T12:09:00","slug":"set-dcom-remote-access-via-powershell","status":"publish","type":"post","link":"https:\/\/ingmarverheij.com\/en\/set-dcom-remote-access-via-powershell\/","title":{"rendered":"Set DCOM remote access via PowerShell"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; margin: 0px 5px 0px 0px; padding-left: 0px; padding-right: 0px; display: inline; float: right; padding-top: 0px; border-width: 0px;\" title=\"\" alt=\"\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2012\/03\/component-services-icon.jpg\" width=\"92\" height=\"92\" align=\"right\" border=\"0\" \/>If you want to use the Delivery Services Console (the management console of Citrix XenApp 6.x) from a remote machine, you need to enable remote access in DCOM (as described in <a href=\"https:\/\/support.citrix.com\/article\/CTX131829\" target=\"_blank\">CTX131829<\/a>).<\/p>\n<p>You can automate this via PowerShell using the script found below.<\/p>\n<p><!--more--><\/p>\n<h4>Set-RemotePermission-DCOM.ps1<\/h4>\n<pre lang=\"powershell\">PARAM( \r\n\t[string]$Principal = $(throw \"`nMissing -Principal DOMAIN\\Group\"), \r\n\t$Computers = $(throw \"`nMissing -Computers ('server01','server02')\"))\r\n\r\n# USAGE: \r\n# .\\Set-RemotePermission-DCOM.ps1 -Principal \"DOMAIN\\\" -Computers ('', '',...)\r\n#\r\n# EXAMPLE:\r\n# .\\Set-RemotePermission-DCOM.ps1 -Principal \"DOMAIN\\LG-Citrix-Admins\" -Computers ('CTX_DC001', 'CTX_DC002')\r\n#\r\n# Inspired by Karl Mitschke's post:\r\n# https:\/\/unlockpowershell.wordpress.com\/2009\/11\/20\/script-remote-dcom-wmi-access-for-a-domain-user\/\r\n#\r\n# And inspired by Brad Turner's post:\r\n# https:\/\/social.technet.microsoft.com\/Forums\/en-US\/ilm2\/thread\/5db2707c-87c9-4bb2-a0eb-912363e2814a\/\r\n\r\nfunction 
get-sid\r\n{\r\n PARAM ($DSIdentity)\r\n $ID = new-object System.Security.Principal.NTAccount($DSIdentity)\r\n return $ID.Translate( [System.Security.Principal.SecurityIdentifier] ).toString()\r\n}\r\n\r\n$sid = get-sid $Principal\r\n\r\n#DefaultLaunchPermission - Local Launch, Remote Launch, Local Activation, Remote Activation\r\n$DCOMSDDLDefaultLaunchPermission = \"A;;CCDCLCSWRP;;;$sid\"\r\n\r\n#DefaultAccessPermision - Local Access, Remote Access\r\n$DCOMSDDLDefaultAccessPermision = \"A;;CCDCLC;;;$sid\"\r\n\r\n#PartialMatch\r\n$DCOMSDDLPartialMatch = \"A;;\\w+;;;$sid\"\r\n\r\nforeach ($strcomputer in $computers)\r\n{\r\n write-host \"`nWorking on $strcomputer with principal $Principal ($sid):\"\r\n # Get the respective binary values of the DCOM registry entries\r\n $Reg = [WMIClass]\"\\\\$strcomputer\\root\\default:StdRegProv\"\r\n $DCOMDefaultLaunchPermission = $Reg.GetBinaryValue(2147483650,\"software\\microsoft\\ole\",\"DefaultLaunchPermission\").uValue\r\n $DCOMDefaultAccessPermission = $Reg.GetBinaryValue(2147483650,\"software\\microsoft\\ole\",\"DefaultAccessPermission\").uValue\r\n\r\n # Convert the current permissions to SDDL\r\n write-host \"`tConverting current permissions to SDDL format...\"\r\n $converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper\r\n $CurrentDCOMSDDLDefaultLaunchPermission = $converter.BinarySDToSDDL($DCOMDefaultLaunchPermission)\r\n $CurrentDCOMSDDLDefaultAccessPermission = $converter.BinarySDToSDDL($DCOMDefaultAccessPermission)\r\n\r\n # Build the new permissions\r\n if (($CurrentDCOMSDDLDefaultLaunchPermission.SDDL -match $DCOMSDDLPartialMatch) -and ($CurrentDCOMSDDLDefaultLaunchPermission.SDDL -notmatch $DCOMSDDLDefaultLaunchPermission))\r\n {\r\n   $NewDCOMSDDLDefaultLaunchPermission = $CurrentDCOMSDDLDefaultLaunchPermission.SDDL -replace $DCOMSDDLPartialMatch, $DCOMSDDLDefaultLaunchPermission\r\n }\r\n else\r\n {\r\n   $NewDCOMSDDLDefaultLaunchPermission = 
$CurrentDCOMSDDLDefaultLaunchPermission.SDDL + \"(\" + $DCOMSDDLDefaultLaunchPermission + \")\"\r\n }\r\n\r\n if (($CurrentDCOMSDDLDefaultAccessPermission.SDDL -match $DCOMSDDLPartialMatch) -and ($CurrentDCOMSDDLDefaultAccessPermission.SDDL -notmatch $DCOMSDDLDefaultAccessPermision))\r\n {\r\n   $NewDCOMSDDLDefaultAccessPermission = $CurrentDCOMSDDLDefaultAccessPermission.SDDL -replace $DCOMSDDLPartialMatch, $DCOMSDDLDefaultAccessPermision\r\n }\r\n else\r\n {\r\n   $NewDCOMSDDLDefaultAccessPermission = $CurrentDCOMSDDLDefaultAccessPermission.SDDL + \"(\" + $DCOMSDDLDefaultAccessPermision + \")\"\r\n }\r\n\r\n # Convert SDDL back to Binary\r\n write-host \"`tConverting SDDL back into binary form...\"\r\n $DCOMbinarySDDefaultLaunchPermission = $converter.SDDLToBinarySD($NewDCOMSDDLDefaultLaunchPermission)\r\n $DCOMconvertedPermissionDefaultLaunchPermission = ,$DCOMbinarySDDefaultLaunchPermission.BinarySD\r\n\r\n $DCOMbinarySDDefaultAccessPermission = $converter.SDDLToBinarySD($NewDCOMSDDLDefaultAccessPermission)\r\n $DCOMconvertedPermissionsDefaultAccessPermission = ,$DCOMbinarySDDefaultAccessPermission.BinarySD\r\n\r\n # Apply the changes\r\n write-host \"`tApplying changes...\"\r\n if ($CurrentDCOMSDDLDefaultLaunchPermission.SDDL -match $DCOMSDDLDefaultLaunchPermission)\r\n {\r\n   write-host \"`t`tCurrent DefaultLaunchPermission matches desired value.\"\r\n }\r\n else\r\n {\r\n   $result = $Reg.SetBinaryValue(2147483650,\"software\\microsoft\\ole\",\"DefaultLaunchPermission\", $DCOMbinarySDDefaultLaunchPermission.binarySD)\r\n   if($result.ReturnValue -eq 0){write-host \"  Applied DefaultLaunchPermission complete.\"}\r\n }\r\n\r\n if ($CurrentDCOMSDDLDefaultAccessPermission.SDDL -match $DCOMSDDLDefaultAccessPermision)\r\n {\r\n   write-host \"`t`tCurrent DefaultAccessPermission matches desired value.\"\r\n }\r\n else\r\n {\r\n   $result = $Reg.SetBinaryValue(2147483650,\"software\\microsoft\\ole\",\"DefaultAccessPermission\", 
$DCOMbinarySDDefaultAccessPermission.binarySD)\r\n   if($result.ReturnValue -eq 0){write-host \"  Applied DefaultAccessPermission complete.\"}\r\n\r\n }\r\n}\r\n#----------------------------------------------------------------------------------------------------------\r\n trap \r\n { \r\n $exMessage = $_.Exception.Message\r\n if($exMessage.StartsWith(\"L:\"))\r\n {write-host \"`n\" $exMessage.substring(2) \"`n\" -foregroundcolor white -backgroundcolor darkblue}\r\n else {write-host \"`nError: \" $exMessage \"`n\" -foregroundcolor white -backgroundcolor darkred}\r\n Exit\r\n }\r\n#----------------------------------------------------------------------------------------------------------<\/pre>\n<p><strong id=\"download\">Download<\/strong><\/p>\n<a  data-e-Disable-Page-Transition=\"true\" class=\"download-link\" title=\"\" href=\"https:\/\/ingmarverheij.com\/en\/download\/5819\/?tmstv=1776627727\" rel=\"nofollow\" id=\"download-link-5819\" data-redirect=\"false\" >\n\tSet-RemotePermission-DCOM.ps1<\/a>\n\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Usage<\/strong><\/p>\n<pre>.\\Set-RemotePermission-DCOM.ps1 -Principal \"Contoso\\LG-Citrix Admins\" -Computers 'LocalHost'\r\n.\\Set-RemotePermission-DCOM.ps1 -Principal \"Contoso\\LG-Citrix Admins\" -Computers 'CTX_DC001'\r\n.\\Set-RemotePermission-DCOM.ps1 -Principal \"Contoso\\LG-Citrix Admins\" -Computers ('CTX_DC001', 'CTX_DC002')<\/pre>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>PS: The script is based on the script found in this <a href=\"https:\/\/social.technet.microsoft.com\/Forums\/en-US\/ilm2\/thread\/5db2707c-87c9-4bb2-a0eb-912363e2814a\/\" target=\"_blank\">TechNet forum post<\/a>.<\/p>\n<p>&nbsp;<\/p>\n<p>As requested by <a href=\"https:\/\/twitter.com\/#!\/neilspellings\" target=\"_blank\">Neil Spellings<\/a>:<\/p>\n<p><a href=\"https:\/\/twitter.com\/neilspellings\/statuses\/178079347633176576\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; margin: 0px 5px 0px 0px; padding-left: 0px; padding-right: 0px; 
display: inline; padding-top: 0px; border: 0px;\" title=\"\" alt=\"\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2012\/03\/Twitter-neilspellings-Wondering-if-andyjmorgan-1.png\" width=\"551\" height=\"237\" border=\"0\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you want to use the Delivery Services Console (the management console of Citrix XenApp 6.x) from a remote machine, you need to enable remote access in DCOM (as described in CTX131829). You can automate this via PowerShell using the script found below.<\/p>","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[152],"tags":[667,424,423,672],"class_list":["post-3478","post","type-post","status-publish","format-standard","hentry","category-powershell","tag-citrix","tag-ctx131829","tag-dcom","tag-powershell"],"_links":{"self":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts\/3478","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/comments?post=3478"}],"version-history":[{"count":5,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts\/3478\/revisions"}],"predecessor-version":[{"id":5893,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts\/3478\/revisions\/5893"}],"wp:attachment":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/media?paren
t=3478"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/categories?post=3478"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/tags?post=3478"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}