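#Requires -RunAsAdministrator
<#
.SYNOPSIS
  Grants an account the WMI namespace rights needed for remote WMI queries.

.DESCRIPTION
  Adds one access-allowed ACE to the DACL of a WMI namespace (default
  root\cimv2) for the given account. The ACE carries
  WBEM_ENABLE | WBEM_METHOD_EXECUTE | WBEM_REMOTE_ACCESS (1 | 2 | 0x20),
  i.e. Enable Account, Execute Methods and Remote Enable, and nothing more
  (no Full Write, no Edit Security). If an allow ACE for the same SID already
  covers every requested bit, the descriptor is left untouched instead of
  growing a duplicate entry on each run.

.PARAMETER Account
  Account to grant, as DOMAIN\Name or COMPUTER\Name. A bare name is looked up
  as a local account on this computer.

.PARAMETER Namespace
  WMI namespace whose security descriptor is modified. Default root\cimv2.

.NOTES
  Must run elevated: SetSecurityDescriptor on __SystemSecurity requires
  administrative rights. Remote Enable opens the namespace to network
  callers, so grant it to a dedicated least-privilege account rather than a
  broad built-in group.
#>
param(
  [Parameter(Mandatory = $true)]
  [ValidateNotNullOrEmpty()]
  [string]$Account,

  [string]$Namespace = "root\cimv2"
)

# Surface cmdlet failures (e.g. WMI/RPC errors) as terminating errors so a
# half-applied change is never reported as success.
$ErrorActionPreference = 'Stop'

# Split DOMAIN\Name. A bare name is treated as a local account, whose
# Win32_Account.Domain is the computer name; without this branch the
# original left $domain/$accountname undefined and built an empty filter.
if ($Account.Contains('\')) {
  $parts = $Account.Split('\')
  $domain = $parts[0]
  $accountName = $parts[1]
} else {
  $domain = $env:COMPUTERNAME
  $accountName = $Account
}

# Get Domain Account SID.
# The account name is interpolated into a WQL string literal; escape the
# characters WQL treats specially (backslash and single quote) so an unusual
# name cannot alter the filter.
$wqlDomain = $domain.Replace('\', '\\').Replace("'", "\'")
$wqlName = $accountName.Replace('\', '\\').Replace("'", "\'")
$getParams = @{
  Class  = "Win32_Account"
  Filter = "Domain='$wqlDomain' and Name='$wqlName'"
}
$win32Account = Get-WmiObject @getParams
if ($null -eq $win32Account) { throw "Account was not found: $Account" }

# Set WMI Permission.
# Required rights: Enable Account (1), Execute Methods (2), Remote Enable (0x20).
# https://learn.microsoft.com/en-us/windows/win32/api/wbemcli/ne-wbemcli-wbem_security_flags
$WBEM_ENABLE         = 1
$WBEM_METHOD_EXECUTE = 2
$WBEM_REMOTE_ACCESS  = 0x20
# Combine as a bit mask rather than arithmetic sum.
$accessMask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS

# Read the namespace's current security descriptor.
$invokeParams = @{ Namespace = $Namespace; Path = "__systemsecurity=@" }
$output = Invoke-WmiMethod @invokeParams -Name GetSecurityDescriptor
if ($output.ReturnValue -ne 0) {
  throw "GetSecurityDescriptor failed: $($output.ReturnValue)"
}
$acl = $output.Descriptor

$ACCESS_ALLOWED_ACE_TYPE = 0x0

# Idempotency: skip when an allow ACE for this SID already carries every
# requested bit. @() guards a DACL with zero or one entry.
$existing = @($acl.DACL | Where-Object {
  $_.AceType -eq $ACCESS_ALLOWED_ACE_TYPE -and
  $_.Trustee.SidString -eq $win32Account.Sid -and
  ($_.AccessMask -band $accessMask) -eq $accessMask
})
if ($existing.Count -gt 0) {
  Write-Verbose "Account $Account already holds the requested rights on $Namespace"
  return
}

# Build the ACE: allow type, requested mask, trustee identified by SID.
$ace = (New-Object System.Management.ManagementClass("win32_Ace")).CreateInstance()
$ace.AccessMask = $accessMask
$ace.AceFlags = 0   # no inheritance flags set
$ace.AceType = $ACCESS_ALLOWED_ACE_TYPE

$trustee = (New-Object System.Management.ManagementClass("win32_Trustee")).CreateInstance()
$trustee.SidString = $win32Account.Sid
$ace.Trustee = $trustee

# Append to the descriptor's DACL ($acl), not to the ACE itself as the
# original did; the unwrapped base object is what WMI expects.
$acl.DACL += $ace.psobject.immediateBaseObject

# Write the updated descriptor back to the namespace.
$setParams = @{
  Name         = "SetSecurityDescriptor"
  ArgumentList = $acl.psobject.immediateBaseObject
} + $invokeParams
$output = Invoke-WmiMethod @setParams
if ($output.ReturnValue -ne 0) {
  throw "SetSecurityDescriptor failed: $($output.ReturnValue)"
}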