Change DCOM config security settings using Powershell
Looks like you would do it using WMI.
Get an instance of: Win32_DCOMApplicationSetting like this:
$dcom = Get-WMIObject -Class Win32_DCOMApplicationSetting -Filter 'Description="Something"'Now you have access to the SetAccessSecurityDescriptor and SetLaunchSecurityDescriptor methods.
From: http://msdn.microsoft.com/en-us/library/windows/desktop/aa384905(v=vs.85).aspx
DCOM applications
DCOM application instances have several security descriptors. Starting with Windows Vista, use methods of the Win32_DCOMApplicationSetting class to get or change the various security descriptors. Security descriptors are returned as instances of the Win32_SecurityDescriptor class.
To get or change the configuration permissions, call the GetConfigurationSecurityDescriptor or SetConfigurationSecurityDescriptor methods.
To get or change the access permissions, call the GetAccessSecurityDescriptor or SetAccessSecurityDescriptor methods.
To get or change the startup and activation permissions, call the GetLaunchSecurityDescriptor or SetLaunchSecurityDescriptor methods.
Windows Server 2003, Windows XP, Windows 2000, Windows NT 4.0, and Windows Me/98/95: The Win32_DCOMApplicationSetting security descriptor methods are not available.
There's also a tool called DCOMPERM in which source code is available in the Windows SDK: http://www.microsoft.com/en-us/download/details.aspx?id=8279
You can find compiled versions around online if you search for DCOMPERM compiled.
Here are the command line options:
Syntax: dcomperm <option> [...] Options:Modify or list the machine access permission list -ma <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r"] -ma listModify or list the machine launch permission list -ml <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r,ll,la,rl,ra"] -ml listModify or list the default access permission list -da <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r"] -da listModify or list the default launch permission list -dl <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r,ll,la,rl,ra"] -dl listModify or list the access permission list for a specific AppID -aa <AppID> <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r"] -aa <AppID> default -aa <AppID> listModify or list the launch permission list for a specific AppID -al <AppID> <"set" or "remove"> <Principal Name> ["permit" or "deny"] ["level:l,r,ll,la,rl,ra"] -al <AppID> default -al <AppID> listlevel: ll - local launch (only applies to {ml, dl, al} options) rl - remote launch (only applies to {ml, dl, al} options) la - local activate (only applies to {ml, dl, al} options) ra - remote activate (only applies to {ml, dl, al} options) l - local (local access - means launch and activate when used with {ml, dl, al} options) r - remote (remote access - means launch and activate when used with {ml, dl, al} options)
I had the same question as the OP. The answer Andy posted was very helpful and got me halfway. I then found the Set-DCOMLaunchPermissions written by someone to help them deploy SharePoint.
I adapted their function for my purposes and came up with a solution that sets the permissions I need.
$user = "sql2012agent"$domain = "MYDOMAIN"$appdesc = "Microsoft SQL Server Integration Services 11.0"$app = get-wmiobject -query ('SELECT * FROM Win32_DCOMApplicationSetting WHERE Description = "' + $appdesc + '"') -enableallprivileges#$appid = "{83B33982-693D-4824-B42E-7196AE61BB05}"#$app = get-wmiobject -query ('SELECT * FROM Win32_DCOMApplicationSetting WHERE AppId = "' + $appid + '"') -enableallprivileges$sdRes = $app.GetLaunchSecurityDescriptor()$sd = $sdRes.Descriptor$trustee = ([wmiclass] 'Win32_Trustee').CreateInstance()$trustee.Domain = $domain$trustee.Name = $user$fullControl = 31$localLaunchActivate = 11$ace = ([wmiclass] 'Win32_ACE').CreateInstance()$ace.AccessMask = $localLaunchActivate$ace.AceFlags = 0$ace.AceType = 0$ace.Trustee = $trustee[System.Management.ManagementBaseObject[]] $newDACL = $sd.DACL + @($ace)$sd.DACL = $newDACL$app.SetLaunchSecurityDescriptor($sd)