Setting WMI ACLs via SetSecurityDescriptor
In the article you refer to, the call is different and those differences could well be important - the params are a single hashtable built up to include all the params as name/value pairs:
$invokeparams = @{Namespace=$namespace;Path="__systemsecurity=@"}
$setparams = @{Name="SetSecurityDescriptor";ArgumentList=$acl.psobject.immediateBaseObject} + $invokeParams
$output = Invoke-WmiMethod @setparams
I got this to work by changing this line
# AceFlags are $OBJECT_INHERIT_ACE_FLAG, $CONTAINER_INHERIT_ACE_FLAG
$ace.AceFlags = 0x01 + 0x2
to
# AceFlags are $CONTAINER_INHERIT_ACE_FLAG
$ace.AceFlags = 0x2
I wish I could tell you why this change is necessary, but I don't really know. I also changed the invokeparams to equal @{Path="__systemsecurity=@"; Namespace="root"} so that the script sets the permissions at the root level instead of the cimv2 level. The permission seems to be inherited as expected.
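To check the result rather than rely on "seems to be inherited", the descriptor can be read back and its ACE flags decoded. This is an added example, not code from the thread or the referenced article; the function name Get-WmiNamespaceAce is hypothetical, and it assumes an elevated Windows PowerShell session where Invoke-WmiMethod is available.

```powershell
# Added example: Get-WmiNamespaceAce is a hypothetical helper name.
# Reads the namespace DACL through __SystemSecurity.GetSecurityDescriptor
# and decodes each ACE so inheritance can be verified after a change.
function Get-WmiNamespaceAce {
    param(
        [string]$Namespace = 'root'
    )

    # ACE flag bits as defined in the Windows SDK (winnt.h)
    $flagBits = [ordered]@{
        OBJECT_INHERIT_ACE       = 0x01
        CONTAINER_INHERIT_ACE    = 0x02
        NO_PROPAGATE_INHERIT_ACE = 0x04
        INHERIT_ONLY_ACE         = 0x08
        INHERITED_ACE            = 0x10
    }

    $invokeparams = @{ Namespace = $Namespace; Path = '__systemsecurity=@' }
    $output = Invoke-WmiMethod @invokeparams -Name GetSecurityDescriptor
    if ($output.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor on '$Namespace' failed: $($output.ReturnValue)"
    }

    foreach ($ace in $output.Descriptor.DACL) {
        # Names of every flag bit set on this ACE
        $names = $flagBits.GetEnumerator() |
            Where-Object { $ace.AceFlags -band $_.Value } |
            ForEach-Object { $_.Key }

        # Fall back to the SID when the trustee name did not resolve
        $who = if ($ace.Trustee.Name) {
            '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
        } else {
            $ace.Trustee.SidString
        }

        [pscustomobject]@{
            Namespace  = $Namespace
            Trustee    = $who
            AceType    = $ace.AceType          # 0 = allow, 1 = deny
            AccessMask = '0x{0:X}' -f $ace.AccessMask
            AceFlags   = '0x{0:X2}' -f $ace.AceFlags
            FlagNames  = $names -join ', '
            Inherited  = [bool]($ace.AceFlags -band 0x10)
        }
    }
}

# Compare the ACE set at root with what the child namespace received.
'root', 'root\cimv2' | ForEach-Object { Get-WmiNamespaceAce -Namespace $_ } |
    Format-Table -AutoSize
```

An ACE set at root with AceFlags 0x2 should appear on root\cimv2 for the same trustee with INHERITED_ACE (0x10) set; if it is missing there, the permission did not propagate.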