Automating DCOM ACL with PowerShell

Sometimes you need to set explicit permissions on DCOM objects. You can do this with dcomcnfg.exe, which lets you set permissions on every DCOM object on a computer. However, that is doing it manually. 🙂 If you ever need to automate this step, you can do it with PowerShell, and here is how. Please note that you have to run PowerShell as Administrator.

There are 5 steps to configure DCOM ACL.

1.) Get WMI object

2.) Get Descriptor

3.) Create Trustee and assign it rights

4.) Add Trustee to Descriptor

5.) Set WMI object

In step one, we get the WMI object for the DCOM application we want to set permissions on. In the example below, we get the settings for the Messaging application:

$wmi = Get-WmiObject -Class Win32_DCOMApplicationSetting -Filter 'caption="Messages"' -EnableAllPrivileges

In step two we get the current security descriptor for this object, so we can add permissions to the existing set. We can get and set permissions for all three types (Launch, Access and Configuration):

$descL = $wmi.GetLaunchSecurityDescriptor().descriptor
$descA = $wmi.GetAccessSecurityDescriptor().descriptor
$descC = $wmi.GetConfigurationSecurityDescriptor().descriptor

Image from GUI:


In step three we create our own trustee object, which we will use to assign rights to. It consists of the domain, the user name and the permissions we would like to assign to it. In this example we set all permissions to allow for the Interactive user object.

$trusteeObj = ([wmiclass]'Win32_Trustee').psbase.CreateInstance()
$trusteeObj.Domain = "NT authority"
$trusteeObj.Name = "Interactive"

$ace = ([wmiclass]'Win32_ACE').psbase.CreateInstance()
$ace.AccessMask = 31   # all five COM rights: Execute (1) + ExecuteLocal (2) + ExecuteRemote (4) + ActivateLocal (8) + ActivateRemote (16)
$ace.AceType = 0       # 0 = access allowed, which is what "set to allow" means here
$ace.trustee = $trusteeObj

If you need to set different permissions than in the example above, you can get the AccessMask values by manually setting the permissions you need in the GUI and then reading them back with PowerShell. In step two we got the current descriptor, from which we can read the current permissions.

First we need to get the DACL list:


In this object you have the current Trustee and its AccessMask.
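Reading the existing DACL entries back and decoding each AccessMask into named rights, as an added example that is not part of the original post. It assumes the same Win32_DCOMApplicationSetting object used above and the documented COM_RIGHTS_* bit values; Get-DcomAclReport is a name made up for this example.

```powershell
# Added example (not the post's own code). Lists every ACE in an application's
# Launch, Access and Configuration DACLs and decodes the AccessMask bits, so you
# can see which trustee already holds which right before adding your own ACE.
# Bit values below are the documented COM_RIGHTS_* constants (assumed here).
$ComRights = @(
    @{ Bit = 1;  Name = 'Execute' }          # COM_RIGHTS_EXECUTE
    @{ Bit = 2;  Name = 'ExecuteLocal' }     # COM_RIGHTS_EXECUTE_LOCAL  (Local Launch / Local Access)
    @{ Bit = 4;  Name = 'ExecuteRemote' }    # COM_RIGHTS_EXECUTE_REMOTE (Remote Launch / Remote Access)
    @{ Bit = 8;  Name = 'ActivateLocal' }    # COM_RIGHTS_ACTIVATE_LOCAL
    @{ Bit = 16; Name = 'ActivateRemote' }   # COM_RIGHTS_ACTIVATE_REMOTE
)

function Get-DcomAclReport {
    param([Parameter(Mandatory)][string]$Caption)   # e.g. 'Messages'
    # WQL escapes backslashes and quotes with a backslash.
    $wql = "caption='{0}'" -f $Caption.Replace('\', '\\').Replace("'", "\'")
    $app = Get-WmiObject -Class Win32_DCOMApplicationSetting -Filter $wql -EnableAllPrivileges
    if (-not $app) { throw "No DCOM application with caption '$Caption' found." }
    $descriptors = @{
        Launch = $app.GetLaunchSecurityDescriptor().Descriptor
        Access = $app.GetAccessSecurityDescriptor().Descriptor
        Config = $app.GetConfigurationSecurityDescriptor().Descriptor
    }
    foreach ($kind in 'Launch', 'Access', 'Config') {
        $sd = $descriptors[$kind]
        if ($null -eq $sd) { continue }   # no explicit descriptor: machine-wide defaults apply
        foreach ($ace in $sd.DACL) {
            $rights = if ($kind -eq 'Config') {
                '0x{0:X}' -f $ace.AccessMask     # registry-key rights, not COM rights; left raw
            } else {
                ($ComRights | Where-Object { $ace.AccessMask -band $_.Bit } |
                    ForEach-Object { $_.Name }) -join ','
            }
            $aceType = switch ($ace.AceType) { 0 { 'Allow' } 1 { 'Deny' } default { "Other($_)" } }
            [pscustomobject]@{
                Application = $app.Caption
                AclType     = $kind
                Trustee     = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
                AceType     = $aceType
                AccessMask  = $ace.AccessMask
                Rights      = $rights
            }
        }
    }
}

# Run as Administrator; after the steps in the post, "NT authority\Interactive" appears with all five rights.
Get-DcomAclReport -Caption 'Messages' | Format-Table -AutoSize
```

A modified descriptor is written back with the matching SetLaunchSecurityDescriptor, SetAccessSecurityDescriptor and SetConfigurationSecurityDescriptor methods on the same object.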

From here on it is very simple…

In step four we add the ACE we created in step three to each descriptor:

$descL.DACL += [System.Management.ManagementBaseObject]$ace
$descA.DACL += [System.Management.ManagementBaseObject]$ace
$descC.DACL += [System.Management.ManagementBaseObject]$ace

And in step five we write it back using WMI.


We can see the changes we made using dcomcnfg.exe or PowerShell.


Again, do not forget to run PowerShell as Administrator! 😉

Code is available for download on TechNet:

Hope this helps you.


Delete Disabled Profiles from Computers

Your users connect to a terminal server so they can use an application, and everything works just fine, until one day a user can't connect. You swing into action and find out that the problem lies on your hard drive, or rather in the lack of it: you have run out of disk space on your terminal server. You check what is taking up most of the space, and you see there are dozens and dozens of user profile folders. Now, you could go and delete just the folders, but that results in users getting temporary profiles. The other option is to go to the advanced settings of your system and delete the profiles from there. But how do you know which ones to delete?


You could delete just the biggest ones, but the User Profiles dialog does not allow any kind of sorting. The other thing you could do, this being a terminal server, is delete all profiles, but one by one? Who wants to do that. You guessed it: a script.

I wrote a script that does just that. It is available on the TechNet Gallery.

To be able to run it, you must have administrator privileges on the target computer and the Active Directory module installed on the computer running it.

It only works on Windows Vista/Server 2008 and above, because the WMI class I use did not exist before that.

Enjoy it, and save your disk space. 🙂