Script Tips

First Person Impersonate

Welcome to a new column on scripting!

Welcome to my new column! In each installment, I'll introduce you to a useful new Windows administration script, scripting technique or concept, or script snippet which you can plug into your own scripts for a faster, more efficient scripting experience. And as always, I also invite you to stop by my Web site, www.ScriptingAnswers.com, for more free scripts, discussion forums and more.

This time out, I'd like to briefly discuss Windows Management Instrumentation (WMI) and security. You've doubtless seen WMI scripts that start off something like this:

Set objWMIService = GetObject("winmgmts:" _
   & "{impersonationLevel=impersonate}!\\" & strComputer & _
   "\root\cimv2")

Set colItems = objWMIService.ExecQuery("Select * from " & _
   "Win32_OperatingSystem")

This code uses the winmgmts moniker to connect to WMI on the computer specified in the variable strComputer; it connects to the computer's \root\cimv2 WMI namespace (which is where all the core Windows WMI classes hang out), and then query the instances of the Win32_OperatingSystem class. Straightforward and common, this is probably the most-used way of connecting to WMI.

But it is lacking in one way: While you can specify an impersonation level (WMI works best with the impersonate level used in the snippet above), you can't specify alternate credentials. That is to say, this script will take your current user account and pass it to the remote machine's WMI service, and that service will impersonate your credentials to execute the query. What if, however, the account used to run the script doesn't have permissions on the remote machine to execute the WMI query? Well, then, your script will fail.

There is another way. Check this out:

Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objService = objLocator.ConnectServer(strComputer, _
   "root\cimv2", strUser, strPassword)
Set colItems = objService.ExecQuery("Select * from " & _
   "Win32_OperatingSystem")

This approach performs the same function as the first snippet—querying all instances of Win32_OperatingSystem from the computer specified in strComputer—but it allows you to specify alternate credentials by plugging a username into strUser and a password into strPassword. Note that this technique only works for remote scripting; you can't specify alternate credentials when connecting to the local computer's WMI service, and if you try, you'll get an error.

Want More Scripting?

For more scripting help, check out Don's work at http://www.scriptinganswers.com. Plus, don't forget "Mr. Script" columnist Chris Brooke over at http://redmondmag.com/columns/mcsescripting/.

And, let us know how you like Don's new column by e-mailing us at [email protected] with "Scripting Answers column" on the subject line of your message and I'll send 3 lucky winners from all respondents a nifty MCPmag.com baseball cap. Contest ends December 16; winners will be announced in December 20th column.

Also notice that I didn't specify the impersonation level. These days, you don't generally have to; earlier versions of WMI defaulted to the identify level of impersonation, which isn't really impersonation at all and wouldn't allow the WMI query to execute. The current version of WMI, however, defaults to impersonate, so you're okay.

Use this technique to write more flexible WMI scripts. Be sure, however, to always prompt for the alternate user account password! Never ever ever hard-code the password into the script, because it'll be too easy for someone else to get the password simply by reading the script file.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.

comments powered by Disqus
Most   Popular