First Person Impersonate
Welcome to a new column on scripting!
Welcome to my new column! In each installment, I'll introduce you to
a useful new Windows administration script, scripting technique or concept,
or script snippet which you can plug into your own scripts for a faster,
more efficient scripting experience. And as always, I also invite you
to stop by my Web site, www.ScriptingAnswers.com
for more free scripts, discussion forums and more.
This time out, I'd like to briefly discuss Windows Management Instrumentation
(WMI) and security. You've doubtless seen WMI scripts that start off something
Set objWMIService = GetObject("winmgmts:" _
& strComputer & _
Set colItems = objWMIService.ExecQuery("Select * from
" & _
This code uses the winmgmts moniker to connect to WMI on the computer
specified in the variable strComputer; it connects to the computer's \root\cimv2
WMI namespace (which is where all the core Windows WMI classes hang out),
and then query the instances of the Win32_OperatingSystem class. Straightforward
and common, this is probably the most-used way of connecting to WMI.
But it is lacking in one way: While you can specify an impersonation
level (WMI works best with the impersonate level used in the snippet above),
you can't specify alternate credentials. That is to say, this script will
take your current user account and pass it to the remote machine's WMI
service, and that service will impersonate your credentials to execute
the query. What if, however, the account used to run the script doesn't
have permissions on the remote machine to execute the WMI query? Well,
then, your script will fail.
There is another way. Check this out:
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objService = objLocator.ConnectServer(strComputer, _
"root\cimv2", strUser, strPassword)
Set colItems = objService.ExecQuery("Select * from " & _
This approach performs the same function as the first snippetquerying
all instances of Win32_OperatingSystem from the computer specified in
strComputerbut it allows you to specify alternate credentials by
plugging a username into strUser and a password into strPassword. Note
that this technique only works for remote scripting; you can't specify
alternate credentials when connecting to the local computer's WMI service,
and if you try, you'll get an error.
For more scripting help, check
out Don's work at http://www.scriptinganswers.com.
Plus, don't forget "Mr.
Script" columnist Chris Brooke over at http://redmondmag.com/columns/mcsescripting/.
And, let us know how you like Don's new column by
e-mailing us at [email protected]
with "Scripting Answers column" on the subject
line of your message and I'll send 3 lucky winners from
all respondents a nifty MCPmag.com baseball cap. Contest
ends December 16; winners will be announced in December
Also notice that I didn't specify the impersonation level. These days,
you don't generally have to; earlier versions of WMI defaulted to the
identify level of impersonation, which isn't really impersonation at all
and wouldn't allow the WMI query to execute. The current version of WMI,
however, defaults to impersonate, so you're okay.
Use this technique to write more flexible WMI scripts. Be sure, however,
to always prompt for the alternate user account password! Never ever ever
hard-code the password into the script, because it'll be too easy for
someone else to get the password simply by reading the script file.
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.