SetSD method of the __SystemSecurity class
The SetSD method sets the security descriptor for the namespace to which a user is connected. This method requires a security descriptor in binary byte array format. If you are writing a script, use the SetSecurityDescriptor method. For more information, see Securing WMI Namespaces and Changing Access Security on Securable Objects.
If you are programming in C++, you can manipulate the binary security descriptor using SDDL, and the conversion methods ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor.
A user must have the WRITE_DAC permission, and by default, an administrator has that permission. The only part of the security descriptor that is used is the noninherited access control entry (ACE) in the discretionary access control list (DACL). By setting the CONTAINER_INHERIT flag in the ACEs, the security descriptor affects child namespaces. Both allow and deny ACEs are permitted.
Note: Because deny and allow ACEs are both permitted in a DACL, the order of ACEs is important. For more information, see Ordering of ACEs in a DACL.
Windows Me/98/95: Use the Set9XUserList and Get9XUserList methods to control access to namespaces.
Syntax
HRESULT SetSD( [in] uint8 SD[] );
Parameters
- SD [in]: Byte array that makes up the security descriptor.
Return value
Returns an HRESULT that indicates the status of a method call. For scripting and Visual Basic applications, the result can be obtained from OutParameters.ReturnValue. For more information, see Constructing InParameters Objects and Parsing OutParameters Objects.
Windows Server 2003, Windows XP, Windows 2000, Windows NT 4.0, and Windows Me/98/95: WMI does not use security descriptor definition strings (SDDL). You also cannot use a Win32_SecurityDescriptor object or any of its component classes, such as Win32_ACE, to change the security descriptor.
The following table lists the return values that are significant to SetSD.
| Return code | Description |
|---|---|
| | Method executed successfully. |
| | Caller does not have sufficient rights to call this method. |
| | Attempted to run this method on Windows XP, Windows 2000, or Windows NT. |
| | SD does not pass basic validity tests. |
| | SD is not valid due to one of the following: For more information about the access control entry (ACE) flags, see WMI Security Constants. |
Remarks
For more information about modifying namespace security programmatically or manually, see Securing WMI Namespaces.
Examples
For script code examples, see WMI Tasks for Scripts and Applications and the TechNet ScriptCenter Script Repository.
For C++ code examples, see WMI C++ Application Examples.
The following script shows how to use SetSD to set the namespace security descriptor for the root namespace and change it to the byte array shown in strSD.
```vb
' Hard-coded security descriptor
strSD = array( 1, 0, 4,129,72, 0, 0, 0, _
              88, 0, 0, 0, 0, 0, 0, 0, _
              20, 0, 0, 0, 2, 0,52, 0, _
               2, 0, 0, 0, 0, 2,24, 0, _
              63, 0, 6, 0, 1, 2, 0, 0, _
               0, 0, 0, 5,32, 0, 0, 0, _
              32, 2, 0, 0, 0, 2,20, 0, _
              63, 0, 6, 0, 1, 1, 0, 0, _
               0, 0, 0, 1, 0, 0, 0, 0, _
               1, 2, 0, 0, 0, 0, 0, 5, _
              32, 0, 0, 0,32, 2, 0, 0, _
               1, 2, 0, 0, 0, 0, 0, 5, _
              32, 0, 0, 0,32, 2, 0, 0)

' Connect to WMI and the root namespace.
Set oSvc = CreateObject( _
    "WbemScripting.SWbemLocator"). _
    ConnectServer(,"Root\Cimv2")

' Get the single __SystemSecurity object in this namespace.
Set oSecurity = oSvc.Get("__SystemSecurity=@")

' Change the namespace security.
nReturn = oSecurity.SetSD(strSD)
WScript.Echo "ReturnValue " & nReturn
```
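A byte array such as strSD is opaque until decoded, so it is worth checking which trustees and rights it grants before handing it to SetSD. The following Python parser is an added example, not part of the original page or Microsoft's sample code; it decodes the self-relative descriptor from the script above. The names `parse_sid`, `parse_dacl` and `RIGHTS` are this example's own, and the right values are those of the WMI Security Constants plus the standard READ_CONTROL and WRITE_DAC rights.

```python
import struct

# Byte array copied from strSD in the page's VBScript example (104 bytes).
SD = bytes([
    1, 0, 4, 129, 72, 0, 0, 0, 88, 0, 0, 0, 0, 0, 0, 0,
    20, 0, 0, 0, 2, 0, 52, 0, 2, 0, 0, 0, 0, 2, 24, 0,
    63, 0, 6, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0,
    32, 2, 0, 0, 0, 2, 20, 0, 63, 0, 6, 0, 1, 1, 0, 0,
    0, 0, 0, 1, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5,
    32, 0, 0, 0, 32, 2, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5,
    32, 0, 0, 0, 32, 2, 0, 0])
# WMI namespace rights (WMI Security Constants) plus two standard rights.
RIGHTS = {0x1: "WBEM_ENABLE", 0x2: "WBEM_METHOD_EXECUTE", 0x4: "WBEM_FULL_WRITE_REP",
          0x8: "WBEM_PARTIAL_WRITE_REP", 0x10: "WBEM_WRITE_PROVIDER",
          0x20: "WBEM_REMOTE_ACCESS", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC"}
CONTAINER_INHERIT_ACE, INHERITED_ACE = 0x02, 0x10

def parse_sid(buf, off):
    """Return the S-1-... string for the binary SID starting at off."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)  # little-endian DWORDs
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def parse_dacl(sd):
    """Decode the DACL of a self-relative security descriptor into a list of dicts."""
    rev, _, control, owner, group, sacl, dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x8000 or not control & 0x0004 or dacl == 0:
        raise ValueError("not a self-relative SD with a DACL")
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl)
    if dacl + acl_size > len(sd):
        raise ValueError("ACL runs past end of buffer")
    aces, off = [], dacl + 8
    for _ in range(ace_count):
        ace_type, flags, size, mask = struct.unpack_from("<BBHI", sd, off)
        if size < 8 or off + size > dacl + acl_size:
            raise ValueError("ACE size out of bounds")
        aces.append({
            "type": {0: "allow", 1: "deny"}.get(ace_type, ace_type),
            "sid": parse_sid(sd, off + 8),
            "rights": [name for bit, name in RIGHTS.items() if mask & bit],
            "child_namespaces": bool(flags & CONTAINER_INHERIT_ACE),
            "inherited": bool(flags & INHERITED_ACE),
        })
        off += size
    return aces

if __name__ == "__main__":
    print(*parse_dacl(SD), sep="\n")
```

For the page's array this reports two non-inherited allow ACEs with CONTAINER_INHERIT set, one for S-1-5-32-544 (BUILTIN\Administrators) and one for S-1-1-0 (Everyone), each carrying every listed right, including WBEM_REMOTE_ACCESS and WRITE_DAC.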
Requirements
| Minimum supported client | Windows 2000 Professional [desktop apps only] |
|---|---|
| Minimum supported server | Windows 2000 Server [desktop apps only] |
See also
- WMI System Classes
- __SystemSecurity
- __SystemSecurity::GetSD
- WMI Security Constants
- Win32_ACE
- Win32_SecurityDescriptor
- Securing WMI Namespaces
Build date: 11/19/2012