Setting Namespace Security Descriptors
Both C++ applications and scripts running under a full administrator account can change a namespace security descriptor.
Namespace Security Descriptors
Each WMI namespace has a security descriptor, which allows each namespace to have unique security settings that determine who has access to the namespace data and methods. For more information about WMI access security, see Access to WMI Securable Objects. Access to WMI Namespaces describes the default security settings for WMI namespaces and security auditing in WMI.
You can set account permissions for each WMI namespace in the WMI (CIM) repository in the following ways:
- When the namespace is created in the MOF file. For more information, see Setting Namespace Security When the Namespace is Created.
- Manually, using the WMI Control. For more information, see Setting Namespace Security with the WMI Control.
- Programmatically, by calling the methods of the __SystemSecurity class.
The following methods of the __SystemSecurity object associated with each namespace allow you to read or change security on a namespace.
- Sets the rights parameter as a bitmap with each bit corresponding to an access right.
- Gets the security descriptor for the namespace to which the user is connected. This method returns a security descriptor in binary byte array format. If you are writing a script, use the GetSecurityDescriptor method.
- Sets the security descriptor (SD) for the namespace to which a user is connected. This method requires a security descriptor in binary byte array format. If you are writing a script, use the SetSecurityDescriptor method.
- Gets the security descriptor that controls access to the WMI namespace associated with the instance of __SystemSecurity. The security descriptor is returned as an instance of __SecurityDescriptor.
- Writes an updated version of the security descriptor that controls access to the WMI namespace. The security descriptor is represented by an instance of __SecurityDescriptor.
- Gets the remote access rights for a list of individual users on computers running obsolete versions of Windows, where access control through Windows security descriptors is not available.
- Sets the remote access rights for a list of individual users on computers running obsolete versions of Windows, where access control through Windows security descriptors is not available.
If you are writing scripts, use the GetSecurityDescriptor and SetSecurityDescriptor methods. You can use the methods of the Win32_SecurityDescriptorHelper class to alter the security descriptors.
If you are programming in C++, you can manipulate the binary security descriptor using Security Descriptor Definition Language (SDDL), and the conversion methods ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor.
Be aware that, starting with Windows Vista, User Account Control (UAC) affects access to WMI data and what can be configured with the WMI Control. For more information, see User Account Control and WMI.
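As an added example (not part of the original documentation), the following Windows PowerShell 5.1 function reads a namespace's security descriptor with GetSecurityDescriptor and decodes each ACE's access-right bitmap so the DACL can be reviewed. The function name, the `$Sensitive` mask and the `Review` column are assumptions of this example; the bit values are the documented WMI namespace access-right constants, labelled as they appear in the WMI Control.

```powershell
# Added example: read-only audit of a WMI namespace DACL.
# Assumes Windows PowerShell 5.1 (Invoke-WmiMethod) in an elevated session.

# Namespace access-right bits, named as in the WMI Control security dialog.
$Rights = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}

# Rights this example treats as worth a second look when held by non-administrators
# (Full Write, Remote Enable, Edit Security). This choice is an assumption, not a WMI rule.
$Sensitive = 0x4 -bor 0x20 -bor 0x40000
$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-WmiNamespaceAce {
    param([string]$Namespace = 'root\cimv2')

    # __SystemSecurity is a singleton in every namespace, addressed as "__SystemSecurity=@".
    $out = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($out.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor on $Namespace failed with code $($out.ReturnValue)"
    }

    # Descriptor is a __SecurityDescriptor instance; DACL is an array of __ACE.
    foreach ($ace in $out.Descriptor.DACL) {
        $mask  = [uint32]$ace.AccessMask
        $allow = ($ace.AceType -eq 0)          # 0 = access allowed, 1 = access denied
        $sid   = $ace.Trustee.SidString
        [pscustomobject]@{
            Namespace = $Namespace
            Trustee   = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            Sid       = $sid
            Type      = if ($allow) { 'Allow' } else { 'Deny' }
            Inherited = [bool]($ace.AceFlags -band 0x10)   # INHERITED_ACE
            Rights    = ($Rights.Keys | Where-Object { $mask -band $Rights[$_] }) -join ', '
            Review    = $allow -and [bool]($mask -band $Sensitive) -and ($sid -ne $AdminsSid)
        }
    }
}

Get-WmiNamespaceAce -Namespace 'root\cimv2' | Format-Table -AutoSize -Wrap
```

Rows with `Review` set to True are allow ACEs that grant Full Write, Remote Enable or Edit Security to a trustee other than the local Administrators group; compare them against the default settings described in Access to WMI Namespaces.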