GetSD method of the __SystemSecurity class

The GetSD method gets the security descriptor for the namespace to which the user is connected. This method returns a security descriptor in binary byte array format. If you are writing a script, use the GetSecurityDescriptor method. For more information, see Securing WMI Namespaces and Changing Access Security on Securable Objects.

The user must have the READ_CONTROL permission. By default, administrators have that permission. The only part of the security descriptor that is actually used is the discretionary access control list (DACL). The DACL can contain both inherited and non-inherited ACEs. Both deny and allow ACEs are permitted.

If you are programming in C++, you can manipulate the binary security descriptor using SDDL, and the conversion methods ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor.

Syntax

HRESULT GetSD(
  [out] uint8 SD[]
);

Parameters

SD [out]

Security descriptor in binary byte array format.

Return value

This method returns an HRESULT indicating the status of the method call. The following list shows the return values that are significant for GetSD. For scripting and Visual Basic applications, the result can be obtained from OutParameters.ReturnValue. For more information, see Constructing InParameters Objects and Parsing OutParameters Objects.

S_OK

Method executed successfully.

WBEM_E_ACCESS_DENIED

Caller does not have sufficient rights to call this method.

WBEM_E_METHOD_DISABLED

Attempted to run this method on an unsupported system.

Remarks

For more information about modifying namespace security programmatically or manually, see Securing WMI Namespaces.

Examples

The following script shows you how to use GetSD to obtain the current security descriptor for the Root\Cimv2 namespace and convert it to the comma-separated byte list stored in DisplaySD.

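' Connect to the namespace and bind to its __SystemSecurity singleton.
Set objServices = GetObject("winmgmts:root\cimv2")
Set CimV2 = objServices.Get("__SystemSecurity=@")

' GetSD fills arrSD with the binary security descriptor.
ReturnValue = CimV2.GetSD(arrSD)

' A nonzero return value means the call failed and arrSD is not usable.
If ReturnValue <> 0 Then
   WScript.Echo "Method returned error " & ReturnValue
   WScript.Quit 1
End If

' Build a comma-separated list of the descriptor bytes.
DisplaySD = "SD = {"
For I = Lbound(arrSD) To Ubound(arrSD)

   DisplaySD = DisplaySD & arrSD(I)

   If I <> Ubound(arrSD) Then
      DisplaySD = DisplaySD & ","
   End If

Next

DisplaySD = DisplaySD & "}"

WScript.Echo DisplaySD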
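
The script above prints the descriptor as a raw byte list, which is hard to review. The following Python sketch is an added example, not part of the original documentation: it decodes that output as a self-relative security descriptor and lists each DACL ACE with its type, SID, inherited flag, and WMI rights. The SAMPLE bytes are constructed for illustration, and the function names are hypothetical.

```python
import struct

# Access-mask bits from WMI Security Constants, plus the standard rights WMI checks.
WMI_RIGHTS = {0x1: "WBEM_ENABLE", 0x2: "WBEM_METHOD_EXECUTE", 0x4: "WBEM_FULL_WRITE_REP",
              0x8: "WBEM_PARTIAL_WRITE_REP", 0x10: "WBEM_WRITE_PROVIDER",
              0x20: "WBEM_REMOTE_ACCESS", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC"}
ACE_TYPES = {0: "allow", 1: "deny"}  # ACCESS_ALLOWED_ACE_TYPE / ACCESS_DENIED_ACE_TYPE
# Constructed sample in the script's output format: SD header, ACL header, two ACEs.
SAMPLE = ("SD = {1,0,4,128,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,2,0,52,0,2,0,0,0,"
          "0,2,24,0,63,0,6,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0,"
          "1,18,20,0,32,0,0,0,1,1,0,0,0,0,0,1,0,0,0,0}")

def bytes_from_display(text):
    """Turn the 'SD = {1,0,4,...}' string echoed by the script into bytes."""
    return bytes(int(v) for v in text[text.index("{") + 1:text.rindex("}")].split(","))

def parse_sid(buf, off):  # render a binary SID as S-R-A-S1-S2...
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def rights(mask):
    names = [name for bit, name in WMI_RIGHTS.items() if mask & bit]
    rest = mask & ~sum(WMI_RIGHTS)  # bits this table does not name
    return names + (["0x%X" % rest] if rest else [])

def parse_dacl(sd):
    """List the allow/deny ACEs in the DACL of a self-relative descriptor."""
    _rev, _sbz, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd)
    if not control & 0x8000 or not control & 0x0004 or not dacl_off:
        raise ValueError("need SE_SELF_RELATIVE and a present, non-NULL DACL")
    _rev, _sbz, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    end = dacl_off + acl_size
    if end > len(sd):
        raise ValueError("DACL runs past the end of the buffer")
    aces, off = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, flags, size = struct.unpack_from("<BBH", sd, off)
        if size < 8 or off + size > end:
            raise ValueError("malformed ACE at offset %d" % off)
        if ace_type in ACE_TYPES:  # other ACE types have a different layout; skip them
            (mask,) = struct.unpack_from("<I", sd, off + 4)
            aces.append({"type": ACE_TYPES[ace_type], "sid": parse_sid(sd, off + 8),
                         "inherited": bool(flags & 0x10), "rights": rights(mask)})  # 0x10 = INHERITED_ACE
        off += size
    return aces

if __name__ == "__main__":
    print(*parse_dacl(bytes_from_display(SAMPLE)), sep="\n")
```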

Requirements

Requirement | Value
Minimum supported client | Windows Vista
Minimum supported server | Windows Server 2008
Namespace | All WMI namespaces

See also

WMI System Classes

__SystemSecurity

WMI Security Constants

Win32_ACE

__SystemSecurity::SetSD

Security_Descriptor

Win32_SecurityDescriptor

Securing WMI Namespaces