{"id":27013482,"url":"https://github.com/eitco/puppet-dcom","last_synced_at":"2025-04-04T12:29:39.535Z","repository":{"id":57667052,"uuid":"401732287","full_name":"eitco/puppet-dcom","owner":"eitco","description":"Puppet Module to manage dcom configuration","archived":false,"fork":false,"pushed_at":"2023-06-19T10:38:58.000Z","size":265,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-18T00:07:53.837Z","etag":null,"topics":["configuration","configuration-management","dcom","puppet","puppet-module"],"latest_commit_sha":null,"homepage":"","language":"Puppet","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eitco.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-08-31T14:24:38.000Z","updated_at":"2024-08-07T05:33:18.000Z","dependencies_parsed_at":"2024-11-16T17:31:04.749Z","dependency_job_id":"77af99f8-9d21-4250-aa6c-8c4bd4e53291","html_url":"https://github.com/eitco/puppet-dcom","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eitco%2Fpuppet-dcom","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eitco%2Fpuppet-dcom/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eitco%2Fpuppet-dcom/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eitco%2Fpuppet-dcom/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/own
ers/eitco","download_url":"https://codeload.github.com/eitco/puppet-dcom/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247178825,"owners_count":20896923,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["configuration","configuration-management","dcom","puppet","puppet-module"],"created_at":"2025-04-04T12:29:38.830Z","updated_at":"2025-04-04T12:29:39.521Z","avatar_url":"https://github.com/eitco.png","language":"Puppet","readme":"# dcom\n\n## Table of Contents\n\n1. [Description](#description)\n1. [Setup](#setup)\n1. [Usage](#usage)\n    * [Identity](#identity)\n    * [Access permissions](#access-permissions)\n    * [Launch and activation permissions](#launch-and-activation-permissions)\n1. [Reference](#reference)\n    * [Parameters](#parameters)\n    * [Classes](#classes)\n    * [Defined resources](#defined-resources)\n    * [Facts](#facts)\n1. [Limitations](#limitations)\n1. 
[Final thoughts](#final-thoughts)\n\n## Description\n\nThis module manages the user / group assignments in the DCOM configuration for Windows apps.\nChanging those DCOM settings usually means doing it by hand, with complex self-written scripts...or by using this module!\n\nIt can help you out with the following things: manage the user identity of the app it should be launched as, manage the user access permissions, manage the local / remote launch \u0026 activation permissions.\n\nIn order to do that the dcom module uses an extended version of a tool called \"DComPerm\" whose source code can be found in the Windows SDK.\nThe extended version can be found here: https://github.com/albertony/dcompermex\n\n\n## Setup\n\nIn order to use it you need to include the main class first, which will then ensure that the DComPerm.exe will be copied into the TEMP-folder of the system.\n```ruby\ninclude dcom\n```\n\nThen - depending on what you need - just call the defined resources from your module like this:\n```ruby\ndcom::identity{ 'Setting up identities':\n    app_identities =\u003e $app_identities,\n}\n\n# or\n\ndcom::activation_launch_permissions{ 'Setting up activation \u0026 launch permissions':\n    app_activation_launch_permissions =\u003e $app_activation_launch_permissions,\n}\n\n# or\n\ndcom::access_permissions{ 'Setting up access permissions':\n    app_access_permissions =\u003e $app_access_permissions,\n}\n```\n\n\n## Usage\n\nThe configuration depends on hiera.\nTo set up the applications the way you want them, you need to know the App-ID of the application.\nEach program has its own App-ID which is always the same in every installation.\nYou can either find it out by going through the DCOM-config manually (*dcomcnfg.exe*) or with the help of PowerShell.\nHere are some examples. 
\n```powershell\nGet-WMIObject Win32_DCOMApplicationSetting -Filter 'Caption like \"%Microsoft Word%\"'\n\nGet-WMIObject Win32_DCOMApplicationSetting -Filter 'Description like \"%Microsoft Excel%\"'\n```\n*Get-WMIObject* will then create a WQL query out of it and return the result. The %-sign is a wildcard (like *).\n\nEvery defined resource expects the parameter to be of the datatype Hash. The resources are designed to manage one or more applications or users / groups.\nThe keys inside the hash are predefined and mandatory.\n\n:warning: **Major change in version 0.3.0:**\n```\nWhen a Windows machine is freshly created it only contains a DCOM config list of the default pre-installed Windows-Apps. \nIf you install further apps (and you want to manage them) it is required to update the list manually by opening the Component-Snap-In (dcomcnfg) and clicking once on the DCOM config tree.\nOtherwise this module won´t be able to successfully change the settings although it will tell you it did.\nTo overcome this overhead the module will now check whether the app (identified by the AppID) already exists in this list or not and create an entry in case it doesn´t.\nIt will use the name of the key inside of the hash to name the DCOM app in that config list so choose the name wisely!\nI recommend naming the key the way it would have been named by default (e.g. 
'Microsoft Word 97 - 2003 Document' instead of 'Word').\n\nIt has no other impact on the functionality but the naming.\nLast but not least it does not affect you at all if the AppID already exists in the DCOM config list.\nThe entry can be found here: HKEY_CLASSES_ROOT\\AppID\\{APPID_of_the_software}\n```\n\n### Identity\n\nThere are three categories of identities in DCOM for regular apps: launching user, interactive user \u0026 custom user.\nIn the following example we configure the Word application to be launched in the context of the user *\"domain_user\"*.\n```ruby\nyour_module::app_identities:\n  'Microsoft Word 97 - 2003 Document':\n    appID: '{00020906-0000-0000-C000-000000000046}'\n    identity_type: 'custom user'\n    user: 'CONTOSO\\domain_user'\n    password: 'password'\n```\nThe user \u0026 password keys are only needed for the *\"custom user\"* identity type.\n\nNow let´s add a few more apps with a different identity configuration.\n```ruby\nyour_module::app_identities:\n  'Microsoft Word 97 - 2003 Document':\n    appID: '{00020906-0000-0000-C000-000000000046}'\n    identity_type: 'custom user'\n    user: 'CONTOSO\\domain_user'\n    password: 'password'\n  'Outlook Message Attachment':\n    appID: '{00020D09-0000-0000-C000-000000000046}'\n    identity_type: 'custom user'\n    user: 'local_user'\n    password: 'password'\n  'Microsoft Excel Application':\n    appID: '{00020812-0000-0000-C000-000000000046}'\n    identity_type: 'launching user'\n  'Microsoft PowerPoint Slide':\n    appID: '{048EB43E-2059-422F-95E0-557DA96038AF}'\n    identity_type: 'interactive user'\n```\nDone!\n\n### Access permissions\nThe access permissions are configured in a similar way, just with a few more keys. On top of that you can also set the configuration for one or more users. 
Let´s see an example:\n```ruby\nyour_module::app_access_permissions:\n  'Microsoft Word 97 - 2003 Document':\n    appID: '{00020906-0000-0000-C000-000000000046}'\n    ensure: 'present'\n    users: \n      - 'CONTOSO\\user1'\n    acl: 'permit'\n    level: 'l,r'\n  'Microsoft Excel Application':\n    appID: '{00020812-0000-0000-C000-000000000046}'\n    ensure: 'present'\n    users: \n      - 'CONTOSO\\user1'\n      - 'CONTOSO\\user2'\n    acl: 'deny'\n    level: 'r'\n  'Microsoft PowerPoint Slide':\n    appID: '{048EB43E-2059-422F-95E0-557DA96038AF}'\n    ensure: 'present'\n    users:\n      - 'CONTOSO\\user2'\n      - 'local_user3'\n    acl: 'permit'\n    level: 'l'\n```\n\nWhat if it is not a user but a local group that you want to add? Or maybe even a domain group?\n```ruby\nyour_module::app_access_permissions:\n  'Microsoft Word 97 - 2003 Document':\n    appID: '{00020906-0000-0000-C000-000000000046}'\n    ensure: 'present'\n    users: \n      - 'Administrators' # local group\n      - 'CONTOSO\\Admin-Group' # domain group\n    acl: 'permit'\n    level: 'l,r'\n```\n\n### Launch and activation permissions\nThe launch \u0026 activation permissions are configured the same way as the access permissions. 
\n```ruby\nyour_module::app_activation_launch_permissions:\n  'Microsoft Word 97 - 2003 Document':\n    appID: '{00020906-0000-0000-C000-000000000046}'\n    ensure: 'present'\n    users:\n      - 'CONTOSO\\user1'\n    acl: 'permit'\n    level: 'la'\n  'Microsoft Excel Application':\n    appID: '{00020812-0000-0000-C000-000000000046}'\n    ensure: 'present'\n    users:\n      - 'CONTOSO\\user2'\n      - 'local_user3'\n    acl: 'deny'\n    level: 'l,r'\n  'Microsoft PowerPoint Slide':\n    appID: '{048EB43E-2059-422F-95E0-557DA96038AF}'\n    ensure: 'present'\n    users:\n      - 'local_user3'\n    acl: 'permit'\n    level: 'ra'\n```\n\nNow let´s assume you want to have two users configured for the same app but with different permissions.\nUnfortunately I haven´t found a better way yet...but here is a workaround for how it could be done (but be aware of its [impact](#usage)):\n```ruby\nyour_module::app_activation_launch_permissions:\n  'Microsoft Word 97 - 2003 Document - user1':\n    appID: '{00020906-0000-0000-C000-000000000046}'\n    ensure: 'present'\n    users:\n      - 'CONTOSO\\user1'\n    acl: 'permit'\n    level: 'la'\n  'Microsoft Word 97 - 2003 Document - user2':\n    appID: '{00020906-0000-0000-C000-000000000046}'\n    ensure: 'present'\n    users:\n      - 'CONTOSO\\user2'\n    acl: 'permit'\n    level: 'l,r'\n```\n\nIf an application is configured with\n```ruby\nensure: 'absent'\n```\nthen all the users configured in the *users* key will be removed from the DCOM configuration for that application!\n\n## Reference\n\n### Parameters\n```ruby\nHash app_identities:\n        'key':    \n            Pattern['^{[A-Z0-9].*-[A-Z0-9].*-[A-Z0-9].*-[A-Z0-9].*-[A-Z0-9].*}$'] appID\n            String[Enum['custom user','interactive user','launching user']] identity_type\n            Optional[String] user\n            Optional[String] password\n\nHash app_access_permissions:\n        'key':    \n            
Pattern['^{[A-Z0-9].*-[A-Z0-9].*-[A-Z0-9].*-[A-Z0-9].*-[A-Z0-9].*}$'] appID\n            String[Enum['present','absent']] ensure\n            Array[String] users\n            String[Enum['permit','deny']] acl\n            String[Enum['l','r','l,r']] level\n\nHash app_activation_launch_permissions:\n        'key':    \n            Pattern['^{[A-Z0-9].*-[A-Z0-9].*-[A-Z0-9].*-[A-Z0-9].*-[A-Z0-9].*}$'] appID\n            String[Enum['present','absent']] ensure\n            Array[String] users\n            String[Enum['permit','deny']] acl\n            String[Enum['l','r','l,r','la','ll','ra','rr']] level\n\nDefault: undef\n```\n\n### Classes\n```ruby\n# main class\nClass['dcom']\n\n# ensures that the DComPerm.exe is present within the TEMP-path\nClass['dcom::prerequisites']\n```\n\n### Defined resources\n```ruby\n# manages the launch identity of an app\ndcom::identity\n\n# manages the access permissions for an app\ndcom::access_permissions\n\n# manages the activation and launch permissions for an app\ndcom::activation_launch_permissions\n```\n\n## Limitations\n\n* Predefined (default) user / groups can´t be changed\n* a user / group can be added through this module, the removal however won´t happen automatically when removing them from the nested hash\n    * workaround #1: create new hash element with the user / group marked as 'ensure: absent'\n    * workaround #2: remove the user / group from DCOM-config by hand\n* This module is limited by the features that the DComPerm-tool offers\n* DComPerm requires at least Vista / Server 2008\n\n## Final thoughts\n\nAlthough the feature set is mostly complete (based on what can be done with DComPerm) there might be still some room for improvement.\nIf you have some feedback or something isn´t working correctly - feel free to create an issue in the 
GitHub-repository.","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feitco%2Fpuppet-dcom","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feitco%2Fpuppet-dcom","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feitco%2Fpuppet-dcom/lists"}