Win32_SecuritySetting

The Win32_SecuritySetting abstract WMI class represents security settings for a managed element.

The Win32_SecuritySetting abstract WMI class represents security settings for a managed element.

Methods

Win32_SecuritySetting has 2 methods:
Method Description
GetSecurityDescriptor Class method that retrieves a structural representation of the object security descriptor.
SetSecurityDescriptor Class method that sets a security descriptor (SD) to a specified structure.

Learn more about Invoke-CimMethod and how to invoke commands. Click any of the methods listed above to learn more about their purpose, parameters, and return value.

Properties

Win32_SecuritySetting returns 4 properties:

'Caption','ControlFlags','Description','SettingID'

Unless explicitly marked as writeable, all properties are read-only. Read all properties for all instances:

Get-CimInstance -ClassName Win32_SecuritySetting -Property *

Most WMI classes return one or more instances.

When Get-CimInstance returns no result, then apparently no instances of class Win32_SecuritySetting exist. This is normal behavior.

Either the class is not implemented on your system (may be deprecated or due to missing drivers, i.e. CIM_VideoControllerResolution), or there are simply no physical representations of this class currently available (i.e. Win32_TapeDrive).

Caption

STRING MAX 64 CHAR

Short textual description of the CIM_Setting object.

Get-CimInstance -ClassName Win32_SecuritySetting | Select-Object -Property Caption

ControlFlags

UINT32

Control bits that qualify the meaning of an SD or its individual members. For more information about how to set the ControlFlags value, see the Remarks section. The following list lists the flags in ControlFlags. For more information, see SECURITY_DESCRIPTOR_CONTROL.

Indicates an SD with a default owner security identifier (SID). You can use this bit to find all of the objects that have default owner permissions set.

Indicates an SD with a default group SID. You can use this bit to find all of the objects that have default group permissions set.

Indicates an SD that has a discretionary access control list (DACL). If this flag is not set, or if this flag is set and the DACL is NULL, the SD allows full access to everyone.

Indicates an SD with a default DACL. For example, if an object creator does not specify a DACL, the object receives the default DACL from the access token of the creator. This flag can affect how the system treats the DACL, with respect to access control entry (ACE) inheritance. The system ignores this flag if the SE_DACL_PRESENT flag is not set.

Indicates an SD that has a system access control list (SACL).

Indicates an SD with a default SACL. For example, if an object creator does not specify an SACL, the object receives the default SACL from the access token of the creator. This flag can affect how the system treats the SACL, with respect to ACE inheritance. The system ignores this flag if the SE_SACL_PRESENT flag is not set.

Requests that the provider for the object protected by the SD automatically propagate the DACL to existing child objects. If the provider supports automatic inheritance, it propagates the DACL to any existing child objects, and sets the SE_DACL_AUTO_INHERITED bit in the security descriptors of the object and its child objects.

Requests that the provider for the object protected by the SD automatically propagate the SACL to existing child objects. If the provider supports automatic inheritance, it propagates the SACL to any existing child objects, and sets the SE_SACL_AUTO_INHERITED bit in the SDs of the object and its child objects.

Windows 2000 only. Indicates an SD in which the DACL is set up to support automatic propagation of inheritable ACEs to existing child objects. The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. This bit is not set in SDs for Windows NT versions 4.0 and earlier, which do not support automatic propagation of inheritable ACEs.

Windows 2000: Indicates an SD in which the SACL is set up to support automatic propagation of inheritable ACEs to existing child objects. The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. This bit is not set in SDs for Windows NT versions 4.0 and earlier, which do not support automatic propagation of inheritable ACEs.

Windows 2000: Prevents the DACL of the SD from being modified by inheritable ACEs.

Windows 2000: Prevents the SACL of the SD from being modified by inheritable ACEs.

Indicates an SD in self-relative format with all of the security information in a contiguous block of memory. If this flag is not set, the SD is in absolute format. For more information, see Absolute and Self-Relative Security Descriptors.

Get-CimInstance -ClassName Win32_SecuritySetting | Select-Object -Property ControlFlags

Description

STRING

Textual description of the CIM_Setting object.

Get-CimInstance -ClassName Win32_SecuritySetting | Select-Object -Property Description

SettingID

STRING MAX 256 CHAR

Identifier by which the CIM_Setting object is known.

Get-CimInstance -ClassName Win32_SecuritySetting | Select-Object -Property SettingID

Examples

List all instances of Win32_SecuritySetting
Get-CimInstance -ClassName Win32_SecuritySetting

Learn more about Get-CimInstance and the deprecated Get-WmiObject.

View all properties
Get-CimInstance -ClassName Win32_SecuritySetting -Property *
View key properties only
Get-CimInstance -ClassName Win32_SecuritySetting -KeyOnly

Selecting Properties

To select only some properties, pipe the results to Select-Object -Property a,b,c with a comma-separated list of the properties you require. Wildcards are permitted.

Get-CimInstance always returns all properties but only retrieves the ones that you specify. All other properties are empty but still present. That’s why you need to pipe the results into Select-Object if you want to limit the visible properties, i.e. for reporting.

Selecting Properties

The code below lists all available properties. Remove the ones you do not need:

$properties = 'Caption',
              'ControlFlags',
              'Description',
              'SettingID'
Get-CimInstance -ClassName Win32_SecuritySetting | Select-Object -Property $properties
Limiting Network Bandwidth

If you work remotely, it makes sense to limit network bandwidth by filtering the properties on the server side, too:

Get-CimInstance -Class Win32_SecuritySetting -Property $property | 
Select-Object -Property $property

Selecting Instances

To select some instances, use Get-CimInstance and a WMI Query. The wildcard character in WMI Queries is % (and not “*”).

The parameter -Filter runs a simple query.

Listing all instances where the property Caption starts with “A”
Get-CimInstance -Class Win32_SecuritySetting -Filter 'Caption LIKE "a%"' 
Using a WQL Query

The parameter -Query uses a query similar to SQL and combines the parameters -Filter and -Property. This returns all instances where the property Caption starts with “A”, and returns the properties specified:

Get-CimInstance -Query "SELECT SettingID, Caption, ControlFlags, Description FROM Win32_SecuritySetting WHERE Caption LIKE 'a%'"

Any property you did not specify is still present but empty. You might need to use Select-Object to remove all unwanted properties:

Get-CimInstance -Query "SELECT SettingID, Caption, ControlFlags, Description FROM Win32_SecuritySetting WHERE Caption LIKE 'a%'" | Select-Object -Property SettingID, Caption, ControlFlags, Description

Accessing Remote Computers

To access remote systems, you need to have proper permissions. User the parameter -ComputerName to access one or more remote systems.

Authenticating as Current User
# one or more computer names or IP addresses:
$list = 'server1', 'server2'

# authenticate with your current identity:
$result = Get-CimInstance -ClassName Win32_SecuritySetting -ComputerName $list 
$result
Authenticating as Different User

Use a CIMSession object to authenticate with a new identity:

# one or more computer names or IP addresses:
$list = 'server1', 'server2'

# authenticate with a different identity:
$cred = Get-Credential -Message 'Authenticate to retrieve WMI information:'
$session = New-CimSession -ComputerName $list -Credential $cred

$result = Get-CimInstance Win32_SecuritySetting -CimSession $session

# remove the session after use (if you do not plan to re-use it later)
Remove-CimSession -CimSession $session

$result

Learn more about accessing remote computers.

Requirements

To use Win32_SecuritySetting, the following requirements apply:

PowerShell

Get-CimInstance was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.

If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.

Operating System

Win32_SecuritySetting was introduced on clients with Windows Vista and on servers with Windows Server 2008.

Namespace

Win32_SecuritySetting lives in the Namespace Root/CIMV2. This is the default namespace. There is no need to use the -Namespace parameter in Get-CimInstance.

Implementation

Win32_SecuritySetting is implemented in CIMWin32.dll and defined in Secrcw32.mof. Both files are located in the folder C:\Windows\system32\wbem:

explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\Secrcw32.mof