<#
.SYNOPSIS
This routine creates a Custom Namespace called 'CustomCMClasses'.  The intent is to then permission that location so that
"Domain Users" of the identified domain have rights to add or modify Instances in that namespace.  This is intended for some specific,
per-user inventory needs which are occasionally asked of "System Center Configuration Manager" (or CM) Administrators.
(As currently written, the script grants these rights to 'Everyone' and 'Authenticated Users'; the "Domain Users" grant is an
optional, commented-out section at the end of the script.)
This routine technically only needs to run once, per system; however running more frequently would not hurt anything--it may re-add
permissions which were already set, but it wouldn't hurt.

.DESCRIPTION
- If you enable the OPTIONAL "Domain Users" section at the end of the script, ensure you modify the $SID and $Account values there to be YOUR domain
- This script will most likely be part of a traditional "Package/Program", where this would be a program--which is listed as "run another program first"
   and this would run using SYSTEM rights, whether or not a user is logged in.  It would only need to run once per system.

.NOTES

2016-03-23 Original from https://stackoverflow.com/questions/36132700/set-wmi-permissions-for-domain-users "DarkLite1"
2018-04-17 Sherry Kissinger Modifications with the assistance of John Marcum
2023-6-01 Had to change it because the SID lookup wasn't working.  Just manually found the SIDs... and added them individually, instead of having it try to "look them up"

$VerbosePreference options are
  'Continue' (show the messages)
  'SilentlyContinue' (do not show the message, this is the default if not set at all)
  'Stop' Show the message and halt (use for debugging)
  'Inquire' Prompt the user if ok to continue

If testing on a TEST computer and you want to re-run the script from scratch to confirm it is working, delete the custom namespace by running this:
Get-WmiObject -query "Select * From __Namespace Where Name='CustomCMClasses'" -Namespace "root"  | Remove-WmiObject
#>

 

Param (
    # Declared as a parameter, so the default suppresses error output for the whole script:
    # failed WMI or registry calls in the functions below do not stop the run and are not reported.
    $ErrorActionPreference = "SilentlyContinue",
    # Name of the namespace created directly under 'root'.
    [String]$Namespace = 'CustomCMClasses',
    # Name of the WMI class created inside root\$Namespace.
    [String]$WMIClass = 'Browser_Extensions',
    # Only Set-WMIPermissionsHC passes this to its WMI calls; the namespace and class
    # creation functions do not reference it.
    [String]$Computer  = $env:COMPUTERNAME,
    # Controls whether the Write-Verbose messages in this script are shown (see .NOTES above).
    $VerbosePreference = 'SilentlyContinue'
)
 

Function New-WMINamespaceHC{
    <#
    .SYNOPSIS
    Creates the 'root\$Namespace' WMI namespace unless a namespace with that name already exists under 'root'.

    .DESCRIPTION
    Reads $Namespace from the calling scope (the script-level parameter). Produces no pipeline output;
    progress is reported through Write-Verbose only.
    #>
    $Existing = Get-WmiObject -Namespace 'root' -Class '__NAMESPACE' |
        Where-Object { $_.Name -eq $Namespace }

    # Nothing to do when the namespace is already present.
    if ($Existing) {
        Write-Verbose "WMI Namespace 'root\$Namespace' exists"
        return
    }

    Write-Verbose "Create WMI namespace 'root\$Namespace'"
    # A namespace is created by storing a new __Namespace instance in its parent ('root').
    $NamespaceClass = [WMICLASS]'root:__Namespace'
    $Instance = $NamespaceClass.createInstance()
    $Instance.Name = $Namespace
    $null = $Instance.Put()
}


# Creates the inventory class ($WMIClass, 'Browser_Extensions' by default) inside root\$Namespace.
# Reads $Namespace and $WMIClass from the calling scope. Every property is a string except
# ScriptLastRan (DateTime); ExtensionID and OSUser together form the instance key.
Function CreateClass{
    $StringType = [System.Management.CimType]::String

    $ClassDef = New-Object System.Management.ManagementClass("root\$Namespace", [string]::Empty, $null)
    $ClassDef.name = $WMIClass
    $ClassDef.Qualifiers.Add("Static", $true)
    $ClassDef.Properties.Add("OSUser", $StringType, $false)
    $ClassDef.Qualifiers.Add("Description","Browser_Extensions stores information on extensions add in Edge, Firefox, or Chrome.")

    # Remaining string properties, added in the same order as before.
    $StringProperties = @(
        "Browser",
        "ProfileDir",
        "ProfileName",
        "ProfileGaiaName",
        "ProfileUserName",
        "ExtensionID",
        "ExtensionName",
        "ExtensionVersion",
        "ExtensionFromWebStore",
        "ExtensionState",
        "ExtensionInstallTime",
        "ExtensionInstalledByDefault"
    )
    foreach ($PropertyName in $StringProperties) {
        $ClassDef.Properties.Add($PropertyName, $StringType, $false)
    }
    $ClassDef.Properties.Add("ScriptLastRan", [System.Management.CimType]::DateTime, $false)

    # Mark the two key properties, then commit the class definition to the repository.
    foreach ($KeyName in @("ExtensionID", "OSUser")) {
        $ClassDef.Properties[$KeyName].Qualifiers.Add("Key", $true)
    }
    $null = $ClassDef.Put()
}

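Function Set-WMIPermissionsHC {
    <#
    .SYNOPSIS
    Appends an allow ACE for $SID to the security descriptor of the 'root\$Namespace' WMI namespace
    and to the machine-wide DCOM 'MachineLaunchRestriction' registry value on $Computer.

    .DESCRIPTION
    Reads $SID, $Account, $Namespace and $Computer from the calling scope. The function declares no
    parameters, so the '-SID $SID' written at the call sites is not bound to anything; the value is
    picked up from the caller's $SID variable.

    Each of the two descriptors is written only when it was read and converted successfully. The
    script runs with errors suppressed, so without these checks a failed read would lead to a
    descriptor built from an empty string being handed to the write call.

    .NOTES
    Security-relevant behaviour to review before deployment:
    - HKLM\software\microsoft\ole\MachineLaunchRestriction is a machine-wide DCOM setting; the ACE
      added there is not limited to WMI or to the custom namespace.
    - The ACE is appended on every call. No check is made for an existing equivalent ACE, so repeated
      runs grow both descriptors.
    - The ACE is appended to the end of the SDDL string. NOTE(review): this assumes the string ends
      with the DACL (no trailing 'S:' SACL section) - confirm on the target systems.
    - NOTE(review): in WMI namespace security, 'CCSWWP' appears to correspond to Enable Account,
      Partial Write and Remote Enable, and 'CCDCRP' in the DCOM ACE to launch/activation rights -
      confirm the exact rights against the access-mask documentation before granting to broad groups.
    #>
    if ([string]::IsNullOrEmpty($SID)) {
        Write-Warning "Set-WMIPermissionsHC: no SID supplied; security descriptors left unchanged"
        return
    }

    # ACE strings: allow, container-inherit on the namespace; allow, no inheritance for DCOM.
    $SDDL = "A;CI;CCSWWP;;;$SID"
    $DCOMSDDL = "A;;CCDCRP;;;$SID"
    $Converter = New-Object System.Management.ManagementClass Win32_SecurityDescriptorHelper

    # --- WMI namespace security descriptor -------------------------------------------------------
    $WmiUpdated = $false
    $Security = Get-WmiObject -ComputerName $Computer -Namespace "root\$Namespace" -Class __SystemSecurity
    if ($Security) {
        $BinarySD = @($null)
        $null = $Security.PsBase.InvokeMethod('GetSD', $BinarySD)
        $OutSDDL = $Converter.BinarySDToSDDL($BinarySD[0])
        if ($OutSDDL -and -not [string]::IsNullOrEmpty($OutSDDL.SDDL)) {
            $NewSDDL = $OutSDDL.SDDL + '(' + $SDDL + ')'
            $WMIbinarySD = $Converter.SDDLToBinarySD($NewSDDL)
            if ($WMIbinarySD -and $null -ne $WMIbinarySD.BinarySD) {
                # The unary comma wraps the byte array so it is passed as one method argument.
                $WMIconvertedPermissions = ,$WMIbinarySD.BinarySD
                $Result = $Security.PsBase.InvokeMethod('SetSD', $WMIconvertedPermissions)
                $WmiUpdated = ($Result -eq 0)
            }
        }
    }
    if (-not $WmiUpdated) {
        Write-Warning "Set-WMIPermissionsHC: security descriptor of 'root\$Namespace' was not updated for SID '$SID'"
    }

    # --- DCOM machine launch restriction (2147483650 = HKEY_LOCAL_MACHINE) ------------------------
    $DcomUpdated = $false
    $Reg = [WMICLASS]"\\$Computer\root\default:StdRegProv"
    $DCOM = $Reg.GetBinaryValue(2147483650,'software\microsoft\ole','MachineLaunchRestriction').uValue
    if ($null -ne $DCOM) {
        $OutDCOMSDDL = $Converter.BinarySDToSDDL($DCOM)
        if ($OutDCOMSDDL -and -not [string]::IsNullOrEmpty($OutDCOMSDDL.SDDL)) {
            $NewDCOMSDDL = $OutDCOMSDDL.SDDL + '(' + $DCOMSDDL + ')'
            $DCOMbinarySD = $Converter.SDDLToBinarySD($NewDCOMSDDL)
            if ($DCOMbinarySD -and $null -ne $DCOMbinarySD.BinarySD) {
                $Result = $Reg.SetBinaryValue(2147483650,'software\microsoft\ole','MachineLaunchRestriction', $DCOMbinarySD.binarySD)
                $DcomUpdated = ($Result -and $Result.ReturnValue -eq 0)
            }
        }
    }
    if (-not $DcomUpdated) {
        Write-Warning "Set-WMIPermissionsHC: MachineLaunchRestriction was not updated for SID '$SID'"
    }

    if ($WmiUpdated -and $DcomUpdated) {
        Write-Verbose "WMI Permissions set for Namespace '$Namespace' for SID '$SID' which is '$Account' on '$Computer'"
    }
}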

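 if (Get-WmiObject -List -Namespace "root\$Namespace" | Where-Object {$_.Name -eq $WMIClass}) {
    # The class name comes from the $WMIClass script parameter. The check previously read an
    # undefined $Class variable, so it never matched and the Else branch (including the ACE
    # additions) ran on every execution.
    Write-Verbose "WMI Class '$WMIClass' exists"
    write-host 'Already Done'
}
Else
{

New-WMINamespaceHC
CreateClass

# NOTE(review): the header describes the intent as granting rights to "Domain Users", but the two
# active grants below are to the 'Everyone' and 'Authenticated Users' well-known SIDs. The same call
# also adds an ACE for each SID to the machine-wide DCOM MachineLaunchRestriction value. Confirm this
# breadth is intended; the narrower Domain Users grant is the commented-out OPTIONAL section.
# Set-WMIPermissionsHC declares no parameters, so '-SID $SID' is not bound; the function reads
# $SID and $Account from this scope.

# Everyone
$SID = 'S-1-1-0'
$Account = 'Everyone'
Set-WMIPermissionsHC -SID $SID

#Authenticated Users
$SID = 'S-1-5-11'
$Account = 'Authenticated users'
Set-WMIPermissionsHC -SID $SID

<# OPTIONAL 

# YOUR DOMAIN\Domain Users
#REPLACE THIS $SID with YOUR SID for YOUR Domain Users

$SID = 'S-1-5-21-1111111111-111111111-111111111-513'
$Account = 'YOURDOMAIN\Domain Users'
Set-WMIPermissionsHC -SID $SID
#>

write-host 'Done'
}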