Description
In zenoss-lpu.ps1 there is a function named allow_access_to_winrm.
The $defaultkey value used in the allow_access_to_winrm function is valid for 2008R2, but the default SDDL changed in 2012R2.
You can run "winrm get winrm/config" to see the defaults on each version of Windows (spaces added by me):
2012R2 - O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
2008R2 - O:NSG:BAD:P(A;;GA;;;BA) S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
Instead of hard coding a default, I suggest parsing the output of running "winrm get winrm/config" to see what the current RootSDDL being used is. That would address the case where the "SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service" registry key does not exist and default values are being used.
=-=-=
With that said, I don't think the script should even be setting this registry key on 2008R2 or later.
According to the below link[1], starting with Windows 2008R2 "The value stored at winrm\Config\Service\RootSDDL is only used for security access checks if the requested resource URI does not specify its own specific SDDL as a part of the plug-in configuration.".
I see that both the "WMI Provider" and "Microsoft.PowerShell" Plugins specify their own SDDL (at least under 2008R2 and 2012R2). I assume that these are the two that are used by zenoss.
[1] https://technet.microsoft.com/en-us/library/ee922649(v=ws.10).aspx
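
The suggestion above (read the effective RootSDDL from "winrm get winrm/config" rather than hard coding it), sketched as an added example that is not part of the original issue or of zenoss-lpu.ps1. The function names Get-EffectiveRootSddl and Get-SddlDaclEntries are hypothetical, and the sample config lines are constructed around the 2012R2 value quoted in the issue.

```powershell
# Added example; helper names are hypothetical, not functions from zenoss-lpu.ps1.

function Get-EffectiveRootSddl {
    param(
        # Lines of "winrm get winrm/config" output; the command is run only when none are supplied.
        [string[]]$ConfigText = (winrm get winrm/config)
    )
    foreach ($line in $ConfigText) {
        # The value is reported even when the WSMAN\Service registry key does not exist.
        if ($line -match '^\s*RootSDDL\s*=\s*(\S+)\s*$') {
            return $Matches[1]
        }
    }
    throw 'RootSDDL not found in winrm configuration output'
}

function Get-SddlDaclEntries {
    param([Parameter(Mandatory=$true)][string]$Sddl)
    # RawSecurityDescriptor throws on malformed SDDL, so this also validates the string.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        '{0}:{1}:0x{2:X8}' -f $ace.AceType, $ace.SecurityIdentifier.Value, $ace.AccessMask
    }
}

# Constructed sample input: only the RootSDDL value is taken from the issue (2012R2).
$sample = @(
    'Config',
    '    Service',
    '        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)',
    '        MaxConcurrentOperations = 4294967295'
)
# 2008R2 value quoted in the issue, with the reporter's added space removed.
$hardCoded2008R2 = 'O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)'

$current = Get-EffectiveRootSddl -ConfigText $sample

# DACL entries present on the host but absent from the hard-coded default.
# Writing the hard-coded value back as the base would silently drop these.
Compare-Object @(Get-SddlDaclEntries $hardCoded2008R2) @(Get-SddlDaclEntries $current) |
    Where-Object { $_.SideIndicator -eq '=>' } |
    ForEach-Object { $_.InputObject }
```

Calling Get-EffectiveRootSddl with no arguments on a Windows host runs winrm itself and returns the value currently in effect.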