0

I am trying to lock the local admin account on a remote computer that i'm connected to using a CIM session:

$CIMSession = New-CimSession -ComputerName ComputerOne -ErrorAction Stop
$adminCheck = Get-CimInstance -Query "SELECT * FROM Win32_UserAccount WHERE Name='AdminAccount'" -CimSession $CIMSession

When I enumerate all the available CIM class methods available for that object, only one shows up:

PS C:\windows\system32> $adminCheck.CimClass.CimClassMethods

Name   ReturnType Parameters Qualifiers                   
----   ---------- ---------- ----------                   
Rename     UInt32 {Name}     {Implemented, MappingStrings}

...figures this is due to some methods not showing completely, perhaps? So I tried setting it using Invoke-CimMethod.

  • $adminCheck | Invoke-CimMethod -MethodName Put -Arguments Lockout,$true

    • This doesn't work which I believe is syntactically incorrect, as it errors out as well.

Tried: $adminCheck.LockOut = $true, out of just trying stuff and to no surprise it doesn't work either. Which would make sense since the instance is just referenced on my computer.

So, in my last attempt I tried:

$adminCheck | Set-CimInstance -Property @{Lockout=$true}
# and
$adminCheck | Set-CimInstance -Property @{Lockout=$true} -CimSession $CIMSession

which didn't work, as well.

Question: Is there no method, to save the newly modified value for that CIM instance property?

I am basing this off of the older Get-WMIObject cmdlet which will allow you to set the property by saving it using the .put() method.

Get-WmiObject -Class Win32_UserAccount -ComputerName ComputerOne -Filter "Name='AdminAccount'" | 
    ForEach-Object -Process {
        $_.Lockout = $true;
        $_.put()
    }

just looking to switch over completely to the newer CIM cmdlets

Abraham Zinala
  • 4,267
  • 3
  • 9
  • 24
  • 1
    "...figures this is due to some methods not showing completely, perhaps?" - no, the `Win32_UserAccount` class [really only has one instance method](https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-useraccount-methods) defined – Mathias R. Jessen Nov 24 '21 at 10:19
  • @Mathias, ahhh. So in reality, the CIM cmdlets don't carry over all methods from the older Gwmi cmdlets? – Abraham Zinala Nov 24 '21 at 12:22
  • Sure they do, but `Put` was never a WMI method to begin with - it's a .NET method, belonging to the `[System.Management.ManagementObject]` class. FWIW `$instance |Set-CimInstance -Property @{Lockout=$true}` should work just fine - what behavior are you seeing when you run it? – Mathias R. Jessen Nov 24 '21 at 12:25
  • Gonna take note of that. So, it actually never locks the account. It runs, no errors, no output, but no changes. Odd huh – Abraham Zinala Nov 24 '21 at 12:58
  • @Mathias, so, I can unlock it, just not lock it using `Set-CimInstance`. – Abraham Zinala Nov 24 '21 at 15:14
  • 1
    I suspect that's a limitation of the underlying API - `LockedOut` is likely a "calculated property" reflecting `(now() < [lockout policy threshold] + [time at which bad password guesses exceeded threshold])` – Mathias R. Jessen Nov 24 '21 at 15:16
  • well, that settles that. Thank for the info man! – Abraham Zinala Nov 24 '21 at 15:19

0 Answers0