Remote bulk fix for VSS LLDP CAPI 513 error.
I’m a stickler for keeping error logs clean where possible. I wanted to fix the VSS CAPI 513 error (https://support.microsoft.com/en-ca/help/3209092) on my DPM protected servers; however, I’m also lazy efficient and didn’t want to do it manually. Here’s my quick and dirty PowerShell function to apply the fix to all of the appropriate servers.
Automation is a fantastic way to break things with unprecedented speed. Scripts should be understood before running. Also, all the error decorations aren’t necessary, but who’s to say I can’t have fun with a blog post?
Caveat Emptor.
function Repair-mslldpPermissions {
    [CmdletBinding()]
    param ([string]$TargetComputer)
    # sc.exe returns several lines (some blank); join them so we work with one SDDL string.
    $mslldpSDDL = ((Invoke-Command -ComputerName $TargetComputer -ScriptBlock {sc.exe sdshow mslldp}) -join '').Trim()
    $ntserviceSecString = '(A;;CCLCSWLOCRRC;;;SU)'
    # Escape the ACE so its parentheses are matched literally rather than as a regex group.
    if ($mslldpSDDL -match [regex]::Escape($ntserviceSecString)) {
        Write-Warning "mslldp service already has NT Service permission fix applied on $TargetComputer!"
        return;
    }
    # Owner (O:), group (G:) or SACL (S:) sections mean a blind append could land outside the DACL.
    if ($mslldpSDDL -cmatch "[OGS]:") {
        Write-Error "I'm not smart enough to understand the SDDL on $TargetComputer.
I expect the SDDL for this service to match the default, which only contains dacl flags.
Make me smarter if you want to continue!" -Category InvalidOperation
        # Write-Error does not stop execution by itself; bail out before touching the service.
        return;
    }
    $newSDDL = "$mslldpSDDL$ntserviceSecString"
    # Join the output so the switch evaluates one string instead of each line separately.
    $output = (Invoke-Command -ComputerName $TargetComputer -ScriptBlock {$sddl = $args[0]; sc.exe sdset mslldp $sddl} -ArgumentList $newSDDL) -join "`n"
    switch -Wildcard ($output) {
        # Win32 error 5 is access denied; match sc.exe's "FAILED 5:" rather than any digit 5.
        "*FAILED 5:*" {
            Write-Error "Insufficient permissions to alter SDDL of mslldp service. Failed to set SDDL" -Category PermissionDenied
            return;
        }
        "*SetServiceObjectSecurity SUCCESS*" {
            Write-Verbose "Successfully updated mslldp service SDDL on host [$TargetComputer]"
            return;
        }
        Default {
            Write-Error "sc returned unexpected result:`n$output" -RecommendedAction "RTError" -Category InvalidResult
            return;
        }
    }
}
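The function above refuses to touch a descriptor that carries owner, group or SACL sections, because appending to the end of the string is only safe when the DACL is the last section. As an added example (not part of the original post), the helper below goes beyond that default-only case by parsing the SDDL with .NET's RawSecurityDescriptor and appending the ACE to the DACL itself; the name Add-DaclAce and the sample SDDL are assumptions made for illustration.

```powershell
# Added example, not the post's code. Add-DaclAce is a hypothetical helper name.
function Add-DaclAce {
    [CmdletBinding()]
    [OutputType([string])]
    param (
        [Parameter(Mandatory)][string]$Sddl,  # joined output of: sc.exe sdshow <service>
        [Parameter(Mandatory)][string]$Ace    # e.g. '(A;;CCLCSWLOCRRC;;;SU)'
    )
    # Parsing validates the SDDL; malformed input throws here, before anything is changed.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl.Trim())
    if ($null -eq $sd.DiscretionaryAcl) {
        throw "Descriptor has no DACL; refusing to create one from scratch."
    }

    # Parse the ACE by wrapping it in a throwaway DACL-only descriptor.
    $want = [System.Security.AccessControl.RawSecurityDescriptor]::new("D:$Ace").DiscretionaryAcl[0]
    if ($want.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) {
        # Appending keeps canonical order (deny before allow) only for allow ACEs.
        throw "Only access-allowed ACEs are appended by this helper."
    }

    # Idempotency: compare SID and access mask instead of matching the ACE text,
    # so an existing grant is recognised even if its rights are written differently.
    foreach ($have in $sd.DiscretionaryAcl) {
        if ($have -is [System.Security.AccessControl.CommonAce] -and
            $have.AceType -eq $want.AceType -and
            $have.SecurityIdentifier.Equals($want.SecurityIdentifier) -and
            (($have.AccessMask -band $want.AccessMask) -eq $want.AccessMask)) {
            Write-Verbose "An ACE for $($want.SecurityIdentifier) already grants these rights."
            return $Sddl.Trim()
        }
    }

    # Append to the DACL; owner, group and SACL sections are carried through untouched.
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $want)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# Constructed sample: a DACL followed by an audit SACL, the case the post's function rejects.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
Add-DaclAce -Sddl $sample -Ace '(A;;CCLCSWLOCRRC;;;SU)' -Verbose
```

Review the returned string before passing it to sc.exe sdset; running the helper a second time on its own output should return it unchanged.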