Remote bulk fix for VSS LLDP CAPI 513 error.

1 minute read

I’m a stickler for keeping error logs clean where possible. I wanted to fix the VSS CAPI 513 error (https://support.microsoft.com/en-ca/help/3209092) on my DPM protected servers; however, I’m also lazy efficient and didn’t want to do it manually. Here’s my quick and dirty powershell function to apply the fix to all of the appropriate servers.

Automation is a fantastic way to break things with unprecedented speed. Scripts should be understood before running. Also all the error decorations aren’t necessary, but who’s to say I can’t have fun with a blog post?
Caveat Emptor.

function Repair-mslldpPermissions {
  param (
      [string]$TargetComputer
  )

  $mslldpSDDL = Invoke-Command -ComputerName $TargetComputer -ScriptBlock {sc.exe sdshow mslldp}
  $ntserviceSecString = '(A;;CCLCSWLOCRRC;;;SU)'

  if ($mslldpSDDL -match $ntserviceSecString) {
      Write-Warning "mslldp service already has NT Service permission fix applied on $TargetComputer!"
      return;
  }

  if ($mslldpSDDL -match "[OGS]:") {
      Write-Error "I'm not smart enough to understand the SDDL on $TargetComputer.
      I expect the SDDL for this service to match the default, which only contains dacl flags.
      Make me smarter if you want to continue!" -Category InvalidOperation
  }

  $newSDDL = "$mslldpSDDL$ntserviceSecString"
  $output = Invoke-Command -ComputerName $TargetComputer -ScriptBlock {$sddl = $args[0]; sc.exe sdset mslldp $sddl} -ArgumentList $newSDDL

  switch -Wildcard ($output) {
      "*5*" {
          Write-Error "Insufficient permissions to alter SDDL of mslldp service. Failed to set SDDL" -Category PermissionDenied
          return;
      }
      "*SetServiceObjectSecurity SUCCESS*" {
          Write-Host "Successfully updated mslldp service SDDL"
          return;
      }
      Default {
          Write-Error "sc returned unexpected result:`n$output" -RecommendedAction "RTError" -Category InvalidResult
          return;
      }
  }

}