Remote bulk fix for VSS LLDP CAPI 513 error.

I’m a stickler for keeping error logs clean where possible. I wanted to fix the VSS CAPI 513 error on my DPM protected servers; however, I’m also lazy efficient and didn’t want to do it manually. Here’s my quick and dirty PowerShell function to apply the fix to all of the appropriate servers.

Automation is a fantastic way to break things with unprecedented speed. Scripts should be understood before running. Also all the error decorations aren’t necessary, but who’s to say I can’t have fun with a blog post?
Caveat Emptor.

function Repair-mslldpPermissions {
  param (
      [Parameter(Mandatory = $true)]
      [string]$TargetComputer
  )

  # Read the current SDDL; sc.exe pads its output with blank lines, so join and trim it
  $mslldpSDDL = (Invoke-Command -ComputerName $TargetComputer -ScriptBlock {sc.exe sdshow mslldp} | Out-String).Trim()
  # ACE to append: allow (A) the service logon user (SU) to query the service
  $ntserviceSecString = '(A;;CCLCSWLOCRRC;;;SU)'

  # Escape the ACE so its parentheses are matched literally instead of as a regex group
  if ($mslldpSDDL -match [regex]::Escape($ntserviceSecString)) {
      Write-Warning "mslldp service already has NT Service permission fix applied on $TargetComputer!"
      return
  }

  # Appending an ACE to the end of the string is only valid when the SDDL is a bare DACL
  if ($mslldpSDDL -match "[OGS]:") {
      Write-Error "I'm not smart enough to understand the SDDL on $TargetComputer.
      I expect the SDDL for this service to match the default, which only contains dacl flags.
      Make me smarter if you want to continue!" -Category InvalidOperation
      return
  }

  $newSDDL = "$mslldpSDDL$ntserviceSecString"
  # Collapse the result to one string so the switch below evaluates it once, not per line
  $output = (Invoke-Command -ComputerName $TargetComputer -ScriptBlock {$sddl = $args[0]; sc.exe sdset mslldp $sddl} -ArgumentList $newSDDL | Out-String).Trim()

  switch -Wildcard ($output) {
      "*5*" {
          Write-Error "Insufficient permissions to alter SDDL of mslldp service. Failed to set SDDL" -Category PermissionDenied
      }
      "*SetServiceObjectSecurity SUCCESS*" {
          Write-Host "Successfully updated mslldp service SDDL"
      }
      Default {
          Write-Error "sc returned unexpected result:`n$output" -RecommendedAction "RTError" -Category InvalidResult
      }
  }
}
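
Since scripts should be understood before running, it helps to see what the appended ACE `(A;;CCLCSWLOCRRC;;;SU)` actually grants. The decoder below is an added example, not code from the original post: `ConvertFrom-ServiceSddl` is a hypothetical helper name, the sample descriptor is constructed rather than read from a real host, and the rights table is the standard SDDL mapping for service objects.

```powershell
# Added example. ConvertFrom-ServiceSddl is a hypothetical helper name.
# Standard SDDL rights codes as they apply to service objects.
$ServiceRights = @{
    CC = 'SERVICE_QUERY_CONFIG';         DC = 'SERVICE_CHANGE_CONFIG'
    LC = 'SERVICE_QUERY_STATUS';         SW = 'SERVICE_ENUMERATE_DEPENDENTS'
    RP = 'SERVICE_START';                WP = 'SERVICE_STOP'
    DT = 'SERVICE_PAUSE_CONTINUE';       LO = 'SERVICE_INTERROGATE'
    CR = 'SERVICE_USER_DEFINED_CONTROL'; SD = 'DELETE'
    RC = 'READ_CONTROL';                 WD = 'WRITE_DAC'
    WO = 'WRITE_OWNER'
}
# Rights that let the trustee reconfigure, re-permission, take over or delete the service
$ModifyCodes = 'DC', 'WD', 'WO', 'SD'

function ConvertFrom-ServiceSddl {
    param ([Parameter(Mandatory = $true)][string]$Sddl)

    # Each ACE has the form (type;flags;rights;object_guid;inherit_object_guid;trustee)
    foreach ($ace in [regex]::Matches($Sddl, '\(([^()]*)\)')) {
        $fields = $ace.Groups[1].Value.Split(';')
        if ($fields.Count -ne 6 -or $fields[2] -cnotmatch '^([A-Z]{2})*$') {
            # Hex masks and conditional ACEs are out of scope; surface them instead of guessing
            Write-Warning "Not decoded: $($ace.Value)"
            continue
        }
        # Rights are two-letter codes written back to back, e.g. CCLCSW
        $codes = @([regex]::Matches($fields[2], '[A-Z]{2}') | ForEach-Object { $_.Value })
        $names = @($codes | ForEach-Object {
            if ($ServiceRights.ContainsKey($_)) { $ServiceRights[$_] } else { "UNKNOWN($_)" }
        })
        [pscustomobject]@{
            Type      = $fields[0]
            Trustee   = $fields[5]
            CanModify = [bool]($codes | Where-Object { $_ -in $ModifyCodes })
            Rights    = $names -join ', '
        }
    }
}

# The ACE from the post: allow (A) the service logon user (SU) six rights, none of them modifying
ConvertFrom-ServiceSddl '(A;;CCLCSWLOCRRC;;;SU)' | Format-List

# Constructed sample descriptor (not read from a real host) with the ACE appended
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' + '(A;;CCLCSWLOCRRC;;;SU)'
ConvertFrom-ServiceSddl $sample | Format-Table Trustee, CanModify, Rights -Wrap
```

Running the decoder against the output of `sc.exe sdshow mslldp` before and after the change gives a readable record of what was altered on each server.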