Difference between revisions of "Windows Group Policy"
From MgmtWiki
(→Solutions)
(→Powershell Grant logon as Service)
(One intermediate revision by the same user not shown)
Line 20: | Line 20: | ||
</pre> | </pre> | ||
===Powershell Grant logon as Service=== | ===Powershell Grant logon as Service=== | ||
+ | <pre> | ||
+ | If PowerShell reports an "ExecutionPolicy Error", it may be necessary to change the ExecutionPolicy: | ||
+ | |||
+ | PS > Set-ExecutionPolicy RemoteSigned | ||
+ | |||
+ | ... May Result in a signing error -- And then changed to: | ||
+ | |||
+ | PS > Set-ExecutionPolicy Unrestricted | ||
+ | |||
+ | And then use the Script to assign the permission: | ||
+ | |||
+ | PS > .".\Add Account To LogonAsService.ps1" "NT Service\btsyncsvc" | ||
+ | |||
+ | Reset the ExecutionPolicy if desired: | ||
+ | |||
+ | PS > Set-ExecutionPolicy Restricted | ||
+ | </pre> | ||
https://gallery.technet.microsoft.com/scriptcenter/Grant-Log-on-as-a-service-11a50893 | https://gallery.technet.microsoft.com/scriptcenter/Grant-Log-on-as-a-service-11a50893 | ||
+ | <pre> | ||
+ | param($accountToAdd) | ||
+ | #written by Ingo Karstein, http://blog.karstein-consulting.com | ||
+ | # v1.0, 01/03/2014 | ||
+ | |||
+ | ## <--- Configure here | ||
+ | |||
+ | if( [string]::IsNullOrEmpty($accountToAdd) ) { | ||
+ | Write-Host "no account specified" | ||
+ | exit | ||
+ | } | ||
+ | |||
+ | ## ---> End of Config | ||
+ | |||
+ | $sidstr = $null | ||
+ | try { | ||
+ | $ntprincipal = new-object System.Security.Principal.NTAccount "$accountToAdd" | ||
+ | $sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier]) | ||
+ | $sidstr = $sid.Value.ToString() | ||
+ | } catch { | ||
+ | $sidstr = $null | ||
+ | } | ||
+ | |||
+ | Write-Host "Account: $($accountToAdd)" -ForegroundColor DarkCyan | ||
+ | |||
+ | if( [string]::IsNullOrEmpty($sidstr) ) { | ||
+ | Write-Host "Account not found!" -ForegroundColor Red | ||
+ | exit -1 | ||
+ | } | ||
+ | |||
+ | Write-Host "Account SID: $($sidstr)" -ForegroundColor DarkCyan | ||
+ | |||
+ | $tmp = [System.IO.Path]::GetTempFileName() | ||
+ | |||
+ | Write-Host "Export current Local Security Policy" -ForegroundColor DarkCyan | ||
+ | secedit.exe /export /cfg "$($tmp)" | ||
+ | |||
+ | $c = Get-Content -Path $tmp | ||
+ | |||
+ | $currentSetting = "" | ||
+ | |||
+ | foreach($s in $c) { | ||
+ | if( $s -like "SeServiceLogonRight*") { | ||
+ | $x = $s.split("=",[System.StringSplitOptions]::RemoveEmptyEntries) | ||
+ | $currentSetting = $x[1].Trim() | ||
+ | } | ||
+ | } | ||
+ | |||
+ | if( $currentSetting -notlike "*$($sidstr)*" ) { | ||
+ | Write-Host "Modify Setting ""Logon as a Service""" -ForegroundColor DarkCyan | ||
+ | |||
+ | if( [string]::IsNullOrEmpty($currentSetting) ) { | ||
+ | $currentSetting = "*$($sidstr)" | ||
+ | } else { | ||
+ | $currentSetting = "*$($sidstr),$($currentSetting)" | ||
+ | } | ||
+ | |||
+ | Write-Host "$currentSetting" | ||
+ | |||
+ | $outfile = @" | ||
+ | [Unicode] | ||
+ | Unicode=yes | ||
+ | [Version] | ||
+ | signature="`$CHICAGO`$" | ||
+ | Revision=1 | ||
+ | [Privilege Rights] | ||
+ | SeServiceLogonRight = $($currentSetting) | ||
+ | "@ | ||
+ | |||
+ | $tmp2 = [System.IO.Path]::GetTempFileName() | ||
+ | |||
+ | |||
+ | Write-Host "Import new settings to Local Security Policy" -ForegroundColor DarkCyan | ||
+ | $outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force | ||
+ | |||
+ | #notepad.exe $tmp2 | ||
+ | Push-Location (Split-Path $tmp2) | ||
+ | |||
+ | try { | ||
+ | secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS | ||
+ | #write-host "secedit.exe /configure /db ""secedit.sdb"" /cfg ""$($tmp2)"" /areas USER_RIGHTS " | ||
+ | } finally { | ||
+ | Pop-Location | ||
+ | } | ||
+ | } else { | ||
+ | Write-Host "NO ACTIONS REQUIRED! Account already in ""Logon as a Service""" -ForegroundColor DarkCyan | ||
+ | } | ||
+ | |||
+ | Write-Host "Done." -ForegroundColor DarkCyan | ||
+ | </pre> |
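Review bot: the ExecutionPolicy steps at the top of the hunk (`PS > Set-ExecutionPolicy Unrestricted`) loosen the policy for the whole machine and leave it that way unless the closing `PS > Set-ExecutionPolicy Restricted` is remembered; for one downloaded script the narrower options are `Unblock-File` on the .ps1 or `Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process`, which expires with the session. In the script body, the two `GetTempFileName()` files (`$tmp`, the full policy export, and `$tmp2`) are never removed, so a copy of the host's privilege-rights configuration stays in %TEMP%; add `Remove-Item` for both after the `Pop-Location`. Minor: the "no account specified" branch ends with a bare `exit` (status 0) while "Account not found!" uses `exit -1`; use a non-zero code in both so a caller can detect the failure.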
Latest revision as of 17:25, 9 August 2020
Full Title
Set security with Windows Group Policy.
Context
- While this feature of Windows was created for the control of computers in a Windows domain, it can be set on individual computers as well.
Problems
This feature is a super pain for use by normal users.
Solutions
Enable the Group Policy Editor (Gpedit.msc) on Windows 10 Home with the following batch file. If this method fails, there are other methods to try at https://tinyurl.com/majorgeeksgpedit
<pre>
@echo off
pushd "%~dp0"
dir /b %SystemRoot%\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~3*.mum >List.txt
dir /b %SystemRoot%\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~3*.mum >>List.txt
for /f %%i in ('findstr /i . List.txt 2^>nul') do dism /online /norestart /add-package:"%SystemRoot%\servicing\Packages\%%i"
pause
</pre>
Powershell Grant logon as Service
<pre>
If PowerShell reports an "ExecutionPolicy Error", it may be necessary to change the ExecutionPolicy:

PS > Set-ExecutionPolicy RemoteSigned

This may still produce a signing error; if so, change it to:

PS > Set-ExecutionPolicy Unrestricted

Then use the script to assign the permission:

PS > .".\Add Account To LogonAsService.ps1" "NT Service\btsyncsvc"

Reset the ExecutionPolicy if desired:

PS > Set-ExecutionPolicy Restricted
</pre>
https://gallery.technet.microsoft.com/scriptcenter/Grant-Log-on-as-a-service-11a50893
<pre>
param($accountToAdd)
# written by Ingo Karstein, http://blog.karstein-consulting.com
# v1.0, 01/03/2014

## <--- Configure here

if( [string]::IsNullOrEmpty($accountToAdd) ) {
    Write-Host "no account specified"
    exit 1
}

## ---> End of Config

# Resolve the account name to a SID; secedit stores user rights as "*SID" entries
$sidstr = $null
try {
    $ntprincipal = New-Object System.Security.Principal.NTAccount "$accountToAdd"
    $sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
    $sidstr = $sid.Value.ToString()
} catch {
    $sidstr = $null
}

Write-Host "Account: $($accountToAdd)" -ForegroundColor DarkCyan

if( [string]::IsNullOrEmpty($sidstr) ) {
    Write-Host "Account not found!" -ForegroundColor Red
    exit -1
}

Write-Host "Account SID: $($sidstr)" -ForegroundColor DarkCyan

$tmp = [System.IO.Path]::GetTempFileName()
$tmp2 = $null

Write-Host "Export current Local Security Policy" -ForegroundColor DarkCyan
secedit.exe /export /cfg "$($tmp)"

$c = Get-Content -Path $tmp

# Find the existing "SeServiceLogonRight = *SID,*SID,..." line in the export
$currentSetting = ""

foreach($s in $c) {
    if( $s -like "SeServiceLogonRight*") {
        $x = $s.split("=",[System.StringSplitOptions]::RemoveEmptyEntries)
        $currentSetting = $x[1].Trim()
    }
}

if( $currentSetting -notlike "*$($sidstr)*" ) {
    Write-Host "Modify Setting ""Logon as a Service""" -ForegroundColor DarkCyan

    # Prepend the new SID, keeping every account that already holds the right
    if( [string]::IsNullOrEmpty($currentSetting) ) {
        $currentSetting = "*$($sidstr)"
    } else {
        $currentSetting = "*$($sidstr),$($currentSetting)"
    }

    Write-Host "$currentSetting"

    # Minimal security template containing only the right being changed
    $outfile = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $($currentSetting)
"@

    $tmp2 = [System.IO.Path]::GetTempFileName()

    Write-Host "Import new settings to Local Security Policy" -ForegroundColor DarkCyan
    $outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force

    #notepad.exe $tmp2
    Push-Location (Split-Path $tmp2)

    try {
        # Apply only the USER_RIGHTS area so other policy areas are left untouched
        secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS
        #write-host "secedit.exe /configure /db ""secedit.sdb"" /cfg ""$($tmp2)"" /areas USER_RIGHTS "
    } finally {
        Pop-Location
    }
} else {
    Write-Host "NO ACTIONS REQUIRED! Account already in ""Logon as a Service""" -ForegroundColor DarkCyan
}

# Remove the temporary files: the export holds the host's privilege assignments
Remove-Item -Path $tmp -ErrorAction SilentlyContinue
if( $tmp2 ) { Remove-Item -Path $tmp2 -ErrorAction SilentlyContinue }

Write-Host "Done." -ForegroundColor DarkCyan
</pre>
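The script above only adds an account. As an added example (not part of the wiki page or Ingo Karstein's script), the following uses the same secedit.exe export to audit which accounts currently hold "Log on as a service", resolving each SID back to a name so unexpected holders can be spotted; the `$baseline` list and the function name are assumptions for illustration. Run it from an elevated PowerShell.

```powershell
# Added example: enumerate holders of SeServiceLogonRight from a secedit export.
function Get-ServiceLogonRightHolders {
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        # Same export the grant script uses; restricting to USER_RIGHTS keeps the file small
        secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        $line = Get-Content -Path $tmp | Where-Object { $_ -like 'SeServiceLogonRight*' }
        if (-not $line) { return @() }   # right not present: no account holds it

        # Value looks like "*S-1-5-80-...,*S-1-5-21-...,Name"; entries starting with * are SIDs
        $value = ($line -split '=', 2)[1].Trim()
        foreach ($entry in ($value -split ',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '<unresolved>' }   # deleted account or SID from another domain
                [pscustomobject]@{ Sid = $sid.Value; Name = $name }
            } else {
                [pscustomobject]@{ Sid = $null; Name = $entry }   # secedit may write plain names
            }
        }
    } finally {
        # The export describes the host's privilege assignments; do not leave it in %TEMP%
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

# Placeholder baseline (assumption): accounts expected to hold the right on this host
$baseline = @('NT SERVICE\ALL SERVICES')

Get-ServiceLogonRightHolders |
    Select-Object Name, Sid,
        @{ n = 'Status'; e = { if ($baseline -contains $_.Name) { 'baseline' } else { 'REVIEW' } } } |
    Format-Table -AutoSize
```

Entries marked REVIEW are accounts the baseline does not list; an unresolved SID usually means the account was deleted but its right assignment was never cleaned up.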