Windows Group Policy

From MgmtWiki
Latest revision as of 16:25, 9 August 2020

Full Title

Set security with Windows Group Policy.

Context

  • While this feature of Windows was created for controlling computers in a Windows domain, it can also be applied to an individual computer as Local Group Policy.

Problems

This feature is hard for ordinary users to work with: the settings live in the Local Security Policy database and are edited through consoles (gpedit.msc, secpol.msc) that are not even installed on Windows 10 Home.

Solutions

Enable the Group Policy Editor (gpedit.msc) on Windows 10 Home, where it is not installed by default. The batch file below installs the Group Policy client packages that already sit in the local component store (%SystemRoot%\servicing\Packages) with DISM; nothing is downloaded. Run it from a command prompt opened as Administrator, because dism.exe needs elevation.
If this method fails, there are other methods to try at https://tinyurl.com/majorgeeksgpedit

@echo off
REM Enable the Group Policy Editor (gpedit.msc) on Windows 10 Home by adding the
REM GroupPolicy client packages that are already present in the component store.
REM Must be run from a command prompt opened as Administrator (dism.exe needs elevation).

pushd "%~dp0"

REM Collect the package manifests (.mum) of the Group Policy client extensions and tools.
dir /b %SystemRoot%\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~3*.mum >List.txt
dir /b %SystemRoot%\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~3*.mum >>List.txt

REM Add every listed package to the running installation; /norestart defers any reboot.
for /f %%i in ('findstr /i . List.txt 2^>nul') do dism /online /norestart /add-package:"%SystemRoot%\servicing\Packages\%%i"

del List.txt
popd
pause
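As an added example, not part of the original page or of the batch file's source, here is the same DISM procedure in PowerShell, the shell the rest of this page uses. It adds the checks the batch file lacks: it refuses to run without elevation, stops if the package manifests are not in the component store, treats DISM exit code 3010 (restart pending) as success, and confirms that gpedit.msc exists afterwards. The function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): the batch file's DISM procedure in PowerShell,
# with an elevation check, exit-code handling and a final check that gpedit.msc exists.

function Test-IsElevated {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal $id
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-GroupPolicyPackageManifests {
    # The .mum manifests are present in the component store even on Home editions; these two
    # name patterns are the ones the batch file above installs.
    $store = Join-Path $env:SystemRoot 'servicing\Packages'
    $patterns = @('Microsoft-Windows-GroupPolicy-ClientExtensions-Package~3*.mum',
                  'Microsoft-Windows-GroupPolicy-ClientTools-Package~3*.mum')
    foreach ($pattern in $patterns) {
        Get-ChildItem -Path $store -Filter $pattern -File -ErrorAction SilentlyContinue
    }
}

function Install-GroupPolicyEditor {
    # Returns $true when gpedit.msc is present after the run (or was present already).
    if (-not (Test-IsElevated)) {
        throw 'Run this from an elevated PowerShell: dism.exe needs administrator rights.'
    }
    $gpedit = Join-Path $env:SystemRoot 'System32\gpedit.msc'
    if (Test-Path -Path $gpedit) {
        Write-Host "gpedit.msc is already installed ($gpedit)."
        return $true
    }

    $manifests = @(Get-GroupPolicyPackageManifests)
    if ($manifests.Count -eq 0) {
        throw 'No Group Policy client package manifests found in the component store.'
    }

    $rebootNeeded = $false
    foreach ($m in $manifests) {
        Write-Host "Adding package $($m.Name)"
        # Same call as the batch file; DISM's own output is kept only for the failure message.
        $output = & dism.exe /online /norestart "/add-package:$($m.FullName)"
        switch ($LASTEXITCODE) {
            0       { }
            3010    { $rebootNeeded = $true }   # ERROR_SUCCESS_REBOOT_REQUIRED
            default { throw "dism.exe failed on $($m.Name) (exit code $LASTEXITCODE):`n$($output -join "`n")" }
        }
    }
    if ($rebootNeeded) { Write-Warning 'Restart Windows to finish installing the packages.' }
    return (Test-Path -Path $gpedit)
}

Install-GroupPolicyEditor
```

Run it from an elevated PowerShell. One caveat applies to the batch file as well: installing the editor does not turn Home into Pro. Some settings that gpedit.msc then exposes may not be enforced on Home because the components that act on them are not installed, so verify that a policy actually takes effect (for example with gpresult /h) before relying on it.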

PowerShell: Grant "Log on as a service"

If PowerShell refuses to run the script with an execution-policy error, the cause is usually one of two things: the policy is Restricted (the default on client editions), or the script was downloaded and still carries the Zone.Identifier "mark of the web", which RemoteSigned treats as a remote file. Allowing local scripts is the first step:

PS > Set-ExecutionPolicy RemoteSigned

... This may still produce a signing error for a downloaded script. Do not lower the machine-wide policy to Unrestricted for every user on the machine. Either clear the download mark from the one file you have reviewed (the Unblock-File cmdlet does this), or relax the policy only for the current PowerShell process:

PS > Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process

Then run the script from an elevated PowerShell (secedit.exe needs administrator rights) to assign the right; the example grants it to the virtual account of the btsync service:

PS > & ".\Add Account To LogonAsService.ps1" "NT Service\btsyncsvc"

The process-scoped change disappears when the window is closed. If you changed the machine-wide policy instead, reset it:

PS > Set-ExecutionPolicy Restricted

The script, reproduced below, was published by Ingo Karstein in the TechNet Script Center gallery (the gallery has since been retired, so the link may no longer resolve):
https://gallery.technet.microsoft.com/scriptcenter/Grant-Log-on-as-a-service-11a50893

#Requires -RunAsAdministrator
param($accountToAdd)
#written by Ingo Karstein, http://blog.karstein-consulting.com
#  v1.0, 01/03/2014
#
# Grants the "Log on as a service" right (SeServiceLogonRight) to one account by exporting
# the Local Security Policy with secedit.exe, prepending the account's SID to the privilege
# line and importing the result. secedit.exe needs an elevated PowerShell.

## <--- Configure here

if( [string]::IsNullOrEmpty($accountToAdd) ) {
	Write-Host "no account specified"
	exit 1
}

## ---> End of Config

# Resolve the account name (e.g. "NT Service\btsyncsvc" or "DOMAIN\svc-app") to its SID;
# secedit stores user rights as SIDs, not names.
$sidstr = $null
try {
	$ntprincipal = New-Object System.Security.Principal.NTAccount "$accountToAdd"
	$sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
	$sidstr = $sid.Value.ToString()
} catch {
	$sidstr = $null
}

Write-Host "Account: $($accountToAdd)" -ForegroundColor DarkCyan

if( [string]::IsNullOrEmpty($sidstr) ) {
	Write-Host "Account not found!" -ForegroundColor Red
	exit -1
}

Write-Host "Account SID: $($sidstr)" -ForegroundColor DarkCyan

$tmp  = [System.IO.Path]::GetTempFileName()   # exported policy (INF, UTF-16)
$tmp2 = [System.IO.Path]::GetTempFileName()   # the fragment to import
$workdir = Split-Path $tmp2

try {
	Write-Host "Export current Local Security Policy" -ForegroundColor DarkCyan
	secedit.exe /export /cfg "$($tmp)"
	if( $LASTEXITCODE -ne 0 ) { throw "secedit.exe /export failed (exit code $LASTEXITCODE)" }

	$c = Get-Content -Path $tmp

	# Find the existing line, e.g.  SeServiceLogonRight = *S-1-5-80-0,*S-1-5-20
	$currentSetting = ""
	foreach($s in $c) {
		if( $s -like "SeServiceLogonRight*") {
			$x = $s.split("=",[System.StringSplitOptions]::RemoveEmptyEntries)
			$currentSetting = $x[1].Trim()
		}
	}

	# Compare whole SIDs, not substrings: a SID that is a prefix of a longer one must not count as present.
	$holders = @($currentSetting.Split(",") | ForEach-Object { $_.Trim().TrimStart("*") } | Where-Object { $_ })

	if( $holders -notcontains $sidstr ) {
		Write-Host "Modify Setting ""Logon as a Service""" -ForegroundColor DarkCyan

		if( [string]::IsNullOrEmpty($currentSetting) ) {
			$currentSetting = "*$($sidstr)"
		} else {
			$currentSetting = "*$($sidstr),$($currentSetting)"
		}

		Write-Host "$currentSetting"

		# Minimal INF carrying only the one privilege line; /areas USER_RIGHTS on the import
		# below restricts the change to user rights so nothing else in the policy is touched.
		$outfile = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $($currentSetting)
"@

		Write-Host "Import new settings to Local Security Policy" -ForegroundColor DarkCyan
		$outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force

		#notepad.exe $tmp2
		Push-Location $workdir
		try {
			secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS
			if( $LASTEXITCODE -ne 0 ) { throw "secedit.exe /configure failed (exit code $LASTEXITCODE); see %windir%\security\logs\scesrv.log" }
		} finally {
			Pop-Location
		}
	} else {
		Write-Host "NO ACTIONS REQUIRED! Account already in ""Logon as a Service""" -ForegroundColor DarkCyan
	}
} finally {
	# The export is a full copy of the local security policy; do not leave it, or the
	# scratch database secedit created, behind in %TEMP%.
	Remove-Item -Path $tmp, $tmp2 -Force -ErrorAction SilentlyContinue
	Remove-Item -Path (Join-Path $workdir "secedit.sdb"), (Join-Path $workdir "secedit.jfm") -Force -ErrorAction SilentlyContinue
}

Write-Host "Done." -ForegroundColor DarkCyan
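The grant script above writes the policy but never reads it back. As an added example, not part of the original page or of Ingo Karstein's script, the functions below export the user-rights assignments with secedit.exe, parse the [Privilege Rights] section, resolve the SIDs to account names, and check a specific account with an exact SID match. Logon rights such as SeServiceLogonRight are not token privileges, so whoami /priv will not show them; secedit is the inbox tool that does. The function names and the btsyncsvc account in the usage lines are assumptions taken from the example above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page or Ingo Karstein's script): read the user-rights
# assignments back out of the Local Security Policy to verify a grant, including the matching
# Deny right, which overrides the Allow right when both list the same account.

function Get-UserRightsAssignment {
    # Returns a hashtable: privilege name -> array of holders (SID strings with secedit's
    # leading '*' removed; entries secedit could not write as SIDs stay as the names it wrote).
    $inf = [System.IO.Path]::GetTempFileName()
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit.exe /export failed with exit code $LASTEXITCODE" }
        $rights = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inSection) { continue }
            if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
                $name = $Matches[1]
                $holders = $Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
                $rights[$name] = @($holders)
            }
        }
        return $rights
    } finally {
        # The export is a copy of the machine's security policy; do not leave it in %TEMP%.
        Remove-Item -Path $inf -Force -ErrorAction SilentlyContinue
    }
}

function Resolve-AccountSid {
    param([Parameter(Mandatory)][string]$Account)
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Resolve-SidName {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid   # orphaned SID of a deleted account, or a name secedit wrote verbatim; report it raw
    }
}

function Get-UserRight {
    # Lists who holds one privilege, with the SIDs resolved back to account names.
    param([Parameter(Mandatory)][string]$Privilege, [hashtable]$Rights = (Get-UserRightsAssignment))
    foreach ($holder in $Rights[$Privilege]) {
        [pscustomobject]@{ Privilege = $Privilege; Sid = $holder; Account = Resolve-SidName -Sid $holder }
    }
}

function Test-ServiceLogonRight {
    # True only if the account holds SeServiceLogonRight AND is not listed in
    # SeDenyServiceLogonRight: the Deny right always wins when both are present.
    param([Parameter(Mandatory)][string]$Account)
    $sid = Resolve-AccountSid -Account $Account
    $rights = Get-UserRightsAssignment
    $allowed = $rights['SeServiceLogonRight'] -contains $sid        # exact SID match, not a substring test
    $denied  = $rights['SeDenyServiceLogonRight'] -contains $sid
    return ($allowed -and -not $denied)
}

# Usage (elevated PowerShell), e.g. after running the grant script above:
Get-UserRight -Privilege SeServiceLogonRight | Format-Table -AutoSize
Test-ServiceLogonRight -Account 'NT Service\btsyncsvc'
```

Get-UserRight works for any user right in the export (SeDenyNetworkLogonRight, SeBackupPrivilege and so on), which makes it a quick audit of who can do what on a standalone machine. Test-ServiceLogonRight deliberately checks the Deny right as well; a service account that appears under SeServiceLogonRight but also under SeDenyServiceLogonRight will still fail to start.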