Question
I am looking for a method to access and modify local group policy settings on a PC programmatically.
For example, if I want to check / modify a value for a setting
"Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit Logon Events" (Path taken from gpedit), I should be able to query it over a command line or set a value to it without the gpedit or any other native GUI interface.
Possible methods that I could think of that might solve this problem were either of the following two:
1. A programming interface for Local Group Policy Setting manipulation
Based on my search
i. There was no official documentation or tool from Microsoft that could query and manipulate a given setting in Local Security Policy.
ii. The closest I could get was a vendor named sdmsoftware (Link: https://sdmsoftware.com/group-policy-management-products/group-policy-automation-engine/) who provides a PowerShell interface for manipulating the local group policy. Since the company I work for is just a startup, we can't invest in any tools right now. Hence buying something is out of scope. I am looking for a freeware / OSS / any workaround to achieve this.
2. A mapping file consisting of All Local Security Settings mapped to a corresponding registry key or a file path. So that the same registry keys or file can be used to directly query or modify a security setting.
Based on my search
i. I found a list given by Microsoft which gives a corresponding registry key for some of the Local Security Policy settings. However, the list does not contain mappings of all Local Security Settings.
(Link: www.microsoft.com/en-us/download/details.aspx?id=25250)
I understand that the querying task can be done by exporting the result using gpresult and parsing it, but the same is not possible for modification. I also tried testing and analysing the following Microsoft tools to somehow get the path of various local group policy settings by monitoring them under tools like PSmon to see what files were being opened and what registries were being queried, etc.:
a) Security Compliance Manager
(Link: technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx)
b) Microsoft Security Compliance Toolkit (Link: www.microsoft.com/en-us/download/confirmation.aspx?id=55319&6B49FDFB-8E5B-4B07-BC31-15695C5A2143=1)
However, it did not yield any result; this could also be because I might not have analysed them properly.
I would like to know if there are any documents / articles / a free (free as in free beer) programming interface for Local Security Policy / any workaround hack that can allow me to edit and query local group settings programmatically.
Thanks in advance.
Answer 1:
Unfortunately not every setting in the Security Settings is accessible in the same way.
As you already said, you can set most settings in the registry. If not, it highly depends on the setting you want to modify. For instance you can use:
- auditpol.exe for Audit Policy Settings.
- UserRights.ps1 for User Right Assignments.
AFAIK there is no solution for all settings. If you need to modify another setting, you should ask about this specific setting to find a programmatic solution for it.
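The auditpol.exe route mentioned in the answer, shown as an added example that is not part of the original question or answer: it backs up the current audit policy, reads the "Logon/Logoff" category (the advanced-audit category behind gpedit's "Audit Logon Events"), enables success and failure auditing, and verifies the result. The function names `Get-AuditCategory` and `Set-AuditCategory` are hypothetical helpers, and the category name assumes an English-language Windows install.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumes an English-language Windows install, because
# auditpol.exe category names are localized.
$Category = 'Logon/Logoff'   # advanced-audit category behind "Audit logon events"

function Get-AuditCategory {
    param([Parameter(Mandatory)][string]$Name)
    # /r switches auditpol to CSV output; drop blank lines before parsing.
    $csv = auditpol.exe /get "/category:$Name" /r | Where-Object { $_.Trim() }
    if ($LASTEXITCODE -ne 0) { throw "auditpol /get failed ($LASTEXITCODE)" }
    $csv | ConvertFrom-Csv | Select-Object Subcategory, 'Inclusion Setting'
}

function Set-AuditCategory {
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('enable', 'disable')][string]$Success = 'enable',
        [ValidateSet('enable', 'disable')][string]$Failure = 'enable'
    )
    auditpol.exe /set "/category:$Name" "/success:$Success" "/failure:$Failure" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed ($LASTEXITCODE)" }
}

# Save the complete audit policy first so the change can be rolled back with:
#   auditpol.exe /restore /file:<path>
$backup = Join-Path $env:TEMP ('auditpol-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
auditpol.exe /backup "/file:$backup" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "auditpol /backup failed ($LASTEXITCODE)" }

'Before:'; Get-AuditCategory -Name $Category | Format-Table -AutoSize
Set-AuditCategory -Name $Category -Success enable -Failure enable
'After:';  Get-AuditCategory -Name $Category | Format-Table -AutoSize

# Fail if any subcategory did not end up with both success and failure auditing.
$notSet = Get-AuditCategory -Name $Category |
    Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }
if ($notSet) { throw "Not applied to: $($notSet.Subcategory -join ', ')" }
"Backup of previous policy: $backup"
```

On a domain-joined machine, audit settings delivered by Group Policy are reapplied at the next policy refresh and will replace a local change like this one.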
Source: https://stackoverflow.com/questions/45905569/programmatical-manipulation-of-windows-local-security-policy