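How to add a user group to the "Shut down the system" Group Policy in Windows Server using CMD or PowerShell
I have read some documentation on Microsoft's and other websites. Some of them suggest using GPRegistryValue for registry-based policies, and recommend other third-party software.
The full path of the key is: "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment"
But in my case, I can't use any package other than CMD or PowerShell (the UI is not available).
Thanks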
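Answer 1
Windows provides the secedit.exe tool for this, and/or custom code, as per the links provided in my comment to you.
Also, have you checked the mspowershellgallery.com site for modules that can assist with local user security policy?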
Find-Module -Name '*sec*pol*'
# Results
<#
Version    Name                    Repository Description
-------    ----                    ---------- -----------
2.10.0.0   SecurityPolicyDsc       PSGallery  This module is a wrapper around secedit.exe which provides the ability to configure user rights assignments
1.3.2      Indented.SecurityPolicy PSGallery  Security management functions and resources
0.0.12     SecurityPolicy          PSGallery  Module that allows getting, adding and removing User Rights Assignment without using secedit.exe
#>
and
Find-Module -Name '*rights*'
# Results
<#
Version    Name                        Repository Description
-------    ----                        ---------- -----------
1.0.2      cUserRightsAssignment       PSGallery  The cUserRightsAssignment module contains the cUserRight DSC resource ...
1.0.0      UserRightsAssignment        PSGallery  Analyze the effective User Rights Assignments on a computer and compare results
1.0.1      KMaks.ActiveDirectoryRights PSGallery  This module helps with ActiveDirectory ACL auditing.
#>
Update based on the suggestion from "@Vomit IT - Chunky Mess Style".
# Doing this with Secedit and PowerShell - something I used in the past
# Get the SID of the current user
$objUser = New-Object System.Security.Principal.NTAccount("$ENV:userdomain\$ENV:username")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$MySID = $strSID.Value
# Get the list of SIDs that currently hold the right
secedit /export /cfg tempexport.inf
$curSIDs = Select-String .\tempexport.inf -Pattern "SeShutdownPrivilege "
$Sids = $curSIDs.line
# LogOnAsAService.inf is a template file that is not shown on this page; the updated line is appended to a copy of it
copy .\LogOnAsAService.inf .\LogOnAsAServiceTemplate.inf
add-content .\LogOnAsAServiceTemplate.inf "$Sids,*$MySID"
# Import the template into a security database, apply it, then refresh policy
$scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
secedit /import /db secedit.sdb /cfg "$scriptPath\LogOnAsAServiceTemplate.inf"
secedit /configure /db secedit.sdb
gpupdate /force
A more concise/elegant option.
# Using one of the modules - just replace the right needed.
Find-Module -Name 'SecurityPolicy' |
Install-Module -Force
Get-Command -Module 'SecurityPolicy'
# Results
<#
CommandType Name                        Version Source
----------- ----                        ------- ------
Function    Add-UserRightsAssignment    0.0.12  SecurityPolicy
Function    Get-SecurityPolicy          0.0.12  SecurityPolicy
Function    Get-UserRightsAssignment    0.0.12  SecurityPolicy
Function    Remove-UserRightsAssignment 0.0.12  SecurityPolicy
Function    Set-SecurityPolicy          0.0.12  SecurityPolicy
Function    Set-UserRightsAssignment    0.0.12  SecurityPolicy
#>
Get-Help -Name 'Add-UserRightsAssignment' -Examples
# Results
<#
-------------------------- EXAMPLE 1 --------------------------
PS C:\>Add-UserRightsAssignment -UserRightsAssignment SeBackupPrivilege -Identity "Evotec\Administrator"
#>
FYI --- update for "@Vomit IT - Chunky Mess Style". Using PS_LSA.Wrapper
Add-Type @'
lots of library code here
'@
$LocalUserRights = New-Object PS_LSA.LsaWrapper($env:COMPUTERNAME)
$LocalUserRights |
Get-Member
# Results
<#
   TypeName: PS_LSA.LsaWrapper
Name                           MemberType Definition
----                           ---------- ----------
AddPrivilege                   Method     void AddPrivilege(string account, PS_LSA.Rights privilege)
...
EnumerateAccountPrivileges     Method     PS_LSA.Rights[] EnumerateAccountPrivileges(string account)
EnumerateAccountsWithUserRight Method     string[] EnumerateAccountsWithUserRight(PS_LSA.Rights privilege)
...
RemovePrivilege                Method     void RemovePrivilege(string account, PS_LSA.Rights privilege)
...
#>
# Examples:
$LocalUserRights = New-Object PS_LSA.LsaWrapper($env:COMPUTERNAME)
$LocalUserRights.AddPrivilege("$env:COMPUTERNAME\$env:USERNAME", "SeBatchLogonRight")
$LocalUserRights.RemovePrivilege("$env:COMPUTERNAME\$env:USERNAME", "SeBatchLogonRight")
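
Applied to the question's own case (a group and the "Shut down the system" right, SeShutdownPrivilege), the secedit approach can be written without an external template file and limited to the user-rights area. This is an added example, not code from the answer; the function name Add-UserRightHolder and the group CONTOSO\Shutdown Operators are hypothetical.

```powershell
# Added example (not the answer's code). Run from an elevated PowerShell session.
function Add-UserRightHolder {
    param(
        [Parameter(Mandatory)] [string] $Group,    # e.g. 'CONTOSO\Shutdown Operators' (hypothetical)
        [string] $Right = 'SeShutdownPrivilege'    # "Shut down the system"
    )
    $work = Join-Path $env:TEMP ('urights-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $work | Out-Null
    try {
        # Resolve the group name to a SID; Translate() throws if the name is unknown.
        $sid = ([System.Security.Principal.NTAccount]$Group).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value

        # Export only the user-rights area of the current local policy.
        secedit /export /cfg "$work\current.inf" /areas USER_RIGHTS /quiet
        if ($LASTEXITCODE -ne 0) { throw "secedit /export exited with code $LASTEXITCODE" }

        # Current holders of the right; the line is absent when nobody holds it.
        $line = Get-Content "$work\current.inf" |
            Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
        $holders = @()
        if ($line) {
            $holders = @(($line -split '=', 2)[1].Split(',').Trim() | Where-Object { $_ })
        }

        # Idempotent: do nothing when the SID is already listed.
        if ($holders -contains "*$sid") { return 'unchanged' }
        $holders += "*$sid"

        # Minimal template that carries only this one right.
        @(
            '[Unicode]', 'Unicode=yes',
            '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
            '[Privilege Rights]', "$Right = $($holders -join ',')"
        ) | Set-Content "$work\apply.inf" -Encoding Unicode

        secedit /configure /db "$work\apply.sdb" /cfg "$work\apply.inf" /areas USER_RIGHTS /quiet
        if ($LASTEXITCODE -ne 0) { throw "secedit /configure exited with code $LASTEXITCODE" }
        return 'added'
    }
    finally {
        Remove-Item $work -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Add-UserRightHolder -Group 'CONTOSO\Shutdown Operators'
```

If a domain GPO also defines this right, the GPO's value replaces the local one at the next policy refresh.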