Setting user rights assignment of local security policy using powershell/cmd
I want to edit security settings of user rights assignment of local security policy using PowerShell or cmd.
E.g.: policy = "change the system time"
default_security_settings = "local service,Administrators"
I want to remove everything except Administrators.
I have tried the ntrights command, but it seems like it is not working. Any command will be appreciated.

Here is something I just wrote. You can make it more dynamic.

    function Replace-SecurityTest([string[]]$Usernames, [string]$SecuritySetting, $SaveFile = "C:\Configuration.cfg") {
        # Translate an account name into its SID string
        function Get-SID($USER) {
            $objUser = New-Object System.Security.Principal.NTAccount("$USER")
            $strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
            $strSID.Value
        }

        # Export the current local security policy to $SaveFile
        secedit /export /cfg $SaveFile
        $reader = [System.IO.File]::OpenText($SaveFile)
        while ($null -ne ($line = $reader.ReadLine())) {
            if ($line -like "*$SecuritySetting*") {
                # Release the file before it is rewritten below
                $reader.Close()
                # Keep the setting name and rebuild its value from the given accounts
                $line2 = $line.Remove($line.IndexOf("="))
                $line2 += "= "
                foreach ($user in $Usernames) {
                    $line2 += "*$(Get-SID -USER "$user"), "
                }
                $line2 = $line2.Remove($line2.LastIndexOf(", "))
                (gc $SaveFile).replace("$line", "$line2") | Out-File $SaveFile
                # Apply the edited file, then delete it
                secedit /configure /db c:\windows\security\local.sdb /cfg $SaveFile /areas SECURITYPOLICY
                rm -force $SaveFile -confirm:$false
                break
            }
        }
        # Also release the file when the setting was not found (closing twice is harmless)
        $reader.Close()
    }

    Replace-SecurityTest -Usernames "Administrators" -SecuritySetting "SeSystemtimePrivilege" -SaveFile "C:\Config22.cfg"

    $account = "accountName"
    $userRight = "SeServiceLogonRight*"

    # Export only the user rights area of the local policy
    $code = (Start-Process secedit -ArgumentList "/export /areas USER_RIGHTS /cfg c:\policies.inf" -Wait -PassThru).ExitCode
    if ($code -eq 0)
    {
        Write-Output "security template exported successfully exit code $code"
    }
    else
    {
        Write-Output "security template export failed exit code $code"
    }

    # Append the account's SID to the line of the chosen user right
    $sid = ((Get-LocalUser $account).SID).Value
    $policy = Get-Content C:\policies.inf
    $newpol = @()
    foreach ($line in $policy)
    {
        if ($line -like $userRight)
        {
            $line = $line + ",*$sid"
        }
        $newpol += $line
    }
    $newpol | Out-File C:\policies.inf -Force

    # Apply the edited template, then delete it
    $code = (Start-Process secedit -ArgumentList "/configure /db secedit.sdb /cfg C:\policies.inf /areas USER_RIGHTS /log C:\policies.log" -Wait -PassThru).ExitCode
    if ($code -eq 0)
    {
        Write-Output "exit code $code"
    }
    else
    {
        Write-Output "exit code $code"
    }
    Remove-Item -Path c:\policies.inf -Force
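
To confirm that a change like the ones above took effect, the [Privilege Rights] section of a secedit export can be parsed and compared with the SIDs you expect to hold the right. The following is an added example, not code from the question or either answer; the function names Get-PrivilegeRight and Test-PrivilegeRight and the sample export text are assumptions constructed for illustration.

```powershell
# Constructed sample in the layout that "secedit /export /areas USER_RIGHTS" writes.
$SampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
SeServiceLogonRight = *S-1-5-80-0
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Hypothetical helper: return the principals listed for one user right.
function Get-PrivilegeRight {
    param([string[]]$InfLines, [string]$Right)
    $inSection = $false
    foreach ($line in $InfLines) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only entries under [Privilege Rights] are user rights
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }
        $name, $value = $line -split '=', 2
        # Exact name match, so a wildcard cannot hit a similarly named right
        if ($name.Trim() -ne $Right) { continue }
        # SIDs carry a leading '*'; entries without one are plain account names
        return @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
    return @()   # right absent from the export: nobody holds it
}

# Hypothetical helper: compare the exported assignment with an expected SID list.
function Test-PrivilegeRight {
    param([string[]]$InfLines, [string]$Right, [string[]]$ExpectedSids)
    $actual = @(Get-PrivilegeRight -InfLines $InfLines -Right $Right)
    [pscustomobject]@{
        Right      = $Right
        Unexpected = @($actual | Where-Object { $_ -notin $ExpectedSids })
        Missing    = @($ExpectedSids | Where-Object { $_ -notin $actual })
    }
}

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
Test-PrivilegeRight -InfLines ($SampleInf -split "`r?`n") -Right 'SeSystemtimePrivilege' -ExpectedSids 'S-1-5-32-544'
```

On a live system, pass the lines of a fresh export (read with Get-Content) as -InfLines instead of the sample; an empty Unexpected list and an empty Missing list mean the assignment matches the baseline.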