使用powershell / cmd设置本地安全策略的用户权限分配

时间:2017-06-06 16:26:56

标签: powershell cmd

我想使用powershell或cmd编辑本地安全策略的用户权限分配的安全设置。

Eg: policy =  "change the system time"
default_security_settings = "local service,Administrators"
i want to remove everything except Administrators

我尝试过 ntrights 命令,但它似乎无法正常工作。任何可行的命令都将不胜感激。

2 个答案:

答案 0 :(得分:2)

这是我刚刚写的东西,你可以把它改得更通用(更动态)。

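<#
.SYNOPSIS
    Replaces the accounts assigned to one user-rights privilege in the local security policy.

.DESCRIPTION
    Exports the USER_RIGHTS area with secedit, rewrites the "<privilege> = ..." line in the
    [Privilege Rights] section so it lists only the SIDs of $Usernames, and re-applies the template
    with secedit /configure. Only the named privilege changes; other rights keep their current
    assignment. Removing built-in principals can break services that depend on a right (e.g. the
    Windows Time service runs as LOCAL SERVICE and uses SeSystemtimePrivilege), so check what holds
    the right today before stripping it.

.PARAMETER Usernames
    Accounts or groups that should hold the privilege afterwards, e.g. "Administrators" or
    "NT AUTHORITY\LOCAL SERVICE". An empty list removes the privilege from everyone.

.PARAMETER SecuritySetting
    The privilege constant, e.g. "SeSystemtimePrivilege". Matched as a whole name up to the '=' so
    that "SeShutdownPrivilege" no longer also matches "SeRemoteShutdownPrivilege".

.PARAMETER SaveFile
    Scratch template path; deleted on exit even when a step fails. Prefer a per-run path under a
    directory only the running account can write (e.g. $env:TEMP) over a fixed name in C:\.

.NOTES
    Must run elevated. Throws when an account cannot be resolved to a SID, when the export has no
    [Privilege Rights] section, or when secedit returns a non-zero exit code.
#>
function Replace-SecurityTest([string[]]$Usernames,[string]$SecuritySetting, $SaveFile = "C:\Configuration.cfg"){
    # Resolves an account or group name to its SID string; throws IdentityNotMappedException
    # for names that do not exist, which surfaces typos before any policy is touched.
    function Get-SID($USER){
        $account = New-Object System.Security.Principal.NTAccount("$USER")
        $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }

    # Build the replacement line first so every SID is resolved before secedit runs.
    # secedit writes SIDs with a leading '*'; an empty list yields "<privilege> = ".
    $sidEntries = foreach ($name in $Usernames) { '*' + (Get-SID -USER $name) }
    $newLine = "$SecuritySetting = " + (@($sidEntries) -join ',')

    try {
        # [Privilege Rights] belongs to the USER_RIGHTS area, not SECURITYPOLICY. Exporting and
        # re-applying only that area keeps the rest of the exported policy out of the round trip.
        secedit /export /cfg "$SaveFile" /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

        # ReadAllLines honours the UTF-16 BOM that secedit writes.
        $lines = [System.Collections.Generic.List[string]]([System.IO.File]::ReadAllLines($SaveFile))

        # Anchor on the whole privilege name so a privilege that is a prefix of another is safe.
        $pattern = '^\s*' + [regex]::Escape($SecuritySetting) + '\s*='
        $index = -1
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -match $pattern) { $index = $i; break }
        }

        if ($index -ge 0) {
            $lines[$index] = $newLine
        } else {
            # A right that nobody currently holds is absent from the export; add it under the
            # section header instead of silently leaving the policy unchanged.
            $header = $lines.IndexOf('[Privilege Rights]')
            if ($header -lt 0) { throw "exported template has no [Privilege Rights] section" }
            $lines.Insert($header + 1, $newLine)
        }

        # secedit expects UTF-16LE; pin it rather than depending on Out-File's version-specific default.
        [System.IO.File]::WriteAllLines($SaveFile, $lines.ToArray(), [System.Text.Encoding]::Unicode)

        secedit /configure /db "$env:SystemRoot\security\local.sdb" /cfg "$SaveFile" /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
    }
    finally {
        # Remove the scratch template on every exit path, not only after a successful match.
        Remove-Item -Path $SaveFile -Force -Confirm:$false -ErrorAction SilentlyContinue
    }
}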

# Leave only the built-in Administrators group on "Change the system time"
# (SeSystemtimePrivilege), using an explicit scratch template path.
$replaceArgs = @{
    Usernames       = "Administrators"
    SecuritySetting = "SeSystemtimePrivilege"
    SaveFile        = "C:\Config22.cfg"
}
Replace-SecurityTest @replaceArgs

答案 1 :(得分:0)

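# Grant one additional account a user right ("Log on as a service" here) without dropping the
# accounts that already hold it. Must run elevated. Each step is checked and the script stops on
# the first failure instead of applying a template that may be stale or half-written.

$account   = "accountName"            # user or group: "svc-app", "MYDOMAIN\svc-app", "Administrators"
$userRight = "SeServiceLogonRight"    # privilege constant, matched as a whole name (no wildcard)

# Scratch files live in the caller's TEMP rather than C:\ so only this account can touch them
# between export and configure. Both are removed in the finally block; the log is kept for review.
$template = Join-Path $env:TEMP "user-rights-$([guid]::NewGuid()).inf"
$database = Join-Path $env:TEMP "user-rights-$([guid]::NewGuid()).sdb"
$logFile  = Join-Path $env:TEMP "user-rights.log"

try
    {
        # NTAccount.Translate resolves local users, local groups, built-ins and domain accounts;
        # Get-LocalUser only knows local *users* and fails for groups such as "Administrators".
        $ntAccount = New-Object System.Security.Principal.NTAccount($account)
        $sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $sidEntry = "*$sid"   # secedit lists SIDs with a leading '*'

        # Export only the USER_RIGHTS area: it is the section we edit and the only one re-applied.
        secedit /export /areas USER_RIGHTS /cfg "$template" | Out-Null
        if ($LASTEXITCODE -ne 0)
            {
                throw "security template export failed exit code $LASTEXITCODE"
            }
        Write-Output "security template exported successfully exit code $LASTEXITCODE"

        # ReadAllLines honours the UTF-16 BOM secedit writes.
        $policy = [System.Collections.Generic.List[string]]([System.IO.File]::ReadAllLines($template))

        # Whole-name match up to '='; the capture holds the current comma-separated holders.
        $pattern = '^\s*' + [regex]::Escape($userRight) + '\s*=\s*(.*)$'
        $found = $false
        for ($i = 0; $i -lt $policy.Count; $i++)
            {
                if ($policy[$i] -match $pattern)
                    {
                        $found = $true
                        # Drop blanks and skip the append when the SID is already listed, so
                        # re-running the script does not accumulate duplicate entries.
                        $current = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
                        if ($current -contains $sidEntry)
                            {
                                Write-Output "$account already holds $userRight; nothing to do"
                                return
                            }
                        $policy[$i] = "$userRight = " + (@($current + $sidEntry) -join ',')
                        break
                    }
            }

        if (-not $found)
            {
                # A right nobody holds is absent from the export; add it under [Privilege Rights]
                # instead of silently doing nothing.
                $header = $policy.IndexOf('[Privilege Rights]')
                if ($header -lt 0) { throw "exported template has no [Privilege Rights] section" }
                $policy.Insert($header + 1, "$userRight = $sidEntry")
            }

        # secedit expects UTF-16LE; do not rely on Out-File's version-dependent default encoding.
        [System.IO.File]::WriteAllLines($template, $policy.ToArray(), [System.Text.Encoding]::Unicode)

        secedit /configure /db "$database" /cfg "$template" /areas USER_RIGHTS /log "$logFile" | Out-Null
        if ($LASTEXITCODE -ne 0)
            {
                throw "secedit /configure failed exit code $LASTEXITCODE (details in $logFile)"
            }
        Write-Output "user right applied exit code $LASTEXITCODE"
    }
finally
    {
        # Clean up the scratch template and working database on every exit path.
        Remove-Item -Path $template, $database -Force -ErrorAction SilentlyContinue
    }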