Powershell, Local Security Policy and Templates (such as the System Audit Policies or Windows Firewall Policies)

  • Question

  • Hi Team,

    Hopefully this Question does not fall foul of the guidelines of this Forum. I am currently writing a script that will set a series of local Security Policy settings on Windows Server 2012/2016 - These Servers are NOT domain joined and so AD GPO is not an option (and the associated cmdlets)

    For most of the objects, I use this methodology  to determine what the current policy is set to and then set it to the desired option or where the value is missing, setting it:

    secedit /export /cfg c:\secpol.cfg

    $secpol = (Get-Content C:\secpol.cfg)

    $newsecpol = New-Object System.Collections.ArrayList($null)
    $newsecpol.AddRange($secpol)
    # locate the existing MaximumPasswordAge line in both the original and the working copy
    $oldvalue = $secpol | where{$_ -like "MaximumPasswordAge*"}
    $oldindexID = [array]::IndexOf($secpol,$oldvalue)
    $newvalue = $newsecpol | where{$_ -like "MaximumPasswordAge*"}
    $newindexID = [array]::IndexOf($newsecpol,$newvalue)
    # rewrite the line only when it differs from the desired value
    if($secpol[$oldindexID] -ne "MaximumPasswordAge = 60"){
        $newsecpol.item($newindexID) = "MaximumPasswordAge = 60"
    }
    # add a missing entry (index 90 has to fall inside the [Privilege Rights] section of the export)
    $newsecpol.insert(90,"SeMachineAccountPrivilege = *S-1-5-32-544")
    $newsecpol | out-file c:\newsecpol.cfg
    secedit /configure /db c:\windows\security\local.sdb /cfg c:\newsecpol.cfg /areas SECURITYPOLICY
    rm -force c:\secpol.cfg -confirm:$false
    rm -force c:\newsecpol.cfg -confirm:$false

    And life was good - however as part of this - I am also wanting to set both Windows Firewall policies and System Audit Policies - And this is where I've hit a Snag - the secedit export does not include items for either of these Local Group Policy Objects.

    Initially I tried simply adding the Reg Key that gets changed to the array $newsecpol - and whilst this was parsed by Secedit successfully - the local policy when viewed in gpedit does not show as changed.

    Similar behaviour occurs when I used auditpol - the setting does not show as set via gpedit.

    As a quick aside - I can use auditpol and also PS manipulation of the Registry to add the various values I need - the issue is however that because the Local GPO does not show these as set - if a gpupdate /force is run - it wipes all these settings.

    I'm sure that there must be a way from PS to manipulate these local GPOs - and I suspect that whatever Method works for one, will work for the other.

    So far I've tried using WMI via PS to try and manipulate the settings I need (however I am relatively crap at WMI and wasn't successful - I suspect this is the right way to go - but someone may have to show me the light)

    I've tried to access the C:\Windows\security\database\security.sdb file via Powershell - again without any luck. I've tried installing MS Security Compliance Manager 4.0 (which apparently includes a Powershell Module for advanced Policy manipulation) - again no luck.

    I am sure that there is a method to do what I need - if someone can point me in the right direction - then I've got sufficient scripting skill to take it from there - but atm I'm hitting a brick wall and hope a different pair of eyes will read this and enlighten me.

    Thanks

    Monday, February 13, 2017 2:43 AM
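An added example (my own code, not the poster's script) of the same secedit export/edit/configure round trip, written to be section-aware so a value lands in the right [section] of the export instead of at a hard-coded index, and gets appended when it is missing. The function name Set-SecPolValue is mine; it assumes an elevated prompt and, like the poster's script, only reaches the settings secedit actually exports.

```powershell
# Set or add "Name = Value" inside one [Section] of a secedit export (assumed helper, not a built-in)
function Set-SecPolValue {
    param(
        [Parameter(Mandatory)][string[]]$Lines,   # lines from secedit /export
        [Parameter(Mandatory)][string]$Section,   # e.g. 'System Access' or 'Privilege Rights'
        [Parameter(Mandatory)][string]$Name,      # e.g. 'MaximumPasswordAge'
        [Parameter(Mandatory)][string]$Value      # e.g. '60' or '*S-1-5-32-544'
    )
    $out = New-Object System.Collections.Generic.List[string]
    $pattern = '^\s*' + [regex]::Escape($Name) + '\s*='
    $inSection = $false; $sectionSeen = $false; $done = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') {
            # leaving the target section without having found the key: append it there
            if ($inSection -and -not $done) { $out.Add("$Name = $Value"); $done = $true }
            $inSection = ($Matches[1] -eq $Section)
            if ($inSection) { $sectionSeen = $true }
        } elseif ($inSection -and -not $done -and $line -match $pattern) {
            $line = "$Name = $Value"; $done = $true   # existing entry: rewrite in place
        }
        $out.Add($line)
    }
    if (-not $done) {
        if (-not $sectionSeen) { $out.Add("[$Section]") }   # section absent: create it at the end
        $out.Add("$Name = $Value")
    }
    $out.ToArray()
}

$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$lines = Get-Content $cfg
$lines = Set-SecPolValue -Lines $lines -Section 'System Access'    -Name 'MaximumPasswordAge'       -Value '60'
$lines = Set-SecPolValue -Lines $lines -Section 'Privilege Rights' -Name 'SeMachineAccountPrivilege' -Value '*S-1-5-32-544'
# secedit expects a Unicode (UTF-16) template, so write it back with that encoding
$lines | Out-File -FilePath $cfg -Encoding Unicode
secedit /configure /db "$env:windir\security\local.sdb" /cfg $cfg /areas SECURITYPOLICY | Out-Null
Remove-Item -Path $cfg -Force
```

Check the result with a fresh secedit /export rather than trusting the script's own output, since secedit silently skips lines it cannot parse.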

Answers

  • So I thought I'd update everyone (in case anyone has this issue) after some additional googling - I stumbled across this Gem:

    https://www.powershellgallery.com/packages/PolicyFileEditor/2.0.2

    which allows you to manipulate the Local GPO and have it set the desired attributes.

    • Marked as answer by abcgjb Tuesday, February 14, 2017 1:10 AM
    Tuesday, February 14, 2017 1:10 AM
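An added example (not from the thread or the module's own documentation) of using the PolicyFileEditor module linked above against the local machine GPO. It assumes the module is installed, an elevated prompt, and that the registry key and value shown are the Administrative Template entries behind the domain-profile "protect all network connections" firewall setting; verify the path in gpedit on your build before relying on it. This route covers registry-backed (registry.pol) settings only, which is the scope the module states for itself.

```powershell
Import-Module PolicyFileEditor

# local machine GPO registry.pol (user settings live under ...\GroupPolicy\User\registry.pol)
$machinePol = Join-Path $env:windir 'System32\GroupPolicy\Machine\registry.pol'
# assumed key/value for the domain-profile firewall policy; check it in gpedit first
$fwKey = 'Software\Policies\Microsoft\WindowsFirewall\DomainProfile'

# read before writing: no entry returned means the setting is Not Configured
$before = Get-PolicyFileEntry -Path $machinePol -Key $fwKey -ValueName 'EnableFirewall'
'Before: ' + $(if ($before) { $before.Data } else { 'Not Configured' })

# write the policy entry; the module also bumps the version in gpt.ini so the client re-reads it
Set-PolicyFileEntry -Path $machinePol -Key $fwKey -ValueName 'EnableFirewall' -Data 1 -Type DWord

# apply the local GPO and confirm the value reached the live policy hive
gpupdate /target:computer /force | Out-Null
Get-ItemProperty -Path "HKLM:\$fwKey" -Name 'EnableFirewall' | Select-Object -ExpandProperty EnableFirewall
```

Because the entry now lives in registry.pol, a later gpupdate /force re-applies it instead of wiping it, which is the behaviour the original question was chasing.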

All replies

  • You would do better asking your question in the Windows Security forum since it is about security setting/ SECEDIT and not about scripting.


    \_(ツ)_/

    Monday, February 13, 2017 4:20 AM
  • Hi JRV,

    It's partially about Secedit - but the primary focus is the ability to change local GPOs from Powershell - which IMO is a Scripting issue.

    I will put a copy of the Q though in the Security area in case they have greater insight.

    Thanks

    Monday, February 13, 2017 8:07 PM
  • There is no way to change these settings outside of Local Policy or SECEDIT or Group Policy.  There is no local Group Policy.  There is only Local Security Policy.


    \_(ツ)_/

    Monday, February 13, 2017 8:19 PM
  • It is not what you asked for.  It is not part of PowerShell.  It is an extension module which uses SECEDIT under the covers.

    Note that Wyatt clearly states "Commands and DSC resource for modifying Administrative Templates settings in local GPO registry.pol files."

    POL files cannot change the entries you specified.

    Good luck using it.


    \_(ツ)_/



    • Edited by jrv Tuesday, February 14, 2017 2:25 AM
    Tuesday, February 14, 2017 2:23 AM