Changing Local Group Policy and Local Security Policy via PowerShell

  • Question

  • I am attempting to automate an installation process which currently requires manually modifying the Local Group Policy and the Local Security Policy as follows:

    1. Local Group Policy - Administration Templates-->System-->User Profiles-->Do not forcefully unload the user registry at user logoff
    2. Local Security Policy - Local Policy --> User Rights Assignment --> Log on as a service --> Add 1 or more Windows account users to the service

    I have read about using the Group Policy Snap-Ins for PowerShell to do this, but it seems that these only affect the domain group policy and not Local Group Policy.  I have also not yet found any way to accomplish this for Local Security Policy.

    Any method by which I can accomplish this using PowerShell (including modifying the Registry) would be greatly appreciated.

    I am using PowerShell v. 4.0 on Windows Server 2008 R2/Windows Server 2012/Windows Server 2012 R2.

    Please advise.

    Wednesday, October 28, 2015 3:17 PM

Answers

  • You can set the profile setting here:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "DisableForceUnload"=dword:00000001

    Use a REG file or use Set-ItemProperty


    \_(ツ)_/


    • Edited by jrvModerator Wednesday, October 28, 2015 4:18 PM
    • Marked as answer by vs2015junkie Wednesday, October 28, 2015 9:52 PM
    Wednesday, October 28, 2015 4:18 PM
    Moderator
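The accepted answer gives the registry location but not a script. The following is an added PowerShell example (not from the original thread) that sets that value with Set-ItemProperty in an idempotent way, records the previous state, and restores it after the install step, which is the pattern the reply further down suggests. The installation step itself is a placeholder. Note that gpedit.msc reads its display state from the local registry.pol file rather than from the live registry, so the editor will still show the setting as "Not configured" even though the policy value is in effect.

```powershell
# Added example (not from the thread): set "Do not forcefully unload the user
# registry at user logoff" by writing the policy value directly, keeping the
# previous state so it can be restored when the install step is finished.
# Run from an elevated PowerShell session.
$ErrorActionPreference = 'Stop'
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$name = 'DisableForceUnload'

function Get-DisableForceUnload {
    # Returns $null when the value is absent (policy "Not configured").
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item) { [int]$item.$name } else { $null }
}

function Set-DisableForceUnload([int]$Value) {
    # Policies\Microsoft\Windows\System does not exist on a fresh machine; create it first.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # -Type DWord matches the "dword:00000001" form in the .reg snippet above.
    Set-ItemProperty -Path $key -Name $name -Value $Value -Type DWord
}

$previous = Get-DisableForceUnload
Set-DisableForceUnload 1
if ((Get-DisableForceUnload) -ne 1) { throw "Failed to set $key\$name" }

try {
    # Placeholder for the installation step that needs the profile hive to stay loaded.
    Write-Verbose 'Installation step goes here (assumed placeholder).'
}
finally {
    # Restore the prior state: remove the value if the policy was not configured before,
    # otherwise put the old DWORD back.
    if ($null -eq $previous) {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    }
    else {
        Set-DisableForceUnload $previous
    }
}
```

The value takes effect for subsequent logoffs without a gpupdate, because the profile service reads the Policies key directly. If the machine is domain-joined and a GPO configures the same setting, the next policy refresh will rewrite it, as the moderator notes below.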

All replies

  • Domain policy will always override local policy.

There is no way to alter the local policy via cmdlets.  The security is locked in so it cannot be changed except by the installer and the Group Policy engine.

    There are ways to use SECEDIT to update security but GP will likely overwrite it.


    \_(ツ)_/

    Wednesday, October 28, 2015 4:14 PM
    Moderator
You would probably be better off finding the corresponding registry keys for those policy settings and using PowerShell to modify those before continuing on with the operation, then changing the value back.

    That's probably really your only option. 


    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"

    Wednesday, October 28, 2015 6:14 PM
Security policy settings are not in the registry.  They are kept in a special store that is normally inaccessible.  Only the LSASS has access to this policy store.  MS supplies SECEDIT and the Local GP and Local Security Policy editors for adjusting this.  Currently there is no other tool that can change those settings.

    SECEDIT can be run at a command prompt with a custom sec file to modify the settings.  As I noted before, GP will likely overwrite any changes made to local security policy.

    If you do use a policy then it should be granted to a group and not to individual users.

    Some utilities will allow an admin to be added to the service setting, but they have to be designed for it.

    One way is to add a user/group as a service account.  The service manager will automatically add the user to the "run as service" settings.  The drawback is this cannot be scripted.

    SC CREATE /?

    This utility can add an account to a service and set the registry but it will ask for verification.  I am not sure if it is a popup or just a 'Y' at the prompt.


    \_(ツ)_/

    Wednesday, October 28, 2015 6:37 PM
    Moderator
You're right, I totally forgot.  They're stored in that .POL file and then written to the registry, if I remember correctly, yes?


    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"

    Wednesday, October 28, 2015 7:22 PM
  • No.  Security settings are not in POL files.  They are in a special hive location that is locked and can only be accessed by starting the system in maintenance mode and altering the registry's internal security.

    There is no published API for doing this that I have been able to find.


    \_(ツ)_/

    Wednesday, October 28, 2015 7:42 PM
    Moderator
  • I was able to set the registry setting, but it does not seem to update the value in the Group Policy snap-in.

    Are there any other options to force the value to also update in the Local Group Policy snap-in (gpedit.msc)?

    Wednesday, October 28, 2015 9:58 PM
  • I found this article which describes how to alter the Local Security Policy settings: http://samirvaidya.blogspot.com/2015/10/granting-log-on-as-service.html
    Wednesday, October 28, 2015 10:03 PM
  • I was able to set the registry setting, but it does not seem to update the value in the Group Policy snap-in.

    Are there any other options to force the value to also update in the Local Group Policy snap-in (gpedit.msc)?

    Nope.


    \_(ツ)_/

    Wednesday, October 28, 2015 11:09 PM
    Moderator
  • I found this article which describes how to alter the Local Security Policy settings: http://samirvaidya.blogspot.com/2015/10/granting-log-on-as-service.html

    As I posted above.  SECEDIT is one of the ways to do this.

    You don't need PowerShell.  Just create an "inf" file and run it at the command line.  The script just creates that file for you.

    Be careful as SECEDIT can trash the whole system in a flash.  Be sure you understand what it is doing.


    \_(ツ)_/

    Wednesday, October 28, 2015 11:13 PM
    Moderator
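The two SECEDIT replies above (the one that describes running it with a custom file and the one that describes generating an "inf" file) describe the procedure but show no file contents. The following is an added PowerShell example, not from the thread or from the linked blog, that grants or revokes "Log on as a service" (the SeServiceLogonRight privilege) for one account. It exports the current user-rights area with `secedit /export`, edits only the SeServiceLogonRight line, and re-imports that area with `secedit /configure`. The `$Account` parameter is an assumption; pass the real service account. The export step matters because `/configure` with a `[Privilege Rights]` section replaces the whole assignment list for that right, so writing a one-line inf by hand would silently strip NT SERVICE\ALL SERVICES and any other holders, which is the kind of self-inflicted damage the warning above is about.

```powershell
# Added example (not from the thread): grant or revoke SeServiceLogonRight for one
# account via SECEDIT, preserving every other holder of the right. Run elevated.
param(
    [Parameter(Mandatory = $true)]
    [string]$Account,      # assumed input, e.g. 'CONTOSO\svc-app' or '.\svc-app'
    [switch]$Remove        # revoke instead of grant
)

$ErrorActionPreference = 'Stop'
$privilege = 'SeServiceLogonRight'

# Resolve to a SID: the inf format uses *SID entries, which survive account renames.
$sid   = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
             [System.Security.Principal.SecurityIdentifier]).Value
$entry = "*$sid"

$work = Join-Path $env:TEMP ('secpol-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work | Out-Null
$inf = Join-Path $work 'user-rights.inf'
$db  = Join-Path $work 'user-rights.sdb'

function Get-PrivilegeLine {
    # Re-export and return the current SeServiceLogonRight line (or $null).
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed (exit $LASTEXITCODE)" }
    Get-Content -Path $inf -Encoding Unicode | Where-Object { $_ -match "^\s*$privilege\s*=" }
}

try {
    # 1. Export only the user-rights area; the file is UTF-16 ([Unicode] Unicode=yes).
    $null  = Get-PrivilegeLine
    $lines = Get-Content -Path $inf -Encoding Unicode
    $found = $false

    # 2. Rewrite the one line we care about; leave every other line untouched.
    $out = foreach ($line in $lines) {
        if ($line -match "^\s*$privilege\s*=\s*(.*)$") {
            $found   = $true
            $members = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($Remove) {
                $members = @($members | Where-Object { $_ -ne $entry })
            }
            elseif ($members -notcontains $entry) {
                $members += $entry
            }
            "$privilege = " + ($members -join ',')
        }
        else {
            $line
        }
    }

    if (-not $found -and -not $Remove) {
        # No assignment line at all: add one directly under the [Privilege Rights] header.
        $out = $out | ForEach-Object {
            $_
            if ($_ -match '^\[Privilege Rights\]') { "$privilege = $entry" }
        }
    }

    $out | Out-File -FilePath $inf -Encoding Unicode

    # 3. Apply only the USER_RIGHTS area. /db is mandatory; a fresh file is fine.
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "secedit /configure failed (exit $LASTEXITCODE); see $env:windir\security\logs\scesrv.log"
    }

    # 4. Verify by reading the policy back rather than trusting the exit code.
    $after   = Get-PrivilegeLine
    $granted = ($null -ne $after) -and ($after -like "*$entry*")
    if ($granted -eq [bool]$Remove) {
        throw "Verification failed: $privilege line is now '$after'"
    }
    Write-Output ("{0} {1} for {2} ({3})" -f
        $(if ($Remove) { 'Revoked' } else { 'Granted' }), $privilege, $Account, $sid)
}
finally {
    Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
}
```

Usage: `.\Grant-ServiceLogon.ps1 -Account 'CONTOSO\svc-app'`, or add `-Remove` to undo it. The change is effective for new service logons immediately, no reboot needed, but on a domain member a GPO that configures User Rights Assignment will replace the local list at the next refresh, so in that case the account (preferably a group, as suggested above) has to be added to the GPO instead.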