Add Local Group User policies with powershell - windows

I have a rather simple task. Is there any way to add a Group Policy under User-Configuration (particularly logon / logoff PowerShell scripts) ? I have seen tons of guides Like this one, but they are making it via GUI. I'd like to run a script, so all files are mapped from Network Fileshares.
I need an automation to configure master-image for citrix environment. (Maybe this can be achieved with BIS-F? or is there some sort of registry key? )
Thank you in Advance!
Here's a screenshot of this Policy (i can't make my own, because it's in German)

The New-GPO cmdlet creates a GPO with a specified name. By default, the newly created GPO is not linked to a site, domain, or organizational unit (OU).
See more: https://learn.microsoft.com/en-us/powershell/module/grouppolicy/new-gpo?view=win10-ps

Related

How to Edit Local Group Policy using PowerShell

In Local Group Policy Editor (GUI) there is a setting called Do not allow window animations located in Computer Configuration->Administrative Templates->Windows Components->Desktop Window Manager that I would like to set as Enabled using the powershell, Since my windows version is professional I can added the RSAT GroupPolicy capability to my machine which I did and now I can use the Group Policy Cmdlets in Windows PowerShell
but I am clue less on how to Enable that feature using the commands
I tired to use
Get-GPO -Name "Do not allow window animations"
but this returns
Get-GPO : Current security context is not associated with an Active Directory domain or forest.
the grouppolicy module is wokring fine but I can't figure out how to query or change the value of any settings in the GPO
If you want cmdlets in order to change values you can use the PolicyFileEditor module from the gallery
https://www.powershellgallery.com/packages/PolicyFileEditor/3.0.1
The Get-GPO function is meant exclusively for Domain Group Policies, and not Local Policies, which it seems you are referencing. The description for the module also mentions this:
Gets one GPO or all the GPOs in a domain.
In order to modify local policies, you need to make a change to the respective setting in the registry
For example to disable the Shutdown button, you would need to modify:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown
Value = 1

How to get EVERY user token on a PC for SHGetKnownFolderPath?

I'm working on a System Service project with SYSTEM privilege (cleaning utility)... It does not interactive with any user interface.
My goal is to check files in "Desktop" and "AppData" folders for any user that exists on the PC.
I'm using NetUserEnum() to get the user list on the PC. Then I want to get the path of each user's Desktop and AppData with SHGetKnownFolderPath(), but I can't find a way to get each user's access token for SHGetKnownFolderPath(). Without a token defined in SHGetKnownFolderPath(), it returns the path for SYSTEM and not specific users.
Q1. How can I get the token of each user for SHGetKnownFolderPath()?
Q2. If no answer for Q1, is there any documented way to get the desktop & appdata path of each user in the PC?
I understand this can be achieved with dirty way ---> Registry key with some string replacement. However, the Registry key method is undocumented, which may easily break in future updates to Windows.
Edit Update:
#RaymondChen Thanks for pointing out that some user profiles may not exist. Also,
About Q1 : #Remy Lebeau provides a solution with LogonUser/Ex(),login to each user with their credentials,might be the only answer that fits the need of Q1.
About Q2 : There might have no documented way to achieve this. The only method might have to stick with Windows Registry (Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders) , as #Remy Lebeau and #Olaf Hess said. I tried to dig more information on Microsoft Community Forum and I got Microsoft would never allow access other users' profile with their native API for security reason. They do not provide APIs that can possibly violate the security rules. Each user profile can only access by its credentials.
btw, I totally understand that "Cleaning utility" aka "Windows-breaking tool", especially when the tool is not being well codded(ex. compatibility problem). For the sake of avoiding to make it become a totally Windows-Destroyer, I tried to use more documented API as possible.
For Windows Vista with SP1 / Server 2008 and better you can query the existing user profiles using the WMI class Win32_UserProfile. This allows you to retrieve the profile path and check whether it is a local or roaming profile and to get status information. The rest (retrieving the paths to APPDATA, DESKTOP, etc.) is likely going to involve reading values straight from the registry (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders).

How to add user into COM permission list in windows server 2012 using PowerShell?

How can i add user into permission list using Windows PowerShell command
Information about dcom permission could be accessed via winregistry, HKLM\Software\Microsoft\Ole, DefaultAccessPermission / DefaultLaunchPermission, or via wmi.
Either way you need to get sid of your user, create object in SDDL format, and put it to registry. There is already few examples of powershell implementation on internet, for example this one.
But for real life I can suggest to do it not from powershell, but from GPO (Computer configuration - windows settings - security settings - local policies - security options - DCOM: Machine Launch/Access Restrictions in Security Descriptor Definition Language (SDDL) syntax ). Its easy, GUI-provided, could be used in SCCM compliance checks, etc etc.

Powershell script on remote computer not running as a scheduled task

I have a script on my domain stored on the Active Directory server. every machine on the domain has a task that when fired, calls this script to run.
Running the task from the AD server works. Running the task from another machine doesn't work. However, running the command that is triggered from cmd manually on the remote computer works?
Could anyone shine some light on this. Basically I call it like this so that the trigger is set up like...
Action: PowerShell.exe
Arguments: -noprofile –ExecutionPolicy Bypass -File "\\<>NameOfADServer<>\C$\Tasks\script.ps1" "Argument 1" "Argument 2"
Running as SYSTEM is probably your issue - it wont have any access outside of the PC its running on.
When you run it manually youll have the access.
There's several problems here.
You're running the task as the local SYSTEM accounts. SYSTEM generally does not have access to any network resources.
You're using the administrative share (\\<servername>\C$) to share the script. Only users that have Administrator access to the server can access the administrative shares. Administrative shares are heavily restricted by design and you cannot modify the access on them.
My guess is that the script works when you run it manually is because it's using the current user's credentials for network access when you do that, but don't quote me on that.
The simplest solution with the least amount of change is to do this:
Create a group in Active Directory. Add the Computer accounts, or, preferably, groups with Computer accounts which you want to be able to run the script to this new group. If you really want any SYSTEM account on any computer in the domain to be able to run the script, you can add the "Domain Computers" group to the group.
Create a folder on the server. Put the script in the folder. Don't put anything in this folder you don't want your users to read. Assign the "Read" NTFS permission to the group created above to the folder.
Share the folder out. Grant the group you just created the "Full Control" share access. If you want, you can make it a hidden share by adding a dollar sign to the end of the name.
Update your scheduled tasks to use \\<servername>\<sharename>\script.ps1.
This is almost certainly not the best method to accomplish what you're actually trying to do, but this is probably the best way to use scheduled tasks running scripts on a network share with the SYSTEM account.

script for Local Security Policy

I'm looking for some guidance on how to automat applying a set of permissions withn the local security policy to a multiple users on multiple servers.
For example, via a script, I want to apply "act as part of the operating system" and "adjust memoroy quotas for a process" to user TEST1 and TEST2.
Any feedback on how to get started would be appreciated. thanks!
From a command line, the Microsoft-provided solution is secedit. AppDeploy is a great resource for packaging in general, and they have a good page on secedit here: http://www.osdeploy.com/tips/detail.asp?id=23
In short, change your policies using the Local Security Settings MMC snap-in, then export with secedit as in this page (http://www.webservertalk.com/message534715.html -- also assuming this computer isn't a member of a domain), then import as usual.
Is this machine domain joined? If so, you'll need to make sure no domain policies are applied. Otherwise the domain policies will be exported along with the local ones.
Simpler answer here:
Scripting Local Security Policy
Use ntrights.exe from the Windows 2003 Resource Kit.
However, this doesn't seem to help with the "adjust memory quotas for a process" right.

Resources