Windows Advanced audit settings for ALL powershell terminals - powershell

In PowerShell I can view the advanced audit settings of a registry key only when running as administrator, by running
(get-acl hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -audit).GetAuditRules($true,$true,[System.Security.Principal.NTAccount])
I was wondering if there's an alternative way of doing this in a regular PowerShell terminal, as when I try the command above I get this output: get-acl : Attempted to perform an unauthorized operation.

I think you need to give yourself the 'Manage auditing and security log' (SeSecurityPrivilege) user privilege to do that.
Open the Group Policy editor (Windows + R and type gpedit.msc for the local machine).
Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.
Double-click the 'Manage auditing and security log' entry and add yourself to the users having that privilege.
You'll probably have to log off and back on before the new setting becomes active.
It can also be done using PowerShell. I found a module cSecurityOptions, and Carbon also has a function called Grant-Privilege. I haven't tried them, though.
Hope this helps.

Related

how can i edit something in gpedit.msc with cmd/batchscript

My main problem is I am facing a problem when I am trying to execute my exe file (which I wrote and compiled in C using GCC). I have found the solution, and the solution is to change some of the settings under gpedit.msc:
run -> gpedit.msc -> computer configuration -> windows settings -> security settings -> local policies -> security options
There are multiple files. I just want to edit the files whose name starts with "User Account Control: ".
Either I want to enable or disable them. How can I do that programmatically using cmd/batch script?
Till now I have found secedit but that does not edit the values. Link -> scroll down a little bit and you will find secedit. I also used Resource Monitor to observe registry changes when I disable something, according to this link -> Use Process Monitor to Find Registry Changes. But nothing shows up. Somewhere on the internet I also found that security policies are not always associated with registry values. But I forgot to save the link. I also found this Stack Overflow article Modify Local Security Policy using Powershell. But I can't understand anything as I know nothing about PowerShell programming and secedit or "how to edit database". Please provide some juicy resources to learn about editing security policies.
For your information, I am building my program.exe on my local computer (house PC) and transferring the generated exe to an "Amazon EC2 instance". If you say compile the program in "Amazon EC2" RDP, I will say that I don't need to do that because my program.exe is running fine in "Amazon EC2" if I disable or enable some of the "User Account Control: " settings.
Here is everything I wanted to know -> Registrykey Values Associated with local policies and thanks to -> Grzegorz Ochlik.

How to use Powershell method or any other batch method to modify a LOCAL group policy?

SCCM is the method we use to deploy Windows updates to clients. We have a portion of computers that have a local group policy setting under:
Local Computer Policy > Administrative Templates > Windows Components > Windows Update
The setting is called "Specify intranet Microsoft update service location".
Basically the wuahandler.log is complaining of:
Enabling WUA Managed server policy to use server: http://servername.domain.local:8530
Group policy settings were overwritten by a higher authority (Domain Controller) to: Server https://servername.domain.local:8531 and Policy ENABLED
Failed to Add Update Source for WUAgent of type (2) and id ({C2F93D44-EAB3-4D5E-9330-7806157D92AD}). Error = 0x87d00692.
I can see that for whatever reason SCCM is not modifying the local group policy and it's causing a conflict.
The PCs that have no issue have both the local group policy and the policies under hklm > policies > windows update with the correct name (with port 8531).
I am basically asking how I can change the "Specify intranet Microsoft update service location" setting using PowerShell or an automated method to remediate the 300 PCs that have a mismatched port number. Modifying the HKLM keys under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate I've already taken care of, but this is not doing anything to resolve my issue.
Any help would be appreciated.
There are many articles all over the web on using PowerShell and local policy management. Just search for them. Using a string like 'PowerShell manage local policy' and you will get a long list to consume.
There is even a module on the MS PowerShellGallery.com for Local Policy Management.
Find-Module -Name 'PolicyFileEditor' |
Save-Module -Path "$env:USERPROFILE\Documents\WindowsPowerShell\Modules" -Force
Install-Module -Name 'PolicyFileEditor'
And its use is blogged about here:
How to manage Local Group Policy with Powershell
You can even just use secedit.
Take a look at this Q&A.
So, sure, you can mess with Local Policy, but if your SCCM settings are getting overridden by a higher authority, then any setting you'd make with PowerShell would be as well.
Please make sure that in the case of SCCM/MECM or installations running as the system user (NT-Authority\System) you do not use -Scope CurrentUser; otherwise you will have the same problem as described here: https://github.com/PowerShell/PowerShellGetv2/issues/651
In a system context, Install-Module does not create a Documents folder in the system profile if -Scope CurrentUser is used.
If you want to use -Scope CurrentUser anyway, you have to create the folder "C:\Windows\system32\config\systemprofile\Documents\PowerShell\Modules", or at least "C:\Windows\system32\config\systemprofile\Documents", first, so that the module is installed for the system user.
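An added example, not code from either answer, of the remediation path the first answer points at: compare the WSUS source written in the local registry.pol against the live registry value and rewrite the local-policy entry with the PolicyFileEditor module. The host name and ports are the ones quoted in the wuahandler.log excerpt; the desired URL and the file location are assumptions, and a domain GPO that sets the same value will still win after gpupdate.

```powershell
# Added example (not from the answers above): detect and fix a WSUS source
# mismatch in the local GPO using PolicyFileEditor. Assumed desired value:
# the https/8531 URL quoted from wuahandler.log in the question.
#Requires -Modules PolicyFileEditor
$PolFile  = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\registry.pol'
$PolKey   = 'Software\Policies\Microsoft\Windows\WindowsUpdate'
$RegKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$Expected = 'https://servername.domain.local:8531'

function Get-WsusSourceState {
    # The .pol file is what the local GPO engine applies; the registry is the result
    $pol = Get-PolicyFileEntry -Path $PolFile -Key $PolKey -ValueName 'WUServer' -ErrorAction SilentlyContinue
    $reg = (Get-ItemProperty -Path $RegKey -Name 'WUServer' -ErrorAction SilentlyContinue).WUServer
    [pscustomobject]@{
        LocalPolicy = $pol.Data
        Registry    = $reg
        Mismatch    = ($pol.Data -ne $Expected) -or ($reg -ne $Expected)
    }
}

function Repair-WsusSource {
    param([switch]$WhatIf)
    $state = Get-WsusSourceState
    if (-not $state.Mismatch) { return "Already set to $Expected" }
    if ($WhatIf) { return "Would change local policy '$($state.LocalPolicy)' -> '$Expected'" }
    # WUServer and WUStatusServer are the two string values behind
    # "Specify intranet Microsoft update service location"
    foreach ($name in 'WUServer', 'WUStatusServer') {
        Set-PolicyFileEntry -Path $PolFile -Key $PolKey -ValueName $name -Data $Expected -Type String
    }
    # Refresh so the registry reflects the edited .pol; a domain GPO setting the
    # same value still overrides this, as the answer above notes
    & gpupdate.exe /target:computer /force | Out-Null
    Get-WsusSourceState
}

Repair-WsusSource -WhatIf   # dry run first; drop -WhatIf to remediate
```

Run it under an account that can write to the GroupPolicy folder (SYSTEM via SCCM is fine, but see the note above about -Scope CurrentUser when installing the module in that context).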

Windows Server 2012 local policy settings through PowerShell

I am working on automating group policy settings using PowerShell in Windows Server 2012 R2.
I have a lot of local group policy settings to achieve through PowerShell.
As an example I am showing this:
Press Windows key > type Run and type gpedit.msc. Expand Computer Configuration > Windows Settings > Security Settings > Account Policy > Password Policy or Account Lockout Policy container.
In this I need to enable the setting called "Passwords Must Meet Complexity Requirements" using PowerShell.
I achieved automating services' start-up type using the cmdlets.
As an example:
Set-Service -name vds -StartupType disabled
But I am struggling to start with local group policy settings.
I have also attached a screenshot regarding this.
If anyone has any idea on this, please help me.
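An added example, not from any of the posts above, that uses secedit.exe (named in the answers) to read and change local security policy without the GUI. It serves two of the questions on this page: the 'Manage auditing and security log' right (SeSecurityPrivilege) that Get-Acl -Audit needs in the first thread, and 'Passwords must meet complexity requirements' in this one. Run it from an elevated PowerShell; the file names under $env:TEMP are assumptions.

```powershell
# Added example: read and set local security policy via secedit.exe.
# Export gives a Unicode INF with [System Access] and [Privilege Rights] sections;
# a minimal INF fed back to /configure changes just one setting.

function Export-LocalSecurityPolicy {
    param([string]$Path = (Join-Path $env:TEMP 'secpol-export.inf'))
    & secedit.exe /export /cfg $Path /areas SECURITYPOLICY USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed ($LASTEXITCODE)" }
    Get-Content -Path $Path
}

function Get-PolicyLineValue {
    param([string[]]$Policy, [string]$Name)
    # Lines look like 'SeSecurityPrivilege = *S-1-5-32-544' or 'PasswordComplexity = 0'
    $line = $Policy | Where-Object { $_ -match "^\s*$([regex]::Escape($Name))\s*=" } | Select-Object -First 1
    if ($line) { ($line -split '=', 2)[1].Trim() }
}

function Set-LocalSecuritySetting {
    param(
        [Parameter(Mandatory)][ValidateSet('System Access', 'Privilege Rights')][string]$Section,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value
    )
    $inf = Join-Path $env:TEMP 'secpol-apply.inf'
    $db  = Join-Path $env:TEMP 'secpol-apply.sdb'   # secedit creates this if missing
    @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
      "[$Section]", "$Name = $Value") | Set-Content -Path $inf -Encoding Unicode
    $area = if ($Section -eq 'Privilege Rights') { 'USER_RIGHTS' } else { 'SECURITYPOLICY' }
    & secedit.exe /configure /db $db /cfg $inf /areas $area /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed ($LASTEXITCODE)" }
}

$policy  = Export-LocalSecurityPolicy
$holders = Get-PolicyLineValue -Policy $policy -Name 'SeSecurityPrivilege'   # e.g. *S-1-5-32-544
$mySid   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
# A user right in the INF replaces the whole list, so keep the existing holders.
# SeSecurityPrivilege also allows clearing the Security log, so grant it sparingly;
# it takes effect at the next logon, as the first answer says.
if ($holders -notmatch [regex]::Escape("*$mySid")) {
    $newList = if ($holders) { "$holders,*$mySid" } else { "*$mySid" }
    Set-LocalSecuritySetting -Section 'Privilege Rights' -Name 'SeSecurityPrivilege' -Value $newList
}
# 'Passwords must meet complexity requirements' is PasswordComplexity under [System Access]
if ((Get-PolicyLineValue -Policy $policy -Name 'PasswordComplexity') -ne '1') {
    Set-LocalSecuritySetting -Section 'System Access' -Name 'PasswordComplexity' -Value '1'
}
```

Re-run Export-LocalSecurityPolicy afterwards to confirm both lines changed; the same pattern covers any other setting that appears in the exported INF.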

How to set Group Policy "Turn Off Automatic Root Certificates Update" via Registry/Powershell?

I need to disable the following group policy in Windows 7 programmatically, for example by modifying a registry key using PowerShell:
"Turn Off Automatic Root Certificates Update"
Does anybody know which registry key needs to be set or unset in order to make this work?
I had a similar issue when I was creating an application that communicated with a server over HTTPS using two-way SSL.
This was causing a delay of a full minute when the initial request was made.
It ran in WinPE, where hand-clicking through the local group policy editor was not an option.
There is also no way I am aware of to register a root authority in this environment, and it is running in an incredibly restricted environment so it cannot access Windows Update (not that it would find our corporate CA there anyway).
The registry value you are looking for is
HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot
DWORD DisableRootAutoUpdate = 1
Source: http://www.group-policy.com/ref/policy/452/Turn_off_Automatic_Root_Certificates_Update
To turn off Automatic Root Certificates Update via Local Group Policy Editor:
Click Start, and then click Run.
Type gpedit.msc, and then click OK.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
Under Computer Configuration, double-click Administrative Templates, double-click System, double-click Internet Communication Management, and then click Internet Communication settings.
Double-click Turn off Automatic Root Certificates Update, click Enabled, and then click OK.
Close the Local Group Policy Editor.
Domain policies override local settings. That's how they're supposed to work (they'd be rather useless otherwise). If you want the policy disabled, disable or remove the policy in Group Policy Management or remove the computer from the domain.

Set Event Log settings via GPO

How would I set the "overwrite as needed" setting on Event logs other than Application/Security/System? Specifically I'd like to apply this to the Powershell and Windows Powershell Logs, in addition to any other future logs that may be added. This needs to be applied to both server 2003 & 2008.
Wow. I looked around on this and can't find any references to set GPO settings for event logs other than for System, Application, Security. That just seems wrong. You will have to script it for your domain or workgroup or workstation with wevtutil.exe (cmd) or limit-eventlog (powershell). Both utilities have remote connection built in.
wevtutil sl <Log Name> /rt:false
Limit-EventLog -LogName <Log Name> -OverflowAction OverwriteAsNeeded
I don't believe there is a GPO for this. But most group policies simply modify the registry.
You could create an adm template that modified the settings, or you could simply write a script to adjust the settings.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\PowerShell
If you are not sure how to manually configure the settings, simply adjust the settings in the event log GUI, and set all your other systems to be the same. You may need to restart the system for the changes to go into effect.
Right now you'd need to use SDM Software's GPO cmdlets. That's the only way from within PowerShell to modify the settings within a GPO. But there's no way that I know of to make a change to "any logs which might be added" - I don't think you can modify the system defaults (although I could be wrong - it's not something I've done much).
Computer Configuration-->Windows Settings-->Security Settings-->Event Log
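An added example, not from the answers above, that scripts the wevtutil route the first answer recommends: set "overwrite as needed" plus a size cap on both PowerShell logs (the classic "Windows PowerShell" log and the newer Operational channel, which Limit-EventLog cannot manage) and read the setting back to verify. The log names are the standard ones; the 64 MB cap and the optional remote host are assumptions.

```powershell
# Added example: enforce retention settings on event logs with wevtutil.exe.
# wevtutil gl prints 'key: value' lines; we read 'retention' and 'maxSize'.
$Logs     = @('Windows PowerShell', 'Microsoft-Windows-PowerShell/Operational')
$MaxBytes = 64MB   # assumed cap

function Get-LogRetention {
    param([string]$LogName, [string]$Computer)
    $argList = @('gl', $LogName)
    if ($Computer) { $argList += "/r:$Computer" }   # remote query, as the answer notes
    $text = & wevtutil.exe @argList 2>&1
    if ($LASTEXITCODE -ne 0) { return $null }       # log not present or not reachable
    $props = @{}
    foreach ($line in $text) {
        if ($line -match '^\s*(retention|maxSize):\s*(\S+)') { $props[$matches[1]] = $matches[2] }
    }
    [pscustomobject]@{ Log = $LogName; Retention = $props['retention']; MaxSize = [int64]$props['maxSize'] }
}

function Set-OverwriteAsNeeded {
    param([string]$LogName, [int64]$Size, [string]$Computer)
    # /rt:false = do not retain (overwrite as needed); /ms = maximum size in bytes
    $argList = @('sl', $LogName, '/rt:false', "/ms:$Size")
    if ($Computer) { $argList += "/r:$Computer" }
    & wevtutil.exe @argList
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed for '$LogName'" }
}

foreach ($log in $Logs) {
    $before = Get-LogRetention -LogName $log
    if (-not $before) { Write-Warning "Log '$log' not present on this host"; continue }
    # Only touch logs that are not already overwrite-as-needed at the wanted size
    if ($before.Retention -ne 'false' -or $before.MaxSize -lt $MaxBytes) {
        Set-OverwriteAsNeeded -LogName $log -Size $MaxBytes
    }
    Get-LogRetention -LogName $log   # shows retention: false and the new maxSize
}
```

Add more channel names to $Logs as new logs appear; wevtutil sl needs administrative rights on the target host.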