I am working on automating group policy settings using PowerShell in Windows Server 2012 R2.
I have a lot of local group policy settings to achieve through PowerShell.
As an example I am showing this
Press Windows key > type Run and type gpedit.msc. Expand Computer Configuration > Windows Settings > Security Settings > Account Policy > Password Policy or Account Lockout Policy container
In this I need to enable the setting called Passwords Must Meet Complexity Requirements using PowerShell.
I achieved automating services start-up type using the cmdlets.
As an example
Set-Service -name vds -StartupType disabled
But I am struggling to start with local group policy settings.
I have also attached a screenshot regarding this.
If anyone has any idea on this, please help me.
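One way to set the Passwords Must Meet Complexity Requirements entry from the question above is to round-trip the local security policy through secedit. This is an added example, not code from the original post; it assumes an elevated session, and the working folder under $env:TEMP is a hypothetical name.

```powershell
#Requires -RunAsAdministrator
# Added example: enable password complexity in the local security policy.
# Working folder and file names below are hypothetical.
$work = Join-Path $env:TEMP 'secpol-complexity'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$cfg = Join-Path $work 'secpol.inf'
$db  = Join-Path $work 'secpol.sdb'

# 1. Export the current account/security policy as an INF template.
secedit.exe /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

# 2. Flip the PasswordComplexity entry in [System Access] to 1 (enabled).
$lines = Get-Content -Path $cfg
if (-not ($lines -match '^\s*PasswordComplexity\s*=')) {
    throw 'PasswordComplexity entry not found in the exported template'
}
$lines -replace '^\s*PasswordComplexity\s*=.*$', 'PasswordComplexity = 1' |
    Set-Content -Path $cfg -Encoding Unicode   # secedit expects a Unicode INF

# 3. Apply only the security policy area from the edited template.
secedit.exe /configure /db $db /cfg $cfg /areas SECURITYPOLICY | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit configure failed (exit code $LASTEXITCODE)" }

# 4. Re-export and report what the machine now holds, then clean up.
secedit.exe /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$state = (Get-Content -Path $cfg | Select-String '^\s*PasswordComplexity\s*=').Line
Write-Output "Effective setting: $state"
Remove-Item -Path $work -Recurse -Force
```

On a domain-joined machine the domain password policy takes precedence over this local value, so the re-export in step 4 is the check that the change actually stuck.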
Related
Objective
Local User Password change without admin rights -> Powershell AD Methods
Logging on a distant PC using Remote Desktop Connection (RDP), on this PC the password shall be changed
Problem
AD Module not recognized (cmdlet... error)
Installed RSAT AD LDS via RDP and the windows "manage optional features" approach
RSAT AD LDS is installed
Powershell still does not know about AD module (get-aduser not working)
Activated LDS in "turn on/off features" (https://i.ibb.co/WxF35VD/Capture.png)
Powershell still does not find AD module (get-aduser not working)
Listing "Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property DisplayName, State" reveals that AD LDS tools are installed
Question
Somehow, the tools are installed but there is no ActiveDirectory module in the powershell folder
Am I missing a point somewhere?
• AFAIK, you won’t be able to make changes, i.e., add the RSAT roles required through ‘Programs and features’ section in Control Panel from Windows 8 and later versions. For this purpose and more clarity, kindly refer to the official documentation below for details: -
https://learn.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/remote-server-administration-tools
Thus, if your client Windows systems version is beyond Windows 8, then you would not be able to install the various roles and features as required under the ‘RSAT’ feature of optional feature in the Control Panel, rather you would need to install the RSAT’s various features regarding Windows Server roles through ‘Start --> Settings --> Apps --> Apps and Features --> Optional features’ section. Hence, from here, you can install any RSAT feature that you want to in your Windows 10 client system.
• Would suggest you to please execute the below cmdlet through an elevated console of Powershell on your Windows 10 client system and check again. It should be installed successfully. Also, do not forget to restart the system once the RSAT roles have been installed successfully, it would help to get the modified registry flags to get into effect: -
Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online
Once the above command has been executed successfully, please ensure that the below commands also get executed successfully. They will ensure that the ‘Active Directory’ module, if not present in the client system will be imported from the online Microsoft CDN library and installed.
Get-Module -Name ActiveDirectory -ListAvailable
Import-Module -Name ActiveDirectory
• You can also log into a distant PC using Remote Desktop Connection through your Windows 10 client system and change the password on that system by making a GPO (Group Policy Object) in your central policy server and set the policy as below to allow the users to access powershell without administrator privileges: -
Default domain policy/New GPO --> Edit --> Computer Configuration -->
Policies --> Windows Settings --> Security settings --> Restricted groups --> Remote Management Users --> Click on ‘Add’ --> Select the users from Active Directory --> Ok
Once you do this, then ensure that this policy is pushed on all the systems where you want users to run powershell remotely with administrator privileges. You can also add those users in a group and then add that group as a member of the ‘Remote management users’ group through group policy.
• You can check the permissions of a powershell session through the below command which clearly states that ‘Remote Management users’ are allowed access to the powershell session remotely. Please note that Windows Remote Management service needs to be started and run for the below command to run successfully and provide you with results.
(Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
I am trying to enable group policy settings, but not able to figure out how to do it.
tried :
1) get-command grouppolicy, but throws error.
2) not able to import GPO.
Can we do this using a pure PowerShell script?
Thanks in advance.
You will need to install RSAT (Remote Server Administration Tools) in order to have access to the Group Policy cmdlets.
You can find more information about the cmdlets here:
https://learn.microsoft.com/en-us/powershell/module/grouppolicy/?view=win10-ps
RSAT can be acquired here:
https://www.microsoft.com/en-us/download/details.aspx?id=45520
SCCM is the method we deploy Windows updates to clients. We have a portion of computers that have a local group policy setting under:
Local Computer policy > Administrative Templates > Windows Components > Windows update
The setting is called "Specify intranet Microsoft update service location"
Basically the wuahandler.log is complaining of :
Enabling WUA Managed server policy to use server: http://servername.domain.local:8530
Group policy settings were overwritten by a higher authority (Domain Controller) to: Server https://servername.domain.local:8531 and Policy ENABLED
Failed to Add Update Source for WUAgent of type (2) and id ({C2F93D44-EAB3-4D5E-9330-7806157D92AD}). Error = 0x87d00692.
I can see that for whatever reason SCCM is not modifying the local group policy and it's causing a conflict.
The PCs that have no issue have both the local group policy and policies under hklm > policies > windows update as the correct name (with port 8531).
I am basically asking how I can change the "Specify intranet Microsoft update service location" using PowerShell or an automated method to remediate the 300 PCs that have a mismatched port number. Modifying the HKLM keys under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate I've already taken care of. But this is not doing anything to resolve my issue.
any help would be appreciated.
There are many articles all over the web on using PowerShell and local policy management. Just search for them. Using a string like 'PowerShell manage local policy' and you will get a long list to consume.
There is even a module via the MS PowershellGallery.com for Local Policy Management.
Find-Module -Name 'PolicyFileEditor' |
Save-Module -Path "$env:USERPROFILE\Documents\WindowsPowerShell\Modules" -Force
Install-Module -Name 'PolicyFileEditor'
And its use is blogged about here:
How to manage Local Group Policy with Powershell
You can even just use secedit.
Take a look at this Q&A
So, sure you can mess with Local Policy, but if your SCCM settings are getting overridden by a higher authority, then any setting you'd do with PowerShell would as well.
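The PolicyFileEditor module mentioned in this answer edits the local policy file (Registry.pol) rather than the HKLM keys, which is the part the question says was not yet remediated. The following is an added example, not code from the original answer; it assumes the module is already installed, an elevated session, and that the URL the question gives as correct (port 8531) is the intended value.

```powershell
#Requires -RunAsAdministrator
# Added example: align the local policy "Specify intranet Microsoft update
# service location" entries with the expected WSUS URL.
Import-Module PolicyFileEditor

# Machine-scope local policy file and the Windows Update policy key.
$pol = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Registry.pol'
$key = 'SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# URL taken from the log excerpt in the question (assumed to be the correct one).
$expected = 'https://servername.domain.local:8531'

$changed = $false
foreach ($name in 'WUServer', 'WUStatusServer') {
    # Read the current entry, if the policy file exists at all.
    $entry = if (Test-Path $pol) {
        Get-PolicyFileEntry -Path $pol -Key $key -ValueName $name
    }
    if ($null -eq $entry -or $entry.Data -ne $expected) {
        $old = if ($entry) { $entry.Data } else { '<not set>' }
        Write-Output "$name : $old -> $expected"
        Set-PolicyFileEntry -Path $pol -Key $key -ValueName $name `
            -Data $expected -Type String
        $changed = $true
    }
    else {
        Write-Output "$name already matches"
    }
}

# Re-apply computer policy so the registry reflects the edited policy file.
if ($changed) {
    gpupdate.exe /target:computer /force | Out-Null
}
```

Because the script only writes when the stored value differs, it can be run repeatedly across the affected machines and its output doubles as a record of which ones were mismatched.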
Please make sure that in case of SCCM/MECM or installations with system user (NT-Authority\System) you do not use -Scope CurrentUser, otherwise you will have the same problem as described here: https://github.com/PowerShell/PowerShellGetv2/issues/651
In a system context Install-Module does not create a Documents folder in the system profile if -Scope CurrentUser is used.
If you want to use -Scope CurrentUser anyway, you have to create the folder "C:\Windows\system32\config\systemprofile\Documents\PowerShell\Modules" or at least "C:\Windows\system32\config\systemprofile\Documents" first, so that the module is installed for the system user.
On powershell I have the command to view the advanced audit settings from a registry key only by running as administrator, by running
(get-acl hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -audit).GetAuditRules($true,$true,[System.Security.Principal.NTAccount])
I was wondering if there's an alternative way of doing this on the regular PowerShell terminal, as when I try with the command above I get this output: get-acl : Attempted to perform an unauthorized operation.
I think you need to give yourself the 'Manage auditing and Security log' (SeSecurityPrivilege) user privilege to do that.
Open Group Policy editor (Windows + R and type gpedit.msc for the local machine)
Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
Double-click the 'Manage auditing and Security log' entry and add yourself to the users having that privilege.
You'll probably have to log off and back on before the new setting becomes active.
It can also be done using Powershell. I found a module cSecurityOptions and also Carbon has a function called Grant-Privilege. I haven't tried though..
Hope this helps
Salam everybody
I need help to learn how to install, configure and manage DNS using only PowerShell on Windows 2008?
This should get you started.
Installing DNS Server Role via Powershell
Open an elevated Powershell window and enter the following commands.
Import-Module Servermanager
Add-WindowsFeature 'DNS' -restart
For a more general guide about installing server roles via powershell, take a look at this page: Adding Server Roles and Features
On that page, just CTRL+F for Powershell.
Configuring DNS Server Role via Powershell
Since configuration is a very general topic, here's the link to the documentation:
Domain Name System (DNS) Server Cmdlets
You can list all the available commands with Get-Command -Module DnsServer