SoFunction
Updated on 2025-04-10

Do All in Cmd Shell (everything is completed on the command line), page 4/6



Finally, let's talk about Group Policy. Group Policy is an important means of establishing a Windows security environment, especially in Windows domain environments. A good system administrator should be able to master and apply Group Policy proficiently. It can be accessed from the window interface, and from the command line with secedit.

Let's look at the syntax of the secedit command:
secedit /analyze
secedit /configure
secedit /export 
secedit /validate
secedit /refreshpolicy 
These five commands analyze Group Policy, configure Group Policy, export Group Policy, validate template syntax, and refresh Group Policy, respectively. Of these, secedit /refreshpolicy is replaced by gpupdate under XP/2003. You can see the specific syntax of each command by running it at the command line.

Unlike accessing the registry, accessing Group Policy requires a security database file (sdb) in addition to a template file (an inf). To modify Group Policy, you must first import the template into the security database, and then refresh Group Policy by applying the security database. Let's take a look at an example:

Suppose I want to set the minimum password length value to 6 and enable "Password must meet the complexity requirements", then write this template first:

[version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1

Save as, and import:

secedit /configure /db  /cfg  /quiet

After this command is executed, the database file named by /db is generated in the current directory; it is an "intermediate product" and you can delete it.
The /quiet parameter indicates "quiet mode" and does not generate logs. But according to my experiments, this parameter does not seem to work under 2000 SP4, and is normal under XP. The logs are always saved in %windir%\security\logs\. You can also specify the log yourself so that you can delete it later. For example:

secedit /configure /db  /cfg  /log 
del gp.*

In addition, before importing the template, you can also check whether its syntax is correct:

secedit /validate 

So, how do you find out the specific syntax? Of course, look for it in MSDN. There is also a lazy way: the system comes with some security templates, in the %windir%\security\templates directory. These templates contain the syntax of most commonly used security settings, and you can understand it at a glance by opening them.

Let me give you another example: turning off all "audit policies". (The events they audit are recorded in the "Security" log of Event Viewer.)
The echo version:

echo [version] >
echo signature="$CHICAGO$" >>
echo [Event Audit] >>
echo AuditSystemEvents=0 >>
echo AuditObjectAccess=0 >>
echo AuditPrivilegeUse=0 >>
echo AuditPolicyChange=0 >>
echo AuditAccountManage=0 >>
echo AuditProcessTracking=0 >>
echo AuditDSAccess=0 >>
echo AuditAccountLogon=0 >>
echo AuditLogonEvents=0 >>
secedit /configure /db  /cfg  /log  /quiet
del 1.*

Some people may say: isn't Group Policy saved in the registry? Why not modify the registry directly? Because not all Group Policy settings are saved in the registry. For example, the "audit policy" is not. You can use regsnap to compare the registry before and after modifying the policy. In my tests, nothing changed. Only the "Administrative Templates" section is entirely based on the registry. Moreover, if you know the specific location, it is not complicated to use either method.

For example, under "Local Policies" - "Security Options", XP and 2003 add a "Local Account Sharing and Security Mode" policy. The default setting under XP is "Guest Only". This is why an IPC$ connection to XP made with an administrator account still has only Guest permissions. It can be changed to "Classic" by importing a reg file:

echo Windows Registry Editor Version 5.00 >
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] >>
echo "forceguest"=dword:00000000 >>
regedit /s 
del 

The equivalent using an inf should be:

echo [version] >
echo signature="$CHICAGO$" >>
echo [Registry Values] >>
echo MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0 >>
secedit /configure /db  /cfg  /log 
del 1.*

Now, the question of reading Group Policy from the command line.
The system's default security database is located in %windir%\security\database\. Export it to an inf file:

secedit /export /cfg  /log 

If the /db parameter is not used to specify the database, the default is used. Then view the exported file.

However, what is obtained this way is only part of Group Policy (i.e. "Windows Settings"). Moreover, a policy is not exported if it is not configured. For example, if "Rename the system administrator account" is defined, NewAdministratorName="xxx" will appear in the inf file. Group Policy settings that cannot be exported can only be obtained by accessing the registry.

This method does not work in XP and 2003: the export succeeds but the content is basically empty. The reason is unknown. According to official information, XP and 2003 display Group Policy using RSoP (Resultant Set of Policy). The corresponding command-line tool is gpresult. However, it reports the Group Policy applied (from the domain) when the system starts, and on a stand-alone machine the test results are still "empty". So, if you want to know whether certain Group Policy settings are set, you can only write an inf first, then use secedit /analyze, and then view the log.
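
An added example (not part of the original article): the following Python code checks the text of a security template, exported or hand-written, against the values used in the templates above, and reports password settings that are weaker, audit categories that are switched off, and the ForceGuest registry value. The sample template and the function names parse_inf and check are constructed for illustration.

```python
import re

# Constructed sample of `secedit /export` output (values are illustrative).
SAMPLE_INF = r"""
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 4
PasswordComplexity = 1
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
"""

def parse_inf(text):
    """Return {section name (lowercased): {key: value}} for a security template."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).lower(), {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

def check(text, min_len=6):
    """List deviations from the values used in the article's templates."""
    inf = parse_inf(text)
    access, findings = inf.get("system access", {}), []
    length = access.get("MinimumPasswordLength")
    if length is None:  # unconfigured policies are absent from an export
        findings.append("MinimumPasswordLength: not configured")
    elif int(length) < min_len:
        findings.append(f"MinimumPasswordLength: {length} < {min_len}")
    if access.get("PasswordComplexity") != "1":
        findings.append("PasswordComplexity: not enabled")
    # Event Audit values: 0 = none, 1 = success, 2 = failure, 3 = both.
    for key, value in inf.get("event audit", {}).items():
        if value == "0":
            findings.append(f"{key}: auditing off")
    # [Registry Values] entries are "<type>,<data>"; type 4 is REG_DWORD.
    for path, value in inf.get("registry values", {}).items():
        if path.lower().endswith("\\forceguest"):
            reg_type, data = value.split(",", 1)
            findings.append(f"ForceGuest: type={reg_type} data={data}")
    return findings
```

Calling check(SAMPLE_INF) returns one line per finding; an empty list means the template matches the values checked here.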