-2

I am looking for a method to access and modify local group policy settings in a PC programatically.

For example, if I want to check / modify a value for a setting

"Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit Logon Events" (Path taken from gpedit), I should be able to query it over a command line or set a value to it without the gpedit or any other native GUI interface.

Possible methods that I could think that might solve this problem were either of the following two:-

1. A programming interface for Local Group Policy Setting manipulation 

Based on my search 

i. There were no official documentation or tools from Microsoft that could query and manipulate a given setting in Local Security Policy. 

ii. The closest I could get was a vendor named sdmsoftware (Link:- https://sdmsoftware.com/group-policy-management-products/group-policy-automation-engine/) who provides a powershell interface for manipulating the Local group policy. Since the company I work is just a startup, we cant invest on any tools right now. Hence buying something is out of scope.I am looking for a freeware / OSS / any work-around to achive this.

2. A mapping file consisting of All Local Security Settings mapped to a corresponding registry key or a file path. So that the same registry keys or file can be used to directly query or modify a security setting. 

Based on my search 

i. I found a list given by Microsoft which gives a corresponding  registry key to some of the Local Security Policy settings. However , the list does not contain mappings of all Local Security Settings.
(Link:- www . microsoft . com /en - us / download / details . aspx ? id=25250)

I understand that the querying task can be done by exporting the result using gpresult and parsing it but however the same is not possible for modification. I also tried testing and analysing the following Microsoft Tools to somehow get the path of various local group policy settings by monitoring under tools like PSmon for seeing what files were being opened and what registries were being queried etc. :-
a) Security Compliance Manager (Link :-technet. microsoft . com / en-us / solutionaccelerators / cc835245 . aspx)

b) Microsoft Security Compliance Toolkit (Link :-www. microsoft. com / en-us / download/confirmation.aspx ? id=55319&6B49FDFB-8E5B-4B07-BC31-15695C5A2143=1)

However , it did not yield any result could also be becauase I might have not analysed them properly.

I would like to know if there are any documents / articles / a free ( free as in free beer) programming interface for Local Security policy / any work around hack that can allow me to edit and query local group settings programatically.

Thanks in advance.

m0ksh4
  • 7
  • 7
  • Why don't you just use GP to edit GPOs? – Maximilian Burszley Aug 27 '17 at 16:07
  • @TheIncorrigible I assume by GP you mean to say gpedit.I would have to prepare a report on a periodic basis for a given set of configurations and remediation based on my heads' wish. And we have around 100 systems. And using a gui and modifying settings in each system is not possible. Hence this approach. – m0ksh4 Aug 27 '17 at 19:43
  • No, I meant group policy. Using the group policy server mmc. – Maximilian Burszley Aug 27 '17 at 19:44
  • The systems are in workgroup mode and we don't have a domain controller yet. If that would have been there, it would easily solve this problem. Though it looks stupid, its management decision and there isn't much I can do. I might be wrong but I understand GP server mmc works only for Domain and not workgroup. Hence I thought this would be a way forward. Also edited the title now as it was a bit misleading. Thanks – m0ksh4 Aug 28 '17 at 07:03

1 Answers1

0

Unfortunately not every setting in the Security Settings is accessible in the same way.

As you already said, you can set most settings in the registry. If not, it highly depends on the setting you want to modify. For instance you can use:

Afaik there is no solution for all settings. If you need to modify another setting, you should ask for this specific setting, to find a programmatical way solution for it.

vrdse
  • 2,899
  • 10
  • 20