local_security_policy_update.ps1
<# .SYNOPSIS
This script remotes into each machine listed in the CSV and updates its Local Security Policy; it then changes the
permissions on a specified folder. The CSV must have two columns: "user" (the SamAccountName) and "machine" (that user's machine name).
#>
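# For every CSV row (columns "user" = SamAccountName, "machine" = computer name):
#   1. add the user's SID to the SeCreateGlobalPrivilege user right on that machine, and
#   2. grant the user access to every top-level folder on C:\ whose name contains "FolderName".
# Needs the ActiveDirectory module locally and administrative remoting rights on each target.
foreach ($user in (Import-Csv C:\users\joeord\Desktop\user_machines.csv)) {
    # Reset per row: if the lookup below fails, the assignment is skipped, and without the reset
    # the previous row's SID would be granted on this row's machine.
    $sid = $null
    try {
        $sid = (Get-ADUser $user.user -ErrorAction Stop).SID.Value
    }
    catch {
        Write-Warning "Lookup of '$($user.user)' failed: $($_.Exception.Message)"
    }
    if ([string]::IsNullOrEmpty($sid)) {
        # An empty SID would be written into the policy line as a bare "*".
        Write-Warning "No SID for '$($user.user)'; skipping $($user.machine)"
        continue
    }

    Invoke-Command $user.machine -ArgumentList $sid, $user {
        param($sid,
            $user
        )

        # sets local policy settings
        # The exported template describes the machine's security policy, so stage it in a
        # randomly named directory under the session's temp path instead of fixed names in C:\.
        $workDir = Join-Path ([System.IO.Path]::GetTempPath()) ([System.IO.Path]::GetRandomFileName())
        New-Item -ItemType Directory -Path $workDir | Out-Null
        $exported = Join-Path $workDir 'export.inf'
        $updated = Join-Path $workDir 'updated.inf'
        $database = Join-Path $workDir 'updated.sdb'

        try {
            # Only user rights are edited, so only that area is exported and re-applied.
            secedit /export /cfg $exported /areas USER_RIGHTS

            # NOTE(review): this overwrites the whole assignment with LOCAL SERVICE (S-1-5-19),
            # NETWORK SERVICE (S-1-5-20), the user, Administrators (S-1-5-32-544) and SERVICE
            # (S-1-5-6); any other principal that held the right is dropped. If the export has no
            # SeCreateGlobalPrivilege line, nothing is added.
            Get-Content $exported |
                ForEach-Object { $_ -replace "SeCreateGlobalPrivilege.*", "SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*$($sid),*S-1-5-32-544,*S-1-5-6" } |
                Set-Content $updated

            secedit /import /cfg $updated /db $database
            secedit /configure /db $database /areas USER_RIGHTS
        }
        finally {
            # Runs even when a step above throws, so no policy export is left on disk.
            Remove-Item -Recurse -Force $workDir -ErrorAction SilentlyContinue
        }

        # looks for and sets folder permissions for folder you would like
        # NOTE(review): the wildcard matches ANY top-level folder on C:\ whose name contains
        # "FolderName"; use an exact name if only one folder is meant.
        function find-path {
            $fileName = "FolderName"
            Get-ChildItem -Force "c:\" -ErrorAction SilentlyContinue |
                Where-Object { ($_.PSIsContainer -eq $true) -and ($_.Name -like "*$fileName*") } |
                Select-Object -ExpandProperty FullName
        }

        foreach ($folder in find-path) {
            Write-Output "Setting permissions on $env:COMPUTERNAME for FolderName on $folder"
            $acl = Get-Acl $folder
            $myGroup = "CORPORATE\$($user.user)"

            # One inherited Modify rule covers the Write, Read, ReadAndExecute, ListDirectory and
            # Modify rules that used to be added one by one. The former last rule asked for
            # "FullControll", which is not a FileSystemRights name, so it could not be created
            # and Modify was the effective grant. FullControl would also let the user change the
            # ACL and take ownership; grant it only if that is really required.
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$myGroup", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
            $acl.AddAccessRule($rule)
            Set-Acl $folder $acl
        }
    }
}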