How can I edit local security policy from a batch file?
I am trying to write a utility as a batch file that, among other things, adds a user to the "Deny logon locally" local security policy. This batch file will be used on hundreds of independent computers (not on a domain and aren't even on the same network).
I assumed one of the following were my options, but perhaps there's one I haven't thought of.
A command line utility similar to net.exe which can modify local security policy.
A VBScript sample to do the same.
Write my own using some WMI or Win32 calls. I'd rather not do this one if I don't have to.
Solution 1:
You can use the ntrights utility to edit account privileges.
The user right "SeDenyInteractiveLogonRight" is what you want to edit, likely as part of the computer's logon.
The following command would deny jscott interactive logon:
ntrights -u jscott +r SeDenyInteractiveLogonRight
http://support.microsoft.com/kb/315276
http://ss64.com/nt/ntrights.html
Solution 2:
You could export a template using the GUI. Make the desired changes on a reference PC, then:
SECPOL.MSC > Actions > export Policy > secpol.inf
Then use
SECEDIT.exe /IMPORT
Wrap it in your favorite scripting language (Batch, PS, VBScript) and it will overwrite the current policy.
The only concern would be if there are issues with overwriting the current policy.
I've never done it with security policy, but have before with power profiles, and the process looks almost identical, similar to the NET.exe command.
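On the overwrite concern raised in Solution 2, the following is an added example, not part of the original answer: it exports only the user-rights area with secedit, appends one account to SeDenyInteractiveLogonRight, and applies only that area back, so the other settings on each machine are left alone. The account name jscott (borrowed from Solution 1) and the scratch paths under %TEMP% are assumptions; it must run elevated.

```powershell
# Added example: merge one account into SeDenyInteractiveLogonRight without
# replacing the rest of the local policy. Run from an elevated prompt.
param([string]$Account = 'jscott')   # assumed account name; pass your own

$ErrorActionPreference = 'Stop'
$right = 'SeDenyInteractiveLogonRight'
$work  = Join-Path $env:TEMP ('secpol-' + [guid]::NewGuid())   # scratch dir (assumption)
New-Item -ItemType Directory -Path $work | Out-Null
$cfg = Join-Path $work 'rights.inf'
$db  = Join-Path $work 'rights.sdb'

try {
    # Resolve the name to a SID; exported templates list principals as *SID or by name.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $entry = "*$sid"

    # Export only the user-rights area of the current local policy.
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed ($LASTEXITCODE)" }

    $lines = Get-Content -Path $cfg      # UTF-16 with BOM; Get-Content detects it
    $found = $false
    $lines = foreach ($line in $lines) {
        if ($line -match ('^\s*' + $right + '\s*=\s*(.*)$')) {
            $found = $true
            $members = @($Matches[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            # Keep existing holders; add the account only if it is not already listed.
            if ($members -notcontains $entry -and $members -notcontains $Account) { $members += $entry }
            "$right = " + ($members -join ',')
        } else { $line }
    }
    if (-not $found) {
        # The right has no holders yet: add it under [Privilege Rights].
        $lines = foreach ($line in $lines) {
            $line
            if ($line -match '^\[Privilege Rights\]') { "$right = $entry" }
        }
    }
    Set-Content -Path $cfg -Value $lines -Encoding Unicode

    # Apply only the user-rights area from the edited template.
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed ($LASTEXITCODE)" }
}
finally {
    Remove-Item -Recurse -Force $work
}
```

Saved under a hypothetical name such as deny-logon.ps1, it can be called from a batch file with: powershell -ExecutionPolicy Bypass -File deny-logon.ps1 -Account jscott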
Solution 3:
I looked for so long too. I figured out the answer!
To check the current state:
auditpol /get /subcategory:"Process Creation"
This next line will make the change. It will set the process creation to Enabled.
auditpol /set /subcategory:"Process Creation"
Check the state again and you'll see the change.
Alternatively, you could change all of the "detail tracking" policies, as "process creation" is a subcategory of "detail tracking". Like this:
auditpol /set /category:"Detailed Tracking"