programming4us

Windows Server 2008 and Windows Vista : GPO Security (part 2)


4. SetGPOPermissionsBySOM.wsf

This script grants the specified permission to the specified security principal on all GPOs in the scope of management (SOM) of the targeted site, domain, or organizational unit. The script and its switches give you complete control: the /Replace and /Recursive switches and the None permission value let you tailor both the permission and its scope.

Syntax

Usage: SetGPOPermissionsBySOM.wsf SOM Group /Permission:value [/Replace] [/Recursive]
[/Domain:value]
SOM: Name of the site, domain, or OU to process.
Group: Name of the group or user to grant permissions to.
Permission: Permission to grant. Can be "Read," "Apply," "Edit," "FullEdit," or "None."
Replace: Replaces any existing permissions for the specified trustee. Otherwise, the script
simply ensures that the trustee has at least the permission level specified.
Recursive: Applies the changes to all child OUs as well.
Domain: DNS name of domain.


Example & Output

The output of this example contains an error. The /Recursive switch was used, but no GPO was linked to the Test OU.

cscript SetGPOPermissionsBySOM.wsf Servers "Server Operators" /Permission:Read /Recursive
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
Updating all GPOs linked to OU Servers to give Read rights to Server Operators

Updating all GPOs linked to OU Model Office to give Read rights to Server Operators

Updating permissions on linked GPO 'Hardened Server GPO'

Updating all GPOs linked to OU Production to give Read rights to Server Operators
Updating permissions on linked GPO 'Hardened Server GPO'

Updating all GPOs linked to OU Test to give Read rights to Server Operators
Error getting SOM CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Fabrikam,DC=com

5. SetSOMPermissions.wsf

This script sets the delegation on the Active Directory nodes where you can link GPOs. It changes nothing but those permissions. To leverage the RSoP Planning permission, there must be a domain controller running Windows Server 2003 or Windows Server 2008.

Syntax

Usage: SetSOMPermissions.wsf SOM Group /Permission:value [/Inherit] [/Domain:value]
SOM: Name of the site, domain, or OU to process.
Group: Name of the group or user to grant permissions to.
Permission: Permission to grant. Can be "LinkGPOs," "RSoPLogging," "RSoPPlanning," "All,"
or "None."
Inherit: Specifies that the permission should be inherited by all child containers.
Domain: DNS name of domain.


Example #1 & Output

In Example #1, you add RSOPLogging to all of the GPOs for the Server Operators group. In Example #2, you add RSOPPlanning to all of the GPOs for the Server Operators group.

cscript SetSOMPermissions.wsf Servers "server operators" /Permission:RSOPLogging /inherit
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Added the 'RSoP Logging Mode' permission for server operators.


Example #2 & Output

cscript SetSOMPermissions.wsf Servers "server operators" /Permission:RSOPPlanning /inherit
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Added the 'RSoP Planning Mode' permission for server operators.


Direct from the Source: The Scripting Group Policy Landscape

GPMC provides an important interface into Group Policy management. You may be familiar with the GPMC GUI, but the GPMC scripts provide a great tool for automating management of Group Policy objects themselves. All of the tasks that you can perform with the GUI can also be automated by using the supplied GPMC scripts; you can also create custom scripts by using the scripting model that GPMC provides. Automation tasks also include management of GPOs as a whole. That is, you create and delete GPOs, link them to Active Directory containers, back them up and restore or import them, and even generate Group Policy Results reports—all from scripts.

If you are a Windows PowerShell scripter, you can also leverage the GPMC scripting interfaces from that scripting environment, because they are just COM objects that you can call directly from your Windows PowerShell scripts by using the New-Object cmdlet. In addition, a set of free Windows PowerShell cmdlets makes it easy to leverage much of the GPMC functionality from Windows PowerShell. You can find these at www.sdmsoftware.com/freeware.php.

The GPMC is lacking, however, when it comes to modifying the settings within GPOs via scripts or some other automated mechanism. There are no scripting interfaces into Group Policy settings. Microsoft does provide the IGroupPolicyObject C++ interface (for more details, you can search for that interface name on http://msdn.microsoft.com) for programmatically accessing some parts of Group Policy, namely registry policy, but this interface is not easily accessible via Microsoft Visual Basic, Scripting Edition (VBScript) or other COM-based scripting languages.

The SDM Software GPExpert™ Scripting Toolkit for PowerShell exposes Group Policy settings to scripting interfaces. It supports VBScript (although it is designed to work primarily with Windows PowerShell), and it provides a mechanism for reading, searching, and writing settings within most of the supported policy areas in Windows Vista, Windows XP, Windows Server 2003, and Windows Server 2008.
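The GPMC COM objects mentioned above can also be used to check what SetGPOPermissionsBySOM.wsf and SetSOMPermissions.wsf actually granted. The following PowerShell is an added example, not part of the original text or of the GPMC sample scripts; it only reads permissions, and the domain name and OU distinguished name are assumed values to replace with your own.

```powershell
# Added example: read-only audit of delegation on one OU and its linked GPOs.
# Assumed values: the domain DNS name and OU distinguished name below.
$DomainDns = 'fabrikam.com'
$OuDn      = 'OU=Servers,DC=fabrikam,DC=com'

$gpm    = New-Object -ComObject GPMgmt.GPM      # requires GPMC to be installed
$c      = $gpm.GetConstants()
$domain = $gpm.GetDomain($DomainDns, '', $c.UseAnyDC)
$som    = $domain.GetSOM($OuDn)
if (-not $som) { throw "SOM not found: $OuDn" }

# Translate GPMC permission constants into readable names.
$names = @{}
$names[[int]$c.PermGPORead]                  = 'GPO: Read'
$names[[int]$c.PermGPOApply]                 = 'GPO: Apply'
$names[[int]$c.PermGPOEdit]                  = 'GPO: Edit'
$names[[int]$c.PermGPOEditSecurityAndDelete] = 'GPO: Edit, delete, modify security'
$names[[int]$c.PermGPOCustom]                = 'GPO: Custom'
$names[[int]$c.PermSOMLink]                  = 'SOM: Link GPOs'
$names[[int]$c.PermSOMLogging]               = 'SOM: RSoP Logging'
$names[[int]$c.PermSOMPlanning]              = 'SOM: RSoP Planning'

# Emit one object per access entry found in an IGPMSecurityInfo collection.
function Get-DelegationEntry($Target, $SecurityInfo) {
    foreach ($p in $SecurityInfo) {
        $perm = $names[[int]$p.Permission]
        if (-not $perm) { $perm = "Other ($([int]$p.Permission))" }
        $who = $p.Trustee.TrusteeName
        if (-not $who) { $who = $p.Trustee.TrusteeSid }   # unresolved SID
        New-Object PSObject -Property @{
            Target = $Target; Trustee = $who; Permission = $perm
            Inherited = $p.Inherited; Denied = $p.Denied
        }
    }
}

# Delegation on the OU itself (what SetSOMPermissions.wsf changes).
$report = @(Get-DelegationEntry "OU $($som.Name)" $som.GetSecurityInfo())

# Delegation on every GPO linked to the OU (what SetGPOPermissionsBySOM.wsf changes).
foreach ($link in $som.GetGPOLinks()) {
    $gpo = $domain.GetGPO($link.GPOID)
    if (-not $gpo) { continue }                  # link to a GPO that cannot be read
    $report += @(Get-DelegationEntry "GPO '$($gpo.DisplayName)'" $gpo.GetSecurityInfo())
}

$report | Sort-Object Target, Trustee |
    Format-Table Target, Trustee, Permission, Inherited, Denied -AutoSize
```

Run it before and after a permission change and compare the two tables; a trustee that appears with Edit or higher on a GPO linked to a server OU is the entry to review first.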
