Recently my company has been tightening its information security and added a lot of new security rules. As the IT staff, we have to help configure every computer in the company.
We need to set the following items under Password Policy: "Password must meet complexity requirements", minimum password length, maximum password age, and "Enforce password history".
To speed up the configuration I would like to put this in a batch file (.bat). How should I write it?
I can already set the minimum password length and maximum password age with the `net accounts` command, but I have no idea how to script the other two, and Google does not turn anything up either.
I would be grateful for any pointers from the more experienced folks here!
Please refer to the following:
Usage:
1. Copy the content below into a .bat file, edit the items you want to change, then save.
2. Every line that begins with ::# will be processed; for items you do not want to change, replace ::# with ::.
3. The operation log will contain error messages; if a message is unrelated to the items you configured, it can be ignored.
PS. For the parts without comments, look up online which entry corresponds to which setting.
::Configure local security policy from the command line (secedit)
@Echo Off
::Elevation check: fsutil refuses to run without administrator rights
Fsutil File Layout "%SystemRoot%\Explorer.exe">Nul 2>Nul||(Echo.&Echo.&Echo Warning: nothing was changed. Right-click the file and choose "Run as administrator".&Echo.&Echo.&Echo.&Echo.&Pause&Exit)
Set TempTable=%~dp0Temp%RANDOM%
Set TempCfg=%~dp0Cfg%RANDOM%
::An open MMC console, e.g. secpol.msc, can interfere with secedit, so offer to close it first
TaskList /FI "IMAGENAME EQ MMC.EXE"|Findstr /i "MMC.EXE">Nul&&(
Echo. Microsoft Management Console may interfere with this script.
Echo. --------------------------------------------------------------------
Echo. Microsoft Management Console is currently open.
Echo. Terminate Microsoft Management Console?
Echo. The script exits if no choice is made within 60 seconds.
Echo.
Choice /T 60 /D N /M "Terminate MMC:"
REM Inside a parenthesised block the ErrorLevel variable is expanded when the whole block is parsed,
REM so test the exit code with "If ErrorLevel", which is evaluated at run time. Y gives 1, N gives 2.
If ErrorLevel 2 Exit
TaskKill /FI "IMAGENAME EQ MMC.EXE"
TimeOut /NoBreak /T 1 >Nul
TaskList /FI "IMAGENAME EQ MMC.EXE"|Findstr /i "MMC.EXE">Nul&&(
Echo.&Echo.&Echo.&Echo.&Echo.
Echo. Microsoft Management Console could not be terminated.
Echo. Find out why Microsoft Management Console will not close, then run this script again.
Echo.
Echo. Perhaps a child window was left open :^)
Echo.
Pause
Exit
)
)
::Build the security template (INF) header; secedit expects the [Unicode] and [Version] sections
(
Echo [Unicode]
Echo Unicode=yes
Echo [Version]
Echo signature="$CHICAGO$"
Echo Revision=1
)>"%TempCfg%"
::Append every line of this file that starts with ::# to the template, with the ::# prefix stripped
For /f "delims=:# Tokens=*" %%w In ('Findstr /b "::#" "%~0"') Do Echo %%w>>"%TempCfg%"
::Work on a copy of the local policy database so the original secedit.sdb is not modified
Esentutl /Y "%SystemRoot%\security\database\secedit.sdb" /D "%TempTable%"
SecEdit /Configure /Cfg "%TempCfg%" /DB "%TempTable%" /Log "%TempCfg%.log"
Del /Q "%TempCfg%" "%TempTable%.jfm" "%TempTable%"
Cls&Echo.&Echo.&Echo.&Echo.
Echo. [Configuration complete]
Echo. Reboot for the settings to take effect. Reboot now?
Echo. To reboot automatically, make sure all files are saved; otherwise choose [N] and reboot manually.
Echo. To review the configuration log, open [%TempCfg%.log]
Echo. The log may contain error messages; those for items that were not configured can be ignored.
Echo. The script exits automatically if no choice is made within 60 seconds.
Echo.
Choice /T 60 /D N /M "Reboot?:"
If %ErrorLevel% EQU 2 Exit
Shutdown -f -r -t 0
Exit
::Edit the items to change below. A line beginning with ::# is processed; to add more, follow the same pattern.
::Entries belonging to the same section must be listed within that section.
::#[System Access]
::Minimum password age (days)
::#MinimumPasswordAge = 0
::Maximum password age (days)
::#MaximumPasswordAge = 42
::Minimum password length
::#MinimumPasswordLength = 0
::Password must meet complexity requirements (0 = disabled, 1 = enabled)
::#PasswordComplexity = 0
::Enforce password history (number of previous passwords remembered)
::#PasswordHistorySize = 0
::Account lockout threshold (invalid logon attempts)
::#LockoutBadCount = 20
::Reset account lockout counter after (minutes)
::#ResetLockoutCount = 30
::Account lockout duration (minutes)
::#LockoutDuration = 30
::Require logon to change password (obsolete)
::#RequireLogonToChangePassword = 0
::Force logoff when logon hours expire (forcibly disconnects SMB sessions); DC only
::#ForceLogoffWhenHourExpire = 1
::Store passwords using reversible encryption
::#ClearTextPassword = 0
::Allow anonymous SID/Name translation (LSA lookup)
::#LSAAnonymousNameLookup = 0
::Rename the administrator account
::NewAdministratorName = "Administrator"
::Rename the administrator account; DC only
::NewAdministratorName =
::Rename the guest account
::NewGuestName = "Guest"
::Rename the guest account; DC only
::NewGuestName =
::Administrator account status (0 = disabled, 1 = enabled)
::EnableAdminAccount = 0
::Guest account status (0 = disabled, 1 = enabled)
::EnableGuestAccount = 0
::#[System Log]
::Maximum log size (KB)
::MaximumLogSize = 20480
::Retention method [0 = overwrite events as needed, 1 = overwrite events older than RetentionDays, 2 = do not overwrite (clear log manually)]
::AuditLogRetentionPeriod = 0
::Retain log for N days (1-365)
::RetentionDays = 7
::Prevent local guests group from accessing the log [0 = not restricted, 1 = restricted]
::RestrictGuestAccess = 1
::#[Security Log]
::Maximum log size (KB)
::MaximumLogSize = 20480
::Retention method [0 = overwrite events as needed, 1 = overwrite events older than RetentionDays, 2 = do not overwrite (clear log manually)]
::AuditLogRetentionPeriod = 0
::Retain log for N days (1-365)
::RetentionDays = 7
::Prevent local guests group from accessing the log [0 = not restricted, 1 = restricted]
::RestrictGuestAccess = 1
::#[Application Log]
::Maximum log size (KB)
::MaximumLogSize = 20480
::Retention method [0 = overwrite events as needed, 1 = overwrite events older than RetentionDays, 2 = do not overwrite (clear log manually)]
::AuditLogRetentionPeriod = 0
::Retain log for N days (1-365)
::RetentionDays = 7
::Prevent local guests group from accessing the log [0 = not restricted, 1 = restricted]
::RestrictGuestAccess = 1
::#[Event Audit]
::Values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
::Audit system events
::AuditSystemEvents = 0
::Audit logon events
::AuditLogonEvents = 0
::Audit object access
::AuditObjectAccess = 0
::Audit privilege use
::AuditPrivilegeUse = 0
::Audit policy change
::AuditPolicyChange = 0
::Audit account management
::AuditAccountManage = 0
::Audit process tracking
::AuditProcessTracking = 0
::Audit directory service access
::AuditDSAccess = 0
::Audit account logon events
::AuditAccountLogon = 3
::#[Registry Values]
:: Registry value name in full path = Type, Value
:: REG_SZ ( 1 )
:: REG_EXPAND_SZ ( 2 ) // with environment variables to expand
:: REG_BINARY ( 3 )
:: REG_DWORD ( 4 )
:: REG_MULTI_SZ ( 7 )
::MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
::MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
::MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,5
::MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"0"
::MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,5
::MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,3
::MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
::MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection=4,1
::MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
::MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths=4,1
::MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle=4,0
::MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization=4,1
::MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""
::MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,
::MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1
::MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0
::MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
::MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
::MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures=4,0
::MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0
::MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
::MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
::MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
::MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
::MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0
::MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
::MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
::MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
::MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,536870912
::MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,536870912
::MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
::MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
::MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
::MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,0
::MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
::MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog
::MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
::MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
::MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
::MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,
::MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
::MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0
::MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,
::MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
::MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
::MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
::MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
::MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
::MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
::MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
::MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
::MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
::MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1
::MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
::MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
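For the two items the question could not script (PasswordComplexity and PasswordHistorySize), here is an added example in PowerShell written for this page; it is not code from the original post. It uses the same secedit mechanism as the batch above, but instead of maintaining a ::# template it exports the current policy, rewrites only the four [System Access] keys, applies the result and then re-exports to verify. The target values (complexity on, length 12, age 90 days, history 24) and the work-file names are assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post. Target values below are assumptions for illustration.
$Target = [ordered]@{
    PasswordComplexity    = 1    # "Password must meet complexity requirements": 1 = enabled, 0 = disabled
    MinimumPasswordLength = 12   # characters
    MaximumPasswordAge    = 90   # days
    PasswordHistorySize   = 24   # previous passwords remembered
}

$work = Join-Path $env:TEMP ('secpol-' + [guid]::NewGuid().ToString('N'))   # arbitrary scratch directory
New-Item -ItemType Directory -Path $work | Out-Null
$exportInf  = Join-Path $work 'current.inf'
$patchedInf = Join-Path $work 'patched.inf'
$verifyInf  = Join-Path $work 'after.inf'
$db         = Join-Path $work 'work.sdb'     # scratch database; %SystemRoot%\security\database\secedit.sdb stays untouched
$log        = Join-Path $work 'apply.log'

# 1. Export the effective local policy. secedit writes UTF-16LE, so read and write the INF as Unicode.
secedit.exe /export /cfg $exportInf /areas SECURITYPOLICY /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }
$lines = @(Get-Content -Path $exportInf -Encoding Unicode)

# 2. Rewrite only the target keys inside [System Access]; every other line is copied unchanged.
$section = ''
$seen    = @{}
$out = foreach ($line in $lines) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1] }
    if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=') {
        $key = $Matches[1]
        if ($Target.Contains($key)) {
            $seen[$key] = $true
            "$key = $($Target[$key])"
            continue
        }
    }
    $line
}
$out = @($out)

# Keys absent from the export are appended directly under the section header.
$missing = @($Target.Keys | Where-Object { -not $seen[$_] })
if ($missing.Count -gt 0) {
    $idx = -1
    for ($i = 0; $i -lt $out.Count; $i++) { if ($out[$i] -match '^\[System Access\]') { $idx = $i; break } }
    if ($idx -lt 0) { throw '[System Access] section not found in the exported policy' }
    $extra = @($missing | ForEach-Object { "$_ = $($Target[$_])" })
    $out = $out[0..$idx] + $extra + $out[($idx + 1)..($out.Count - 1)]
}
Set-Content -Path $patchedInf -Value $out -Encoding Unicode

# 3. Apply. Account policy set this way is effective immediately; no reboot is needed for these keys.
secedit.exe /configure /db $db /cfg $patchedInf /areas SECURITYPOLICY /log $log /quiet | Out-Null
if ($LASTEXITCODE -ne 0) {
    Get-Content -Path $log
    throw "secedit /configure failed with exit code $LASTEXITCODE"
}

# 4. Verify by re-exporting, so a setting that secedit silently ignored is reported rather than assumed.
secedit.exe /export /cfg $verifyInf /areas SECURITYPOLICY /quiet | Out-Null
$after  = @(Get-Content -Path $verifyInf -Encoding Unicode)
$failed = $false
foreach ($key in $Target.Keys) {
    $actual = $null
    foreach ($l in $after) {
        if ($l -match "^\s*$key\s*=\s*(\S+)") { $actual = $Matches[1]; break }
    }
    if ("$actual" -eq "$($Target[$key])") { "$key = $actual  OK" }
    else { Write-Warning "$key is '$actual', expected $($Target[$key])"; $failed = $true }
}
Remove-Item -Path $work -Recurse -Force
if ($failed) { exit 1 }
```

Run it from an elevated PowerShell window; `net accounts` afterwards shows the same four values in its own wording (password complexity is not listed there, which is why the script checks the re-exported INF instead). Two caveats: the INF must stay UTF-16 (the exported header already carries `[Unicode] Unicode=yes`), and on a domain-joined machine this only governs local accounts. Password policy for domain accounts is defined at the domain level (Default Domain Policy or Set-ADDefaultDomainPasswordPolicy), and a domain GPO that defines Account Policies will overwrite the local values at the next policy refresh.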
Actually... just set up one machine first, export the corresponding registry keys, then import them on the others... no need to write such a long batch file. The slow way is to Google which registry values correspond to the group policy settings; the fast way is to grab some registry scanner tool, take a snapshot before and after making the settings, and compare the two to find the corresponding registry values.