Anne Maire Fierst

asked on

Need a VBScript to extract group policy security settings.

I'm very familiar with extracting information from registry keys using VBScript, but I'm having trouble trying to extract a policy security setting on my machine using VBScript. I can get to the information I need using gpedit.msc, and navigating to the folder "Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options", but I need to do this via a script that can be run on the laptop of everyone in my organization (to audit a security setting). I don't want anyone running gpedit.msc on their machines.

I've tried using PowerShell, but I don't want anyone to have to change any settings on their computer (right now the script execution permission on our laptops is "restricted").  I would really like a VBScript that someone can just double-click and have it produce a file that I can then have them send to me.  I've searched the internet for hours and cannot find what I'm looking for.  Can anyone help?
McKnife

Hi.

The method seems weird. What setting do you want to audit? I guess there will be an easier way to achieve that.
But why are you providing that to anybody? That's technical support thinking; elevate the thinking to that of a consultant: you should be able to do this without notifying anybody.
That's not the way to proceed in the PowerShell AD world.

You just create a PowerShell script that gathers all that information, test it on your local computer, and then deploy it into a GPO in the Computers part as a login script.

Set a shared address like \\server\folder

and use:

```powershell
# Requires the GroupPolicy module (installed with RSAT / GPMC), which a default workstation does not have
$Domain = "domain.com"
# One HTML report per machine, named after the computer that ran the script
$path = "\\Server\Shared\$env:computername.HTML"
Import-Module GroupPolicy
# Report on every GPO in the domain; the commented line reports on a single named GPO instead
Get-GPOReport -All -Domain $Domain -ReportType HTML -Path $path
#Get-GPOReport -Name default_domain_policy -ReportType HTML -Path $path
```

Anne Maire Fierst

ASKER

I like that idea!  I was asked by a technical support person to develop a script that could be deployed to everyone to retrieve the information he's looking for.  I guess the only part that I'm still a little fuzzy on is deploying it as part of a login script...I'm hoping my technical support admin knows how to do that.  Let me check with him and I'll get back to you...thanks!
Tell you what. Deploying that as a login script is as easy as it gets, since GPOs allow running PowerShell scripts as logon scripts.
But: The output is huge. For example, for me, it's 17 MB.
To just list what you want, you should query the registry, since most of these settings are registry based.

What particular setting(s) within security options are you looking at?
McKnife, thanks for your comments.  What I'm looking for is the following:

Under:
  Local Computer Policy
    Windows Settings
      Security Settings
        Local Policies
          Security Options...

I need to know the security setting for the policy called "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Role"
That's a one-liner:

```bat
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ | findstr ConsentPromptBehaviorAdmin>>\\server\share\%computername%.txt
```

Try it.
The results look like this:

ConsentPromptBehaviorAdmin    REG_DWORD    0x2

The possible values are:
0 = Elevate without prompting
1 = Prompt for credentials on the secure desktop
2 = Prompt for consent on the secure desktop (this is what my result example shows by 0x2)
3 = Prompt for credentials
4 = Prompt for consent
5 (Default) = Prompt for consent for non-Windows binaries
Thanks, McKnife!  Hoping to get time to implement this...will let you know how it goes, and then I'll mark it as my solution.
Just add that code to your batch logon script or startup script.
For it to work, you need to supply a share \\server\share\ that is writable for users (write-only would be best, readable only by admins) or the authenticated users group.
Inside that share, you'll find result files, one per machine.
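As an added example, not code from the thread: a VBScript that reads the same registry value the reg query above returns, maps it to the meanings McKnife lists, and appends one line to the per-machine result file, so it meets the original request to run by double-click without PowerShell. The share path, the fallback to %TEMP% and the audit marker on value 0 are assumptions.

```vbscript
Option Explicit
' Assumed locations (not from the thread): point RESULT_SHARE at the write-only collection folder.
Const VALUE_PATH = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin"
Const RESULT_SHARE = "\\server\share\"

' Map the DWORD to the meanings listed above; anything else is reported as unknown.
Function Describe(v)
    Select Case v
        Case 0: Describe = "Elevate without prompting"
        Case 1: Describe = "Prompt for credentials on the secure desktop"
        Case 2: Describe = "Prompt for consent on the secure desktop"
        Case 3: Describe = "Prompt for credentials"
        Case 4: Describe = "Prompt for consent"
        Case 5: Describe = "Prompt for consent for non-Windows binaries"
        Case Else: Describe = "Unknown value"
    End Select
End Function

Dim shell, fso, computerName, value, note, line, target, f
Set shell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
computerName = shell.ExpandEnvironmentStrings("%COMPUTERNAME%")

' RegRead raises an error when the value does not exist; Windows then applies
' its default of 5, so record that instead of aborting.
On Error Resume Next
value = shell.RegRead(VALUE_PATH)
If Err.Number <> 0 Then
    Err.Clear
    value = 5
    note = " (value not present, default applies)"
End If
On Error GoTo 0

' 0 is what an audit most wants to catch: administrators elevate with no prompt at all.
If value = 0 Then note = note & " [AUDIT: no elevation prompt]"
line = computerName & vbTab & "ConsentPromptBehaviorAdmin=0x" & Hex(value) & vbTab & Describe(value) & note

' Append to the per-machine file on the share; if the share cannot be opened,
' fall back to the user's TEMP folder so the file can be sent in by hand.
target = RESULT_SHARE & computerName & ".txt"
On Error Resume Next
Set f = fso.OpenTextFile(target, 8, True)
If Err.Number <> 0 Then
    Err.Clear
    target = shell.ExpandEnvironmentStrings("%TEMP%\") & computerName & ".txt"
    Set f = fso.OpenTextFile(target, 8, True)
End If
On Error GoTo 0
f.WriteLine line
f.Close
WScript.Echo "Result written to " & target
```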
Wonderful!  Thanks!