Powershell如何修改组策略（group policy）

版权声明：本文为博主原创文章，未经博主允许不得转载。 https://blog.csdn.net/baidu_35407267/article/details/79700790

上一篇，田总手把手给指导了如何实现多跳，手动实现的，没有问题。但是机器众多，这一篇我们用命令来实现组策略的修改。

首先，Powershell不是万能的，Powershell是可以获取到域的组策略(GPO)，并且权限足够还可以修改，但是，本地策略（Local Computer Policy）策略则无法获取到。Google上好多answer建议去修改pol文件。但是他打开很难读。也有好多好多人建议用这个第三方插件来编辑，但是这个插件首先在window server 2016上就不支持，作者也早就不维护了。

竟然，组策略的值是会保存在注册表里的，下图有关的设置，就可以在HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly这里找到

既然如此，根据需要直接修改注册表就好。所以上篇文章的方法可以全自动实现。

$getTrustedHosts = Get-Item WSMan:\localhost\Client\TrustedHosts
if ($getTrustedHosts -ne $null -and $($getTrustedHosts.value) -eq "*") {
    Write-Host "Has already set the local trustedHost."
}
else {
    Set-Item WSMan:\localhost\Client\TrustedHosts -value * -Force | out-null
    write-host "Successfully set the local trustedHost"
}
if(test-path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly"){
    write-host "AllowFreshCredentialsWhenNTLMOnly exists in the registry"
    $obj = get-itemproperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly"
    if($obj.1){
        write-host "The computer policy is working well"
    }else{
        new-ItemProperty -path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly" -name "1" -value "wsman/*" | out-null
        write-host "Successfully set AllowFreshCredentialsWhenNTLMOnly in the registry,and the path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegationAllowFreshCredentialsWhenNTLMOnly"
    }
}else{
    new-Item -path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" -name "AllowFreshCredentialsWhenNTLMOnly" -value "1" | out-null
    new-ItemProperty -path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly" -name "1" -value "wsman/*" | out-null
    write-host "Successfully set AllowFreshCredentialsWhenNTLMOnly in the registry,and the path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegationAllowFreshCredentialsWhenNTLMOnly"
}
$targetmachine ="vmaosupse2" 
Enable-WSManCredSSP -Role "Client" -DelegateComputer * -force | out-null
$secPassword = ConvertTo-SecureString "guguji5" -AsPlainText -Force
$cred = New-Object system.Management.Automation.PSCredential("advent\axyssu", $secPassword)

invoke-Command -ComputerName $targetmachine -Credential $cred -ScriptBlock {
    Enable-WSManCredSSP -Role "Server" -force | out-null
}

invoke-Command -ComputerName $targetmachine -Credential $cred -Authentication Credssp -ScriptBlock{
    $path = "\\cosmoxydev8\c$\Moxy"
    get-childitem -path $path
}

必须要知道的事：虽然组策略是存在注册表，组策略的修改，会同步的保存到注册表，但是，大部分注册表的修改不会同步到组策略。尽管它会生效，但是在组策略面板里看到的还是旧的值。