How can I edit local security policy from a batch file?

Question

I am trying to write a utility as a batch file that, among other things, adds a user to the "Deny logon locally" local security policy. This batch file will be used on hundreds of independent computers (not on a domain and aren't even on the same network).

I assumed one of the following were my options, but perhaps there's one I haven't thought of.

1. A command line utility similar to net.exe which can modify local security policy.

2. A VBScript sample to do the same.

3. Write my own using some WMI or Win32 calls. I'd rather not do this one if I don't have to.

Answer 1

You can use the ntrights utility to edit account privileges.

The user right "SeDenyInteractiveLogonRight" is what you want to edit, likely as part of the computer's logon.

The following command would deny jscott interactive logon:

ntrights -u jscott +r SeDenyInteractiveLogonRight

http://support.microsoft.com/kb/315276

http://ss64.com/nt/ntrights.html

Answer 2

you could export a template using the GUI

make desired changes on reference PC,

SECPOL.MSC > Actions > export Policy > secpol.inf

then use

SECEDIT.exe /IMPORT 

wrap it in your favorite scripting language (Batch, PS, VBScript)

and it will overwrite the current policy

only concern would be if there are issues with overwriting the current policy

I've never done it with security policy, but have before with power profiles, and the process looks almost identical, similar to the NET.exe command.

Answer 3

I looked for so long too. I figured out the answer!

To check the current state :

auditpol /get /subcategory:"Process Creation"

This next line will make the change. It will set the process creation to Enabled.

auditpol /set /subcategory:"Process Creation"

Check the state again and you'll see the change.

Alternatively, you could change all of the "detail tracking" policies, as "process creation" is a subcategory of "detail tracking". Like this:

auditpol /set /category:"Detailed Tracking"