In the previous post, Boss Tian walked us through implementing multi-hop remoting by hand, and that works fine. But with a large number of machines, this post uses commands to make the group policy change instead.
First, PowerShell is not all-powerful. It can read a domain's Group Policy Objects (GPOs) and, given sufficient permissions, modify them, but the Local Computer Policy cannot be read this way. Many answers on Google suggest editing the .pol file directly, but it is hard to read once opened. Many others recommend a third-party module for editing it, but that module is not supported on Windows Server 2016 to begin with, and its author stopped maintaining it long ago.
Since group policy values are stored in the registry, the setting shown in the figure below (from the original post) can be found here:
HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly
That being so, just modify the registry directly as needed. The method from the previous post can therefore be fully automated:
# 1. Make sure the local WinRM client trusts the target hosts.
#    (The author uses "*"; a narrower list of host names is the safer choice.)
$getTrustedHosts = Get-Item WSMan:\localhost\Client\TrustedHosts
if ($getTrustedHosts -ne $null -and $($getTrustedHosts.value) -eq "*") {
    Write-Host "Has already set the local trustedHost."
}
else {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value * -Force | Out-Null
    Write-Host "Successfully set the local trustedHost"
}

# 2. Write the "Allow delegating fresh credentials with NTLM-only server authentication"
#    policy straight into the registry. The on/off flag is a DWORD on the
#    CredentialsDelegation key; the subkey of the same name holds the numbered target list.
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation"
$listKey   = "$policyKey\AllowFreshCredentialsWhenNTLMOnly"
if (Test-Path $listKey) {
    Write-Host "AllowFreshCredentialsWhenNTLMOnly exists in the registry"
    $obj = Get-ItemProperty $listKey
    if ($obj.1) {
        Write-Host "The computer policy is working well"
    }
    else {
        New-ItemProperty -Path $listKey -Name "1" -Value "wsman/*" -PropertyType String | Out-Null
        Write-Host "Successfully set AllowFreshCredentialsWhenNTLMOnly in the registry, at the path $listKey"
    }
}
else {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-Item -Path $policyKey -Name "AllowFreshCredentialsWhenNTLMOnly" | Out-Null
    # DWORD flag that actually enables the policy (the original script only created the subkey)
    New-ItemProperty -Path $policyKey -Name "AllowFreshCredentialsWhenNTLMOnly" -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $listKey -Name "1" -Value "wsman/*" -PropertyType String | Out-Null
    Write-Host "Successfully set AllowFreshCredentialsWhenNTLMOnly in the registry, at the path $listKey"
}

# 3. Enable CredSSP on the client, then on the server, and run the multi-hop command.
#    Note: the credential below is hard-coded in the author's script; in practice
#    prefer Get-Credential or a vault so the password never sits in a file.
$targetmachine = "vmaosupse2"
Enable-WSManCredSSP -Role "Client" -DelegateComputer * -Force | Out-Null
$secPassword = ConvertTo-SecureString "guguji5" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("advent\axyssu", $secPassword)
Invoke-Command -ComputerName $targetmachine -Credential $cred -ScriptBlock {
    Enable-WSManCredSSP -Role "Server" -Force | Out-Null
}
# Second hop: with CredSSP the remote session can reach a UNC share on a third machine.
Invoke-Command -ComputerName $targetmachine -Credential $cred -Authentication Credssp -ScriptBlock {
    $path = "\\cosmoxydev8\c$\Moxy"
    Get-ChildItem -Path $path
}
One thing you must know: although group policy is stored in the registry, and changes made through group policy are written through to the registry, most changes made directly in the registry are not synced back to group policy. They do take effect, but the Group Policy editor still shows the old value.
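Because the Group Policy editor keeps showing the old value, the registry itself is the only reliable place to audit what the policy really is. The following is an added example, not code from the original post: it manages the same AllowFreshCredentialsWhenNTLMOnly policy idempotently, reads the effective state back from the registry, scopes delegation to named hosts instead of wsman/*, and can roll the change back after the job. It assumes it runs elevated on the client machine, and the host name in the usage lines is a constructed placeholder.

```powershell
# Added example (not from the original post): scoped, idempotent management of the
# "Allow delegating fresh credentials with NTLM-only server authentication" policy
# written straight into the registry, plus an audit and a rollback function.
# Assumption: run elevated on the client; the layout is a DWORD flag on the
# CredentialsDelegation key plus numbered string values under a subkey.

$BasePath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$FlagName = 'AllowFreshCredentialsWhenNTLMOnly'
$ListPath = Join-Path $BasePath $FlagName

function Get-CredSspFreshNtlmDelegation {
    # Reads the effective policy from the registry, which stays correct even when
    # the Group Policy editor still displays a stale value.
    $enabled = $false
    $targets = @()
    if (Test-Path $BasePath) {
        $name = $FlagName
        $flag = (Get-ItemProperty -Path $BasePath -ErrorAction SilentlyContinue).$name
        $enabled = ($flag -eq 1)
    }
    if (Test-Path $ListPath) {
        $targets = (Get-ItemProperty -Path $ListPath).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |      # only the numbered entries
            Sort-Object { [int]$_.Name } |
            ForEach-Object { $_.Value }
    }
    [pscustomobject]@{ Enabled = $enabled; Targets = @($targets) }
}

function Set-CredSspFreshNtlmDelegation {
    # Enables the policy for an explicit list of SPNs such as 'wsman/server01.corp.example'.
    # Named hosts are preferred over 'wsman/*' so CredSSP only forwards credentials
    # to machines you chose.
    param([Parameter(Mandatory)][string[]]$DelegateTo)

    foreach ($p in @($BasePath, $ListPath)) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    }
    # The DWORD flag switches the policy on; the subkey only carries the target list.
    New-ItemProperty -Path $BasePath -Name $FlagName -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $BasePath -Name 'ConcatenateDefaults_AllowFreshNTLMOnly' -Value 1 -PropertyType DWord -Force | Out-Null

    $existing = @((Get-CredSspFreshNtlmDelegation).Targets)
    $next = $existing.Count + 1
    foreach ($spn in $DelegateTo) {
        if ($existing -contains $spn) { continue }   # idempotent: never duplicate an entry
        New-ItemProperty -Path $ListPath -Name "$next" -Value $spn -PropertyType String -Force | Out-Null
        $next++
    }
    Get-CredSspFreshNtlmDelegation
}

function Remove-CredSspFreshNtlmDelegation {
    # Rollback: remove the flag and the target list once the multi-hop work is finished.
    if (Test-Path $ListPath) { Remove-Item -Path $ListPath -Recurse -Force }
    if (Test-Path $BasePath) {
        Remove-ItemProperty -Path $BasePath -Name $FlagName -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $BasePath -Name 'ConcatenateDefaults_AllowFreshNTLMOnly' -ErrorAction SilentlyContinue
    }
}

# Usage (host name is a constructed placeholder):
# Set-CredSspFreshNtlmDelegation -DelegateTo 'wsman/vmaosupse2.corp.example'
# Get-CredSspFreshNtlmDelegation        # audit: Enabled plus the ordered target list
# Remove-CredSspFreshNtlmDelegation     # roll back when done
```

Running Get-CredSspFreshNtlmDelegation on each machine after the rollout gives you the same answer the editor would give if it had been refreshed, which is the check the post's last paragraph says you otherwise cannot get from the UI.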