Powershell – How to locate Registry key for Group policy settings

automation group-policy powershell windows-server-2016

How can I locate the registry entry for the below values

  • Perform volume maintenance tasks
  • Lock pages in memory

under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\User Rights Management.

I tried the below 3 ways.

  1. Find the Registry key for corresponding Group Policy : (1) Final link broken (2) Couldn't locate above in reference guide or MSDN doc.
  2. Which Registry Settings a Group Policy Object Modifies : No policy-related registry key located in Procmon
  3. How Settings are Stored : Nothing insightful in the .ini file.

End goal is to automate configuration through PowerShell [Set-ItemProperty]

Best Answer

As you can see in the Group Policy Settings Reference Guide (see your 1st link; in particular, the Windows10andWindowsServer2016PolicySettings.xlsx document), most security settings (e.g. User Rights, Password Policy, Audit Policy etc.) are not registry keys. Those are stored in the Secedit.sdb database.

For your task, you can use Microsoft's secedit command line tool (at least, export and import):

secedit

Configures and analyzes system security by comparing your current configuration to specified security templates.

Syntax

secedit 
[/analyze /db <database file name> /cfg <configuration file name> [/overwrite] /log <log file name> [/quiet]]
[/configure /db <database file name> [/cfg <configuration filename>] [/overwrite] [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>] [/quiet]]
[/export /db <database file name> [/mergedpolicy] /cfg <configuration file name> [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>]]
[/generaterollback /db <database file name> /cfg <configuration file name> /rbk <rollback file name> [/log <log file name>] [/quiet]]
[/import /db <database file name> /cfg <configuration file name> [/overwrite] [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>] [/quiet]]
[/validate <configuration file name>]

Parameters

  • Secedit:analyze Allows you to analyze current systems settings against baseline settings that are stored in a database. The analysis results are stored in a separate area of the database and can be viewed in the Security Configuration and Analysis snap-in.
  • Secedit:configure Allows you to configure a system with security settings stored in a database.
  • Secedit:export Allows you to export security settings stored in a database.
  • Secedit:generaterollback Allows you to generate a rollback template with respect to a configuration template.
  • Secedit:import Allows you to import a security template into a database so that the settings specified in the template can be applied to a system or analyzed against a system.
  • Secedit:validate Allows you to validate the syntax of a security template.

Answer: Look for the below keys/entries under the [Privilege Rights] section in the exported configuration file (you can add/change them easily using PowerShell):

  • SeLockMemoryPrivilege: Lock pages in memory
  • SeManageVolumePrivilege: Perform volume maintenance tasks

Read (and follow) Windows Security Baselines as well:

A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
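
The export, edit and apply sequence described in the answer above, as an added example that is not part of the original answer: it exports the user rights area, adds one account's SID to the two [Privilege Rights] entries (creating an entry when the right currently has no holders and is therefore missing from the export), and applies the template. The account name, the working paths and the helper name Add-PrivilegeHolder are assumptions made for illustration.

```powershell
# Added example (not from the original answer). Run from an elevated prompt.
# $Account is a placeholder; replace it with the account that needs the rights.
$Account    = 'CONTOSO\svc-example'
$Privileges = 'SeLockMemoryPrivilege', 'SeManageVolumePrivilege'
$WorkDir    = Join-Path $env:TEMP 'user-rights'
$Cfg        = Join-Path $WorkDir 'user_rights.inf'
$Db         = Join-Path $WorkDir 'user_rights.sdb'
$Log        = Join-Path $WorkDir 'user_rights.log'

function Add-PrivilegeHolder {
    # Hypothetical helper: returns the template lines with *$Sid on the $Privilege entry.
    param([string[]]$Lines, [string]$Privilege, [string]$Sid)
    $entry = "*$Sid"
    $out   = [System.Collections.Generic.List[string]]::new()
    $found = $false
    foreach ($line in $Lines) {
        if ($line -match "^\s*$([regex]::Escape($Privilege))\s*=\s*(.*)$") {
            $found   = $true
            $holders = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($holders -notcontains $entry) { $holders += $entry }   # keep existing holders
            $line = "$Privilege = $($holders -join ',')"
        }
        $out.Add($line)
    }
    if (-not $found) {
        # A right with no holders is absent from the export, so insert a new entry.
        $section = $out.FindIndex([Predicate[string]]{ param($l) $l.Trim() -eq '[Privilege Rights]' })
        if ($section -lt 0) { throw '[Privilege Rights] section not found' }
        $out.Insert($section + 1, "$Privilege = $entry")
    }
    return $out.ToArray()
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
secedit /export /cfg $Cfg /areas USER_RIGHTS /log $Log | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed, see $Log" }

# Resolve the account to a SID; the exported template lists holders as *SID.
$sid   = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier]).Value
$lines = Get-Content -Path $Cfg
foreach ($p in $Privileges) { $lines = @(Add-PrivilegeHolder -Lines $lines -Privilege $p -Sid $sid) }
Set-Content -Path $Cfg -Value $lines -Encoding Unicode   # secedit templates are UTF-16

secedit /configure /db $Db /cfg $Cfg /areas USER_RIGHTS /log $Log /quiet
if ($LASTEXITCODE -ne 0) { Write-Warning "secedit exited with $LASTEXITCODE, review $Log" }
```

On a domain-joined machine, a GPO that defines the same user right overrides this local change at the next policy refresh, so set the right in the GPO instead in that case.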