Thursday, August 27, 2009

manage local GPO on remote machine

Open the local GPO of a remote machine from the command line
gpedit.msc /gpcomputer: machine



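Manage the remote machine's local GPO through an MMC snap-in

When the current user lacks sufficient privileges, use runas with an account whose name and password match a member of the remote machine's Administrators group, start a cmd session with it, and run the tool from there.
e.g.: the remote computer to be managed is kido_client, and the managing machine is kido_controller
On kido_client the account kido is a member of the Administrators group; on kido_controller the current user is kido_member
On kido_controller, create an account named kido with the same password as kido on kido_client
Then run: runas /user:kido cmd
Carry out the remote management from the newly started cmd session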

Wednesday, August 5, 2009

default share permission change

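For information security reasons, we do not want Everyone to appear in the default share permissions, so the system needs a small adjustment.
Registry key location: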
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity]
"SrvsvcDefaultShareInfo"

Because this registry value is not easy to read, it has to be adjusted with tweak-ui.


Subsequent deployment
In an AD environment, the setting can be installed through a GPO:
Computer Configuration --> Windows Settings --> Scripts (Startup/Shutdown)

regedit /s xxx.reg
In a workgroup environment, the setting can be applied with psexec, wmi, reg add, or powershell.


For Windows Vista and later versions
Once you apply a default share permission to your system, other machines are unable to access either a root share or an administrative share until you apply the setting below to your machine.

reg add HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters /v Level2Compatibility /f /t REG_DWORD /d 1
Restart the Server service to apply the setting immediately:
net stop server /y
net start server /y

http://support.microsoft.com/kb/971277/en-us?sd=rss&spid=14019

The article below explains how to customize your default share permissions.
All of your share permission settings can be found under the path below:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Shares\Security\
Customize the permissions for a specific folder, then import that setting into HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity\SrvsvcDefaultShareInfo

http://www.sepago.de/d/helge/2010/07/23/how-to-modify-default-share-permissions-and-other-tweaks
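
The import step described above, as an added PowerShell example (not code from the original post or the linked article): it decodes the customized share's permissions, refuses to continue if Everyone is still allowed, and then copies the value to SrvsvcDefaultShareInfo. The share name Template is hypothetical, and the code assumes the stored data is a self-relative security descriptor; run it from an elevated session.

```powershell
# Added example. 'Template' is a hypothetical share whose permissions were
# customized beforehand; run from an elevated PowerShell session.
$template   = 'Template'
$lanman     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer'
$sharesKey  = "$lanman\Shares\Security"
$defaultKey = "$lanman\DefaultSecurity"

function Get-ShareAce {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # Assumption: the REG_BINARY data is a self-relative security descriptor.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    if ($null -eq $sd.DiscretionaryAcl) {
        throw 'Descriptor has no DACL, which grants access to everyone.'
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $sid.Value }   # unresolvable SID: show it raw
        [pscustomobject]@{
            Type    = $ace.AceType
            Account = $account
            Sid     = $sid.Value
            Mask    = '0x{0:X8}' -f $ace.AccessMask
        }
    }
}

# Read the customized share's descriptor and list its entries.
$bytes = [byte[]](Get-ItemProperty -Path $sharesKey -Name $template -ErrorAction Stop).$template
$aces  = @(Get-ShareAce -Bytes $bytes)
$aces | Format-Table -AutoSize

# S-1-1-0 is the well-known SID of Everyone; stop if the template still allows it.
if ($aces | Where-Object { $_.Sid -eq 'S-1-1-0' -and $_.Type -like 'AccessAllowed*' }) {
    throw "Share '$template' still grants access to Everyone; not importing."
}

# Keep a copy of the current key so the change can be rolled back with 'reg import'.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity' "$env:TEMP\DefaultSecurity-backup.reg" /y | Out-Null

Set-ItemProperty -Path $defaultKey -Name SrvsvcDefaultShareInfo -Value $bytes -Type Binary

# Read the value back and decode it to confirm what new shares will receive.
$written = [byte[]](Get-ItemProperty -Path $defaultKey -Name SrvsvcDefaultShareInfo).SrvsvcDefaultShareInfo
Get-ShareAce -Bytes $written | Format-Table -AutoSize
```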