How PowerShell modifies Group Policy

On an article, Tian always hands to guide how to achieve multi-hop, manual implementation, no problem. But many machines, this one we use the command to implement Group Policy modification.

First, PowerShell is not all-in-one, PowerShell is a Group Policy (GPO) that can get to the domain, and permissions are sufficient to modify, but the local policy computer policy is not available. Google many answer suggest to modify Pol file. But he opened it hard to read. There are a lot of people who recommend this third-party plugin to edit, but this plug-in first on Windows Server 2016 is not supported, the author has long been not maintained.

unexpectedly , the value of the Group Policy is saved in the registration table, the following figure about the settings, you can in the hklm:\software\policies\microsoft\windows\credentialsdelegation\ Allowfreshcredentialswhenntlmonly found here.

That being the case, it would be nice to modify the registry directly as needed. Therefore, the method of the previous article can be fully automatic implementation.

$getTrustedHosts = Get-item wsman:\localhost\client\trustedhosts if ($getTrustedHosts-ne $null-and $ ($ Gettrustedhosts.value)-eq "*") {Write-host "has already set the local trustedhost."} else {Set-item Wsman:\loc Alhost\client\trustedhosts-value *-force | Out-null Write-host "Successfully set the local Trustedhost"} if (Test-path "hklm:\software\policies\microsoft\windows \credentialsdelegation\allowfreshcredentialswhenntlmonly ") {write-host" allowfreshcredentialswhenntlmonly exists In the registry "$obj = Get-itemproperty" hklm:\software\policies\microsoft\windows\credentialsdelegation\
        Allowfreshcredentialswhenntlmonly "if ($obj. 1) {Write-host" The computer policy is working well "}else{ New-itemproperty-path "hklm:\software\policies\microsoft\windows\credentialsdelegation\ Allowfreshcredentialswhenntlmonly "-name" 1 "-value" wsman/* "| Out-null write-host "Successfully set allowfreshcredentialswhenntlmonly in the Registry,and tHe path hklm:\software\policies\microsoft\windows\credentialsdelegationallowfreshcredentialswhenntlmonly "}}else{ New-item-path "Hklm:\software\policies\microsoft\windows\credentialsdelegation"-name " Allowfreshcredentialswhenntlmonly "-value" 1 "| Out-null New-itemproperty-path "hklm:\software\policies\microsoft\windows\credentialsdelegation\ Allowfreshcredentialswhenntlmonly "-name" 1 "-value" wsman/* "| Out-null write-host "Successfully set allowfreshcredentialswhenntlmonly in the Registry,and the path HKLM:\SOFTWARE\Po 
Licies\microsoft\windows\credentialsdelegationallowfreshcredentialswhenntlmonly "} $targetmachine =" Vmaosupse2 " Enable-wsmancredssp-role "Client"-delegatecomputer *-force | Out-null $secPassword = convertto-securestring "Guguji5"-asplaintext-force $cred = New-object system. Management.Automation.PSCredential ("Advent\axyssu", $secPassword) invoke-command-computername $targetmachine- Credential $cred-scriptblock {enable-wsmancredssp-role"Server"-force | Out-null} invoke-command-computername $targetmachine-credential $cred-authentication credssp-scriptblock{$path = "\\cosmoxydev8\c$\Moxy" Get-childitem-path $path}

What you must know: Although Group Policy is present in the registry, Group Policy modifications are saved synchronously to the registry, but most of the registry modifications are not synchronized to Group Policy. Although it will take effect, the old values are still seen in the Group Policy panel.