1. 首页
  2. 问答
  3. 如何以编程方式在c#中更改Windows 8.1组策略?

如何以编程方式在c#中更改Windows 8.1组策略?

2015-02-23 25 views
0

我正在开发Windows 8.1自助服务终端类型的应用程序,我需要将组策略自定义用户界面设置设置为应用程序的.exe。当然,这可以通过手工完成,但我希望能够通过c#或者安装程序(我现在正在使用Visual Studio安装程序)对其进行更改。如何以编程方式在c#中更改Windows 8.1组策略?

感谢您的帮助!

来源

2015-02-23 Giallo

+0

谷歌“gpedit自动化”,采取第一击。 – 2015-02-23 16:27:49

+0

使用PowerShell自动执行组策略?我会看一看。谢谢汉斯! – Giallo 2015-02-23 18:07:30

回答

1

要走的路是:

  1. 创建自定义操作并将其添加到您的安装程序的安装部分
  2. 使用非托管LsaAddAccountRights方法将任何策略设置为任何用户帐户或组(,例如管理员,用户,所有人)。所有您需要知道的是您要分配的合适的策略处理用户权限。现在

,下至:-)

实施请检查下面的代码。这是我结束了与分析,并从不同的资源借用不同的代码段实施:我已经把这个代码在一个名为LSAManager为了方便单独的一类

public class LSAManager 
{ 
    [DllImport("advapi32.dll", PreserveSig = true)] 
    private static extern uint LsaOpenPolicy(ref LSA_UNICODE_STRING SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, Int32 DesiredAccess, out IntPtr PolicyHandle); 
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true), SuppressUnmanagedCodeSecurityAttribute] 
    private static extern uint LsaAddAccountRights(IntPtr PolicyHandle, IntPtr pSID, LSA_UNICODE_STRING[] UserRights, int CountOfRights); 
    [DllImport("advapi32.dll")] 
    public static extern void FreeSid(IntPtr pSid); 
    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true, PreserveSig = true)] 
    private static extern bool LookupAccountName(string lpSystemName, string lpAccountName, IntPtr psid, ref int cbsid, StringBuilder domainName, ref int cbdomainLength, ref int use); 
    [DllImport("advapi32.dll")] 
    private static extern bool IsValidSid(IntPtr pSid); 
    [DllImport("advapi32.dll")] 
    private static extern int LsaClose(IntPtr ObjectHandle); 
    [DllImport("advapi32.dll")] 
    private static extern int LsaNtStatusToWinError(int status); 

    [DllImport("kernel32.dll")] 
    private static extern int GetLastError(); 

    [StructLayout(LayoutKind.Sequential)] 
    private struct LSA_UNICODE_STRING 
    { 
     public UInt16 Length; 
     public UInt16 MaximumLength; 
     public IntPtr Buffer; 
    } 
    [StructLayout(LayoutKind.Sequential)] 
    private struct LSA_OBJECT_ATTRIBUTES 
    { 
     public int Length; 
     public IntPtr RootDirectory; 
     public LSA_UNICODE_STRING ObjectName; 
     public UInt32 Attributes; 
     public IntPtr SecurityDescriptor; 
     public IntPtr SecurityQualityOfService; 
    } 

    private enum LSA_AccessPolicy : long 
    { 
     POLICY_VIEW_LOCAL_INFORMATION = 0x00000001L, 
     POLICY_VIEW_AUDIT_INFORMATION = 0x00000002L, 
     POLICY_GET_PRIVATE_INFORMATION = 0x00000004L, 
     POLICY_TRUST_ADMIN = 0x00000008L, 
     POLICY_CREATE_ACCOUNT = 0x00000010L, 
     POLICY_CREATE_SECRET = 0x00000020L, 
     POLICY_CREATE_PRIVILEGE = 0x00000040L, 
     POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080L, 
     POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100L, 
     POLICY_AUDIT_LOG_ADMIN = 0x00000200L, 
     POLICY_SERVER_ADMIN = 0x00000400L, 
     POLICY_LOOKUP_NAMES = 0x00000800L, 
     POLICY_NOTIFICATION = 0x00001000L 
    } 

    /// <summary>Adds a privilege to an account</summary> 
    /// <param name="accountName">Name of an account - "domain\account" or only "account"</param> 
    /// <param name="privilegeName">Name of the privilege</param> 
    /// <returns>The windows error code returned by LsaAddAccountRights (0 = success)</returns> 
    public static long SetRight(String accountName, String privilegeName) 
    { 
     long winErrorCode = 0; //contains the last error 

     //pointer an size for the SID 
     IntPtr sid = IntPtr.Zero; 
     int sidSize = 0; 
     //StringBuilder and size for the domain name 
     StringBuilder domainName = new StringBuilder(); 
     int nameSize = 0; 
     //account-type variable for lookup 
     int accountType = 0; 

     //get required buffer size 
     LookupAccountName(String.Empty, accountName, sid, ref sidSize, domainName, ref nameSize, ref accountType); 

     //allocate buffers 
     domainName = new StringBuilder(nameSize); 
     sid = Marshal.AllocHGlobal(sidSize); 

     //lookup the SID for the account 
     bool result = LookupAccountName(String.Empty, accountName, sid, ref sidSize, domainName, ref nameSize, ref accountType); 

     // check SID if required: IsValidSid(sid)); 

     if (!result) 
     { 
      winErrorCode = GetLastError(); 
     } 
     else 
     { 
      //initialize an empty unicode-string 
      LSA_UNICODE_STRING systemName = new LSA_UNICODE_STRING(); 
      //combine all policies 
      int access = (int)(
       LSA_AccessPolicy.POLICY_AUDIT_LOG_ADMIN | 
       LSA_AccessPolicy.POLICY_CREATE_ACCOUNT | 
       LSA_AccessPolicy.POLICY_CREATE_PRIVILEGE | 
       LSA_AccessPolicy.POLICY_CREATE_SECRET | 
       LSA_AccessPolicy.POLICY_GET_PRIVATE_INFORMATION | 
       LSA_AccessPolicy.POLICY_LOOKUP_NAMES | 
       LSA_AccessPolicy.POLICY_NOTIFICATION | 
       LSA_AccessPolicy.POLICY_SERVER_ADMIN | 
       LSA_AccessPolicy.POLICY_SET_AUDIT_REQUIREMENTS | 
       LSA_AccessPolicy.POLICY_SET_DEFAULT_QUOTA_LIMITS | 
       LSA_AccessPolicy.POLICY_TRUST_ADMIN | 
       LSA_AccessPolicy.POLICY_VIEW_AUDIT_INFORMATION | 
       LSA_AccessPolicy.POLICY_VIEW_LOCAL_INFORMATION 
       ); 
      //initialize a pointer for the policy handle 
      IntPtr policyHandle = IntPtr.Zero; 

      //these attributes are not used, but LsaOpenPolicy wants them to exists 
      LSA_OBJECT_ATTRIBUTES ObjectAttributes = new LSA_OBJECT_ATTRIBUTES(); 
      ObjectAttributes.Length = 0; 
      ObjectAttributes.RootDirectory = IntPtr.Zero; 
      ObjectAttributes.Attributes = 0; 
      ObjectAttributes.SecurityDescriptor = IntPtr.Zero; 
      ObjectAttributes.SecurityQualityOfService = IntPtr.Zero; 

      //get a policy handle 
      uint resultPolicy = LsaOpenPolicy(ref systemName, ref ObjectAttributes, access, out policyHandle); 
      winErrorCode = LsaNtStatusToWinError((int)resultPolicy); 

      if (winErrorCode == 0) 
      { 
       //Now that we have the SID and the policy, 
       //we can add rights to the account. 

       //initialize an unicode-string for the privilege name 
       LSA_UNICODE_STRING[] userRights = new LSA_UNICODE_STRING[1]; 
       userRights[0] = new LSA_UNICODE_STRING(); 
       userRights[0].Buffer = Marshal.StringToHGlobalUni(privilegeName); 
       userRights[0].Length = (UInt16)(privilegeName.Length * UnicodeEncoding.CharSize); 
       userRights[0].MaximumLength = (UInt16)((privilegeName.Length + 1) * UnicodeEncoding.CharSize); 

       //add the right to the account 
       uint res = LsaAddAccountRights(policyHandle, sid, userRights, 1); 

       winErrorCode = LsaNtStatusToWinError((int)res); 

       LsaClose(policyHandle); 
      } 
      FreeSid(sid); 
     } 

     return winErrorCode; 
    } 
}

。为了使用此代码,只需致电:

string userName = "alex"; 
// Set "Logon As a Service" privilege (for example): 
if (LSAManager.SetRight(userName, "SeServiceLogonRight") != 0) 
{ 
    // handle error here 
}

来源

2015-05-25 20:05:20

+0

哇,太好了!感谢你的回答。 – Giallo 2015-05-28 13:41:14

+0

不客气。顺便说一句,要获得**授权常量**的完整列表(如_SeServiceLogonRight_),请查看以下[MSDN文章](https://msdn.microsoft.com/en-us/library/windows/desktop/aa375728 %28V = vs.85%29.aspx)。 – 2015-05-29 13:59:16

相关问题

 相关问题