上一篇,田总手把手给指导了如何实现多跳,手动实现的,没有问题。但是机器众多,这一篇我们用命令来实现组策略的修改。
首先,Powershell不是万能的,Powershell是可以获取到域的组策略(GPO),并且权限足够还可以修改,但是,本地策略(Local Computer Policy)策略则无法获取到。Google上好多answer建议去修改pol文件。但是他打开很难读。也有好多好多人建议用这个第三方插件来编辑,但是这个插件首先在window server 2016上就不支持,作者也早就不维护了。
竟然,组策略的值是会保存在注册表里的,下图有关的设置,就可以在HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly这里找到
既然如此,根据需要直接修改注册表就好。所以上篇文章的方法可以全自动实现。
$getTrustedHosts = Get-Item WSMan:\localhost\Client\TrustedHosts
if ($getTrustedHosts -ne $null -and $($getTrustedHosts.value) -eq "*") {Write-Host "Has already set the local trustedHost."
}
else {Set-Item WSMan:\localhost\Client\TrustedHosts -value * -Force | out-nullwrite-host "Successfully set the local trustedHost"
}
if(test-path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly"){write-host "AllowFreshCredentialsWhenNTLMOnly exists in the registry"$obj = get-itemproperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly"if($obj.1){write-host "The computer policy is working well"}else{new-ItemProperty -path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly" -name "1" -value "wsman/*" | out-nullwrite-host "Successfully set AllowFreshCredentialsWhenNTLMOnly in the registry,and the path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegationAllowFreshCredentialsWhenNTLMOnly"}
}else{new-Item -path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" -name "AllowFreshCredentialsWhenNTLMOnly" -value "1" | out-nullnew-ItemProperty -path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly" -name "1" -value "wsman/*" | out-nullwrite-host "Successfully set AllowFreshCredentialsWhenNTLMOnly in the registry,and the path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegationAllowFreshCredentialsWhenNTLMOnly"
}
$targetmachine ="vmaosupse2"
Enable-WSManCredSSP -Role "Client" -DelegateComputer * -force | out-null
$secPassword = ConvertTo-SecureString "guguji5" -AsPlainText -Force
$cred = New-Object system.Management.Automation.PSCredential("advent\axyssu", $secPassword)invoke-Command -ComputerName $targetmachine -Credential $cred -ScriptBlock {Enable-WSManCredSSP -Role "Server" -force | out-null
}invoke-Command -ComputerName $targetmachine -Credential $cred -Authentication Credssp -ScriptBlock{$path = "\\cosmoxydev8\c$\Moxy"get-childitem -path $path
}必须要知道的事:虽然组策略是存在注册表,组策略的修改,会同步的保存到注册表,但是,大部分注册表的修改不会同步到组策略。尽管它会生效,但是在组策略面板里看到的还是旧的值。
