Tinus EngOps Wiki

OpsaC - Operating as PowerShell code

Read RSOP Account Policy

published: April 28, 2019 author: Tinu tags: PowerShell categories: PowerShell-WMI


Read the RSoP account policy with PowerShell. The Resultant Set of Policy (RSoP) is represented by WMI classes, and the RSoP data is stored in the WMI repository in the Root/RSoP namespace.

RSOP_SecuritySettingBoolean

The RSOP_SecuritySettingBoolean WMI class represents the boolean security setting for an account policy.

KeyName

This property can have one of the following values:

  • ClearTextPassword
  • PasswordComplexity
  • RequireLogonToChangePassword
  • ForceLogoffWhenHourExpire
  • LSAAnonymousNameLookup
  • EnableAdminAccount
  • EnableGuestAccount
  • TicketValidateClient

Data type:

  • Boolean

Example

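function Test-RSOPSetting {
    [CmdletBinding()]
    param(
        # Hashtable with the keys RSOPNamespace, RSOPClass and RSOPKeyName
        # (named $Settings because $args is a PowerShell automatic variable)
        [Parameter(Mandatory=$false)]
        [Object]$Settings
    )
    $function = $($MyInvocation.MyCommand.Name)
    Write-Verbose $function

    $ret = $false
    try{
        # Get-WmiObject exists in Windows PowerShell only.
        # -ErrorAction Stop turns WMI failures into terminating errors so the catch block runs;
        # -eq compares the key name exactly instead of as a regular expression.
        $retobj = Get-WmiObject -Namespace $Settings.RSOPNamespace -Class $Settings.RSOPClass -ErrorAction Stop | Where-Object KeyName -eq $Settings.RSOPKeyName
        if($retobj){
            $ret = $retobj.Setting
        }
        else{
            $ret = $false #NotFound (same value as a setting that is disabled)
        }
    }
    catch{
        $error.clear()
        $ret = -500 #InternalError
    }
    return $ret
}

$params = @{
    RSOPNamespace = 'root\rsop\computer'
    RSOPClass     = 'RSOP_SecuritySettingBoolean'
    RSOPKeyName   = 'PasswordComplexity'
}

return (Test-RSOPSetting -Settings $params)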

RSOP_SecuritySettingString

The RSOP_SecuritySettingString WMI class represents the string security setting for an account policy.

KeyName

This property can have one of the following values:

  • NewAdministratorName
  • NewGuestName

Data type:

  • String

Example

function Test-RSOPSetting {
    [CmdletBinding()]
    param(
        # Hashtable with the keys RSOPNamespace, RSOPClass and RSOPKeyName
        [Parameter(Mandatory=$false)]
        [Object]$Settings
    )
    $function = $($MyInvocation.MyCommand.Name)
    Write-Verbose $function

    $ret = $null
    try{
        # -ErrorAction Stop makes the catch block reachable; -eq matches the key name exactly
        $retobj = Get-WmiObject -Namespace $Settings.RSOPNamespace -Class $Settings.RSOPClass -ErrorAction Stop | Where-Object KeyName -eq $Settings.RSOPKeyName
        if($retobj){
            $ret = $retobj.Setting
        }
        else{
            $ret = '404 - NotFound'
        }
    }
    catch{
        $error.clear()
        $ret = '500 - Internal Error'
    }
    return $ret
}

$params = @{
    RSOPNamespace = 'root\rsop\computer'
    RSOPClass     = 'RSOP_SecuritySettingString'
    RSOPKeyName   = 'NewGuestName'
}

return (Test-RSOPSetting -Settings $params)

RSOP_SecuritySettingNumeric

The RSOP_SecuritySettingNumeric WMI class represents the numeric security setting for an account policy.

KeyName

This property can have one of the following values related to password policy or to account policy:

  • MinimumPasswordAge
  • MaximumPasswordAge
  • MinimumPasswordLength
  • PasswordHistorySize
  • LockoutBadCount
  • ResetLockoutCount
  • LockoutDuration

Kerberos-related values:

  • MaxTicketAge
  • MaxRenewAge
  • MaxServiceAge
  • MaxClockSkew

Data type:

  • Integer

Example

function Test-RSOPSetting {
    [CmdletBinding()]
    param(
        # Hashtable with the keys RSOPNamespace, RSOPClass and RSOPKeyName
        [Parameter(Mandatory=$false)]
        [Object]$Settings
    )
    $function = $($MyInvocation.MyCommand.Name)
    Write-Verbose $function

    $ret = -1
    try{
        # -ErrorAction Stop makes the catch block reachable; -eq matches the key name exactly
        $retobj = Get-WmiObject -Namespace $Settings.RSOPNamespace -Class $Settings.RSOPClass -ErrorAction Stop | Where-Object KeyName -eq $Settings.RSOPKeyName
        if($retobj){
            $ret = $retobj.Setting
        }
        else{
            $ret = -404 #NotFound
        }
    }
    catch{
        $error.clear()
        $ret = -500 #InternalError
    }
    return $ret
}

$params = @{
    RSOPNamespace = 'root\rsop\computer'
    RSOPClass     = 'RSOP_SecuritySettingNumeric'
    RSOPKeyName   = 'LockoutDuration'
}

return (Test-RSOPSetting -Settings $params)
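
The three examples above each read one key. The following added example (not code from the original page) checks several Boolean and Numeric keys against a baseline in one pass. The function name `Compare-RsopAccountPolicy`, the baseline thresholds and the sample objects are assumptions made for illustration; it relies on the `precedence` property that the RSoP setting classes inherit from RSOP_PolicySetting, where 1 marks the winning value.

```powershell
# Added example: check effective RSoP account-policy values against a baseline.
function Compare-RsopAccountPolicy {
    [CmdletBinding()]
    param(
        # Objects exposing KeyName, Setting and precedence (RSOP_SecuritySetting* instances)
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$InputObject,
        # KeyName -> script block returning $true when the value is acceptable
        [Parameter(Mandatory)]
        [hashtable]$Baseline
    )
    begin { $seen = @{} }
    process {
        foreach ($s in $InputObject) {
            # Several GPOs can set the same key; precedence 1 is the winning value
            if ($s.precedence -ne 1 -or -not $Baseline.ContainsKey($s.KeyName)) { continue }
            $seen[$s.KeyName] = $true
            $check = $Baseline[$s.KeyName]
            [pscustomobject]@{
                KeyName   = $s.KeyName
                Setting   = $s.Setting
                Compliant = [bool](& $check $s.Setting)
            }
        }
    }
    end {
        # A key with no RSoP instance is reported as its own row, not as $false or -404
        foreach ($k in @($Baseline.Keys | Where-Object { -not $seen.ContainsKey($_) })) {
            [pscustomobject]@{ KeyName = $k; Setting = $null; Compliant = $false }
        }
    }
}

# Sample thresholds chosen for illustration only
$baseline = @{
    MinimumPasswordLength = { param($v) $v -ge 14 }
    LockoutBadCount       = { param($v) $v -ge 1 -and $v -le 10 }  # 0 = never lock out
    PasswordComplexity    = { param($v) $v -eq $true }
    ClearTextPassword     = { param($v) $v -eq $false }
}
# Constructed stand-ins for RSoP instances, so this runs without a live namespace
$sample = @(
    [pscustomobject]@{ KeyName = 'MinimumPasswordLength'; Setting = 8;     precedence = 2 }
    [pscustomobject]@{ KeyName = 'MinimumPasswordLength'; Setting = 14;    precedence = 1 }
    [pscustomobject]@{ KeyName = 'LockoutBadCount';       Setting = 0;     precedence = 1 }
    [pscustomobject]@{ KeyName = 'PasswordComplexity';    Setting = $true; precedence = 1 }
)
$sample | Compare-RsopAccountPolicy -Baseline $baseline
```

On a live system, pipe the Get-WmiObject results for RSOP_SecuritySettingNumeric and RSOP_SecuritySettingBoolean from root\rsop\computer into the function in place of `$sample`.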

GroupPolicy

This topic contains the brief descriptions of the Windows PowerShell cmdlets that are for use in administering Group Policy in Windows Server and Windows client with Remote Server Administration Tools (RSAT) installed. (RSAT includes the GPMC and the Group Policy cmdlets.)

Add-WindowsFeature RSAT

Generate an XML RSoP report

The Get-GPResultantSetOfPolicy cmdlet needs elevated rights.

Get-GPResultantSetOfPolicy -ReportType xml -Path 'C:\Temp\RSoP.xml'

RsopMode        : Logging
Namespace       : \\MyComputer\Root\Rsop\NSEBFF8CC1_BCFE_4726_9FAF_31E83B687080
LoggingComputer : MyComputer
LoggingUser     : MyComputer\MyAccount
LoggingMode     : UserAndComputer

Parse the XML report

[xml]$data = Get-Content 'C:\Temp\RSoP.xml'
$data.DocumentElement.ComputerResults.GPO

WMI Explorer

Download WMI Explorer on PowerShell.org.

See also

WMI Reference on Microsoft Docs.

RSOP_PolicySetting class on Microsoft Docs.

RSOP_SecuritySettingNumeric Class on Microsoft Docs.

GroupPolicy on Microsoft Docs.


Copyright © 2024 by tinuwalther