- Access denied to the NETLOGON and SYSVOL folders from Windows 10
- Working with startup, shutdown, logon, and logoff scripts using the Local Group Policy Editor
- Introduction
- Additional considerations
- How to assign computer startup scripts
- To assign computer startup scripts
- Additional considerations
- How to assign computer shutdown scripts
- To assign computer shutdown scripts
- Additional considerations
- How to assign user logon scripts
- To assign user logon scripts
- Additional considerations
- How to assign user logoff scripts
- To assign user logoff scripts
- Additional considerations
Access denied to the NETLOGON and SYSVOL folders from Windows 10
I noticed some oddities when accessing the SYSVOL and NETLOGON folders in the domain from Windows 10 / Windows Server 2016. When a client accesses a domain controller by the UNC path \\ \SYSVOL or by the DC's IP address, \\192.168.1.10\Netlogon, the error "Access is denied" appears together with a prompt for a user name and password. Even when a domain user account, or even a domain administrator account, is entered, the folders still do not open.
At the same time, the very same Sysvol/Netlogon folder opens normally (with no password prompt) when the domain controller's name is used: \\dc1.domain.ru\sysvol or simply \\dc1\sysvol.
In addition, the affected Windows 10 computers may fail to apply Group Policy. The System event log then contains errors with Event ID 1058 (Group Policy could not read a policy's gpt.ini from the Sysvol share).
All of this is caused by new security settings, known as UNC hardening, that protect domain computers from running code (logon scripts, executables) and from retrieving policy configuration files from untrusted sources. Windows 10 / Windows Server 2016 require the following security levels for access to the hardened UNC paths (SYSVOL and NETLOGON):
- Mutual Authentication: the client and the server authenticate each other. Kerberos provides this (NTLM does not). This is exactly why you cannot connect to the SYSVOL and NETLOGON shares on a domain controller by IP address: by default the client cannot obtain a Kerberos ticket for a server named by a bare IP address and falls back to NTLM, which fails the requirement. Default: RequireMutualAuthentication=1.
- Integrity: SMB signing, which ensures that the data in the SMB session has not been modified in transit. Signing that satisfies this requirement is available only with SMB 2.0 and later (an SMB 1 session does not meet it). Default: RequireIntegrity=1.
- Privacy: encryption of the SMB session. Supported from SMB 3.0 (Windows 8 / Windows Server 2012 and later). Default: RequirePrivacy=0.
These changes were first released in 2015 with security bulletins MS15-011 and MS15-014 and are built into Windows 10. They changed how the Multiple UNC Provider (MUP) works: it now applies special rules when accessing the critical shares \\*\SYSVOL and \\*\NETLOGON on domain controllers.
You can change the UNC hardening settings in Windows 10 for SYSVOL and NETLOGON access through Group Policy. The Hardened UNC Paths policy lets you apply different security settings to different UNC paths.
- Open the Local Group Policy Editor, gpedit.msc;
- Go to Computer Configuration -> Administrative Templates -> Network -> Network Provider;
- Enable the Hardened UNC Paths policy;
- Click Show and create entries for the UNC paths of the Netlogon and Sysvol shares. To disable UNC hardening completely for specific paths (not recommended!), set the value RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0
Specify every domain name, domain controller name or IP address you need as a separate entry (for example \\dc1.domain.ru\SYSVOL or \\192.168.1.10\NETLOGON). Alternatively, a wildcard entry covers the share regardless of which server name or address appears in the UNC path. The values below are the secure defaults; lowering RequireMutualAuthentication to 0 is what permits access by IP address, at the price of accepting NTLM for a share that feeds scripts and policy to the client:
- \\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1
- \\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1
All that is left is to refresh the policies on the computer with gpupdate /force and check that you can now open the Sysvol and Netlogon shares.
You can deploy these settings with a centralized domain GPO, or with the following commands run locally on each client. These commands remove the mutual authentication requirement for the two shares, so the client may fall back to NTLM and the hardened shares on the DC also open by IP address. This is a deliberate security downgrade: NTLM access to SYSVOL and NETLOGON is exactly what UNC hardening was introduced to stop, so scope it as narrowly as you can and revert it once the DCs can be reached by name.
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\SYSVOL" /d "RequireMutualAuthentication=0" /t REG_SZ /f
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\NETLOGON" /d "RequireMutualAuthentication=0" /t REG_SZ /f
The local registry route is needed when:
- your domain controllers still have an old version of the administrative templates (Windows Server 2008 R2 / Windows Server 2012) that lacks the Hardened UNC Paths policy setting;
- the Sysvol share is unreachable, so clients cannot retrieve domain policies and you have no way to distribute these registry settings through Group Policy.
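An added example for this edit, not code from the original article: a PowerShell script that reads the Hardened UNC Paths entries from the same registry key the reg add commands write to, flags entries that lower RequireMutualAuthentication or RequireIntegrity, and then tests SYSVOL access by DC name and by IP address, reporting the dialect, signing and encryption state of the SMB session the redirector actually built. The name dc1.domain.ru and the address 192.168.1.10 are the placeholders used earlier on this page; Set-HardenedPath is a hypothetical helper with the same effect as the reg add commands. Run it from an elevated prompt on a domain-joined Windows 10 client.

```powershell
# Added example, not from the original article. Audits UNC hardening on a Windows 10
# client and checks SYSVOL access by DC name versus by IP. Run from an elevated prompt.
# dc1.domain.ru / 192.168.1.10 are the page's placeholder DC name and address.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$DcFqdn = 'dc1.domain.ru'
$DcIp   = '192.168.1.10'

function Get-HardenedPathPolicy {
    # Returns one object per configured entry. If the key is absent, Windows 10 applies its
    # built-in defaults: \\*\NETLOGON and \\*\SYSVOL with RequireMutualAuthentication=1, RequireIntegrity=1.
    if (-not (Test-Path -Path $HardenedPathsKey)) {
        Write-Warning 'Hardened UNC Paths policy not configured; built-in Windows 10 defaults apply.'
        return
    }
    $item = Get-ItemProperty -Path $HardenedPathsKey
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -notlike '\\*') { continue }   # skip PSPath, PSChildName and friends
        $flags = @{ RequireMutualAuthentication = $null; RequireIntegrity = $null; RequirePrivacy = $null }
        foreach ($pair in ($prop.Value -split ',')) {
            $name, $value = $pair.Trim() -split '=', 2
            if ($flags.ContainsKey($name) -and $value) { $flags[$name] = [int]$value }
        }
        [pscustomobject]@{
            Path                        = $prop.Name
            RequireMutualAuthentication = $flags.RequireMutualAuthentication
            RequireIntegrity            = $flags.RequireIntegrity
            RequirePrivacy              = $flags.RequirePrivacy
            # either flag at 0 re-admits NTLM or unsigned traffic for a share that feeds scripts and policy to the client
            Weakened                    = ($flags.RequireMutualAuthentication -eq 0 -or $flags.RequireIntegrity -eq 0)
        }
    }
}

function Test-HardenedShareAccess {
    # Tries to open the share, then reads back the SMB session the redirector built for it.
    param([Parameter(Mandatory)][string]$Server, [string]$Share = 'SYSVOL')
    $unc = "\\$Server\$Share"
    $reachable = Test-Path -LiteralPath $unc -ErrorAction SilentlyContinue
    $conn = Get-SmbConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.ServerName -eq $Server -and $_.ShareName -eq $Share } |
        Select-Object -First 1
    [pscustomobject]@{
        Path      = $unc
        Reachable = [bool]$reachable
        Dialect   = $conn.Dialect      # 3.x expected against a Windows Server 2012 or later DC
        Signed    = $conn.Signed       # $true when the RequireIntegrity requirement is met
        Encrypted = $conn.Encrypted    # $true only with RequirePrivacy=1 or server-side SMB encryption
    }
}

function Set-HardenedPath {
    # Hypothetical helper with the same effect as the reg add commands above, but it keeps
    # signing required by default. Prefer an entry for one DC name or IP over relaxing \\*\SYSVOL.
    param([Parameter(Mandatory)][string]$Path, [int]$MutualAuth = 1, [int]$Integrity = 1, [int]$Privacy = 0)
    if (-not (Test-Path -Path $HardenedPathsKey)) { New-Item -Path $HardenedPathsKey -Force | Out-Null }
    $value = "RequireMutualAuthentication=$MutualAuth,RequireIntegrity=$Integrity,RequirePrivacy=$Privacy"
    New-ItemProperty -Path $HardenedPathsKey -Name $Path -Value $value -PropertyType String -Force | Out-Null
}

Get-HardenedPathPolicy | Format-Table -AutoSize
# By name, Kerberos gives mutual authentication and the share opens; by IP the client falls
# back to NTLM, so the same request is refused unless RequireMutualAuthentication=0 for that path.
Test-HardenedShareAccess -Server $DcFqdn
Test-HardenedShareAccess -Server $DcIp
# To permit IP access to this one DC only while still requiring SMB signing:
# Set-HardenedPath -Path "\\$DcIp\SYSVOL" -MutualAuth 0
```

The audit is worth re-running after gpupdate /force: a Weakened entry that you did not create is a sign that someone has already relaxed the policy on that client, and a session that reports Signed = False against a DC means the integrity requirement is not in force for that path.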
Working with startup, shutdown, logon, and logoff scripts using the Local Group Policy Editor
This topic describes how to use the Local Group Policy Editor (gpedit) to manage four types of event-driven scripting files.
Introduction
Group Policy allows you to associate one or more scripting files with four triggered events: computer startup, computer shutdown, user logon, and user logoff.
You can use Windows PowerShell scripts, or author scripts in any other language supported by the client computer. Languages supported by Windows Script Host (WSH), including VBScript and JScript, can also be used. For more information about the editor, see Local Group Policy Editor.
Additional considerations
For more information about scripting, see the Group Policy Script Center (https://go.microsoft.com/fwlink/?LinkID=66013).
Local Group Policy Editor and the Resultant Set of Policy snap-in are available in Windows Server 2008 R2 and Windows 7 Professional, Windows 7 Ultimate, and Windows 7 Enterprise. For more information, see https://go.microsoft.com/fwlink/?LinkId=139815.
How to assign computer startup scripts
To assign computer startup scripts
Open the Local Group Policy Editor.
In the console tree, click Scripts (Startup/Shutdown). The path is Computer Configuration\Windows Settings\Scripts (Startup/Shutdown).
In the results pane, double-click Startup.
In the Startup Properties dialog box, click Add.
In the Add a Script dialog box, do the following:
In the Script Name box, type the path to the script, or click Browse to select the script file. For the Local GPO, Browse opens the local scripts folder (%SystemRoot%\System32\GroupPolicy\Machine\Scripts\Startup); for a domain GPO it opens that GPO's scripts folder in the Sysvol share on the domain controller.
In the Script Parameters box, type any parameters that you want, the same way as you would type them on the command line. For example, if your script includes parameters called //logo (display banner) and //I (interactive mode), type //logo //I.
In the Startup Properties dialog box, specify the options that you want:
Startup Scripts for : Lists all the scripts that currently are assigned to the selected Group Policy object (GPO). If you assign multiple scripts, the scripts are processed in the order that you specify. To move a script up in the list, click it and then click Up. To move a script down in the list, click it and then click Down.
Add: Opens the Add a Script dialog box, where you can specify any additional scripts to use.
Edit: Opens the Edit Script dialog box, where you can modify script information, such as name and parameters.
Remove: Removes the selected script from the Startup Scripts list.
Show Files: Displays the script files that are stored in the selected GPO.
Additional considerations
To complete this procedure, you must have Edit setting permission on the GPO. By default, members of the Domain Admins, Enterprise Admins, and Group Policy Creator Owners security groups have Edit setting permission on a GPO.
Startup scripts run under the Local System account with all the rights that account has. Anyone who can modify a startup script file, or the folder it is loaded from, therefore gains Local System on the computer, so the script path must be writable only by administrators.
Beginning in Windows Vista, startup scripts run asynchronously by default. This differs from earlier operating systems.
Setting startup scripts to run synchronously may cause the boot process to run slowly.
In Windows 7 and Windows Vista, startup scripts that run asynchronously are not visible. Enabling the Run Startup Scripts Visible policy setting has no effect when startup scripts run asynchronously.
How to assign computer shutdown scripts
To assign computer shutdown scripts
Open the Local Group Policy Editor.
In the console tree, click Scripts (Startup/Shutdown). The path is Computer Configuration\Windows Settings\Scripts (Startup/Shutdown).
In the results pane, double-click Shutdown.
In the Shutdown Properties dialog box, click Add.
In the Add a Script dialog box, do the following:
In Script Name, type the path to the script, or click Browse to select the script file. For the Local GPO, Browse opens the local scripts folder (%SystemRoot%\System32\GroupPolicy\Machine\Scripts\Shutdown); for a domain GPO it opens that GPO's scripts folder in the Sysvol share on the domain controller.
In Script Parameters, type any parameters that you want, the same way as you would type them on the command line. For example, if your script includes parameters called //logo (display banner) and //I (interactive mode), type //logo //I.
In the Shutdown Properties dialog box, specify the options that you want:
Shutdown Scripts for : Lists all the scripts that are currently assigned to the selected Group Policy object (GPO). If you assign multiple scripts, the scripts are processed in the order that you specify. To move a script up in the list, click it and then click Up. To move a script down in the list, click it and then click Down.
Add: Opens the Add a Script dialog box, where you can specify any additional scripts to use.
Edit: Opens the Edit Script dialog box, where you can modify script information, such as name and parameters.
Remove: Removes the selected script from the Shutdown Scripts list.
Show Files: Displays the script files that are stored in the selected GPO.
Additional considerations
To complete this procedure, you must have Edit setting permission on the GPO. By default, members of the Domain Admins, Enterprise Admins, and Group Policy Creator Owners security groups have Edit setting permission on a GPO.
Shutdown scripts run as Local System with all the rights that account has; as with startup scripts, a shutdown script file that non-administrators can modify hands them Local System.
Setting shutdown scripts to run synchronously may cause the shutdown process to run slowly.
How to assign user logon scripts
To assign user logon scripts
Open the Local Group Policy Editor.
In the console tree, click Scripts (Logon/Logoff). The path is User Configuration\Windows Settings\Scripts (Logon/Logoff).
In the results pane, double-click Logon.
In the Logon Properties dialog box, click Add.
In the Add a Script dialog box, do the following:
In Script Name, type the path to the script, or click Browse to select the script file. For the Local GPO, Browse opens the local scripts folder (%SystemRoot%\System32\GroupPolicy\User\Scripts\Logon); for a domain GPO it opens that GPO's scripts folder in the Sysvol share on the domain controller.
In Script Parameters, type any parameters that you want, the same way as you would type them on the command line. For example, if your script includes parameters called //logo (display banner) and //I (interactive mode), type //logo //I.
In the Logon Properties dialog box, specify the options that you want:
Logon Scripts for : Lists all the scripts that currently are assigned to the selected Group Policy object (GPO). If you assign multiple scripts, the scripts are processed in the order that you specify. To move a script up in the list, click it and then click Up. To move a script down in the list, click it and then click Down.
Add: Opens the Add a Script dialog box, where you can specify any additional scripts to use.
Edit: Opens the Edit Script dialog box, where you can modify script information, such as name and parameters.
Remove: Removes the selected script from the Logon Scripts list.
Show Files: Displays the script files that are stored in the selected GPO.
Additional considerations
To complete this procedure, you must have Edit setting permission on the GPO. By default, members of the Domain Admins, Enterprise Admins, and Group Policy Creator Owners security groups have Edit setting permission on a GPO.
Setting logon scripts to run synchronously may cause the logon process to run slowly.
Logon scripts run in the security context of the user who is logging on, not as Administrator, and their rights are limited to that user's.
How to assign user logoff scripts
To assign user logoff scripts
Open the Local Group Policy Editor.
In the console tree, click Scripts (Logon/Logoff). The path is User Configuration\Windows Settings\Scripts (Logon/Logoff).
In the results pane, double-click Logoff.
In the Logoff Properties dialog box, click Add.
In the Add a Script dialog box, do the following:
In Script Name, type the path to the script, or click Browse to select the script file. For the Local GPO, Browse opens the local scripts folder (%SystemRoot%\System32\GroupPolicy\User\Scripts\Logoff); for a domain GPO it opens that GPO's scripts folder in the Sysvol share on the domain controller.
In Script Parameters, type any parameters that you want, the same way as you would type them on the command line. For example, if your script includes parameters called //logo (display banner) and //I (interactive mode), type //logo //I.
In the Logoff Properties dialog box, specify the options that you want:
Logoff Scripts for : Lists all the scripts that currently are assigned to the selected Group Policy object (GPO). If you assign multiple scripts, the scripts are processed in the order that you specify. To move a script up in the list, click it and then click Up. To move a script down in the list, click it and then click Down.
Add: Opens the Add a Script dialog box, where you can specify any additional scripts to use.
Edit: Opens the Edit Script dialog box, where you can modify script information, such as name and parameters.
Remove: Removes the selected script from the Logoff Scripts list.
Show Files: Displays the script files that are stored in the selected GPO.
Additional considerations
To complete this procedure, you must have Edit setting permission on the GPO. By default, members of the Domain Admins, Enterprise Admins, and Group Policy Creator Owners security groups have Edit setting permission on a GPO.
Logoff scripts run in the security context of the user who is logging off, not as Administrator, and their rights are limited to that user's.
Setting logoff scripts to run synchronously may cause the logoff process to run slowly.
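An added example for this edit, not code from the Microsoft page: a PowerShell script that enumerates what the four procedures above configure, reading the startup, shutdown, logon and logoff entries from the Local GPO's scripts.ini and psscripts.ini files, resolving each script path, and flagging script files that Everyone, Users, Authenticated Users or INTERACTIVE can modify. Because startup and shutdown scripts run as Local System, a writable script file (or a dangling path that a non-administrator could create) is a local privilege escalation. It assumes the default store under %SystemRoot%\System32\GroupPolicy and the NCmdLine=/NParameters= layout of those files; it covers the Local GPO only, not domain GPOs in Sysvol.

```powershell
# Added example, not from the Microsoft page. Lists the scripts configured in the Local GPO
# for all four triggers and flags script files that non-administrators could modify.
# Startup and shutdown scripts run as Local System, so a writable script file (or a dangling
# path an attacker can create) is a local privilege escalation. Run from an elevated prompt.
# Assumes the default store %SystemRoot%\System32\GroupPolicy: scripts.ini holds WSH/batch
# entries, psscripts.ini holds PowerShell entries; both are hidden UTF-16 files.
$GpoRoot = Join-Path $env:SystemRoot 'System32\GroupPolicy'

function Read-GpoScriptIni {
    # Parses [Startup]/[Shutdown]/[Logon]/[Logoff] sections made of NCmdLine= / NParameters= pairs.
    param([Parameter(Mandatory)][string]$IniPath, [Parameter(Mandatory)][string]$ScriptsDir)
    if (-not (Test-Path -LiteralPath $IniPath)) { return }
    $section = $null
    $entries = @{}
    foreach ($raw in (Get-Content -LiteralPath $IniPath -Force)) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -and $line -match '^(\d+)(CmdLine|Parameters)=(.*)$') {
            $key = "$section/$($Matches[1])"
            if (-not $entries.ContainsKey($key)) {
                $entries[$key] = [pscustomobject]@{ Section = $section; Order = [int]$Matches[1]; CmdLine = ''; Parameters = '' }
            }
            $field = $Matches[2]
            $entries[$key].$field = $Matches[3]
        }
    }
    foreach ($e in ($entries.Values | Sort-Object Section, Order)) {
        # A relative CmdLine is resolved against the per-section folder, e.g. Machine\Scripts\Startup.
        $script = if ([IO.Path]::IsPathRooted($e.CmdLine)) { $e.CmdLine } else { Join-Path (Join-Path $ScriptsDir $e.Section) $e.CmdLine }
        [pscustomobject]@{ Section = $e.Section; Order = $e.Order; Script = $script; Parameters = $e.Parameters }
    }
}

function Test-WritableByNonAdmin {
    # $true if an Allow ACE grants Everyone, Users, Authenticated Users or INTERACTIVE (matched by SID,
    # so localized group names do not matter) a right that lets them change the file or its ACL.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }   # dangling entry: whoever can create the path wins
    $broadSids = 'S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4'
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE / GENERIC_ALL bits some ACEs carry unmapped
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($broadSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

$stores = @(
    @{ Ini = 'Machine\Scripts\scripts.ini';   Context = 'Computer (Local System)' }
    @{ Ini = 'Machine\Scripts\psscripts.ini'; Context = 'Computer (Local System)' }
    @{ Ini = 'User\Scripts\scripts.ini';      Context = 'User' }
    @{ Ini = 'User\Scripts\psscripts.ini';    Context = 'User' }
)
$report = foreach ($s in $stores) {
    $ini = Join-Path $GpoRoot $s.Ini
    foreach ($entry in (Read-GpoScriptIni -IniPath $ini -ScriptsDir (Split-Path -Path $ini -Parent))) {
        $entry |
            Add-Member -NotePropertyName Context -NotePropertyValue $s.Context -PassThru |
            Add-Member -NotePropertyName WritableByNonAdmin -NotePropertyValue (Test-WritableByNonAdmin -Path $entry.Script) -PassThru
    }
}
$report | Format-Table Context, Section, Order, Script, Parameters, WritableByNonAdmin -AutoSize
```

A row with Context "Computer (Local System)" and WritableByNonAdmin = True is the finding to act on first: tighten the ACL on that file (and its parent folder) so that only administrators and SYSTEM can write it, or move the script into the Local GPO's own Scripts folder, which inherits administrator-only permissions. A WritableByNonAdmin of $null means the configured script does not exist, which is worth the same attention, since the first user able to create that path decides what runs at the next boot or shutdown.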