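Windows 2008 (non-R2): notes on adjusting Group Policy with a batch file
On December 8, 2021, I adjusted Group Policy on Windows Server 2008 (not Windows Server 2008 R2). Some of the settings cannot be changed through the GUI (gpedit.msc) and can only be set from the command line in cmd. Running the commands produced the following error.
My guess was that the display language caused a mismatch between the Chinese and English Group Policy names. Using Audit Policy Recommendations | Microsoft Docs, I worked out the mapping between the Chinese and English policy names, changed the policy names in the batch commands to English, and the commands ran successfully.
I never tracked down the exact cause. To sum it up in one line: cherish life, stay away from Windows.
Here are the batch commands with the corresponding Chinese and English policy names. Cherish life, stay away from Windows.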
auditpol /set /subcategory:"IPsec 驱动程序" /success:enable /failure:enable
auditpol /set /subcategory:"其他帐户管理事件" /success:enable
auditpol /set /subcategory:"凭据验证" /success:enable /failure:enable
auditpol /set /subcategory:"安全系统扩展" /success:enable
auditpol /set /subcategory:"应用程序组管理" /success:enable /failure:enable
auditpol /set /subcategory:"授权策略更改" /success:enable
auditpol /set /subcategory:"用户帐户管理" /success:enable /failure:enable
auditpol /set /subcategory:"目录服务更改" /success:enable
auditpol /set /subcategory:"目录服务访问" /failure:enable
auditpol /set /subcategory:"进程创建" /success:enable
auditpol /set /subcategory:"分发组管理" /success:enable /failure:disable
auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
auditpol /set /subcategory:"Other Account Management Events" /success:enable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Security System Extension" /success:enable
auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Authorization Policy Change" /success:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable
auditpol /set /subcategory:"Directory Service Access" /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:disable
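The same eleven settings can also be applied without depending on the display language. The batch file below is an added example, not part of the original post: it passes each subcategory to auditpol by its GUID, which auditpol accepts in place of the name, and reports any command that fails. The GUIDs are the fixed Windows identifiers for these subcategories (auditpol /list /subcategory:* /v prints them on the local system); the :apply label and the FAILED variable are names chosen for this example.

```batch
@echo off
rem Added example: apply the audit settings by subcategory GUID, not by name.
rem GUIDs are identical on every display language, and this file is pure ASCII,
rem so neither the UI language nor the batch file's code page affects it.
rem Run from an elevated command prompt.
setlocal
set FAILED=0

call :apply "{0CCE9213-69AE-11D9-BED3-505054503030}" "/success:enable /failure:enable" "IPsec Driver"
call :apply "{0CCE923A-69AE-11D9-BED3-505054503030}" "/success:enable" "Other Account Management Events"
call :apply "{0CCE923F-69AE-11D9-BED3-505054503030}" "/success:enable /failure:enable" "Credential Validation"
call :apply "{0CCE9211-69AE-11D9-BED3-505054503030}" "/success:enable" "Security System Extension"
call :apply "{0CCE9239-69AE-11D9-BED3-505054503030}" "/success:enable /failure:enable" "Application Group Management"
call :apply "{0CCE9231-69AE-11D9-BED3-505054503030}" "/success:enable" "Authorization Policy Change"
call :apply "{0CCE9235-69AE-11D9-BED3-505054503030}" "/success:enable /failure:enable" "User Account Management"
call :apply "{0CCE923C-69AE-11D9-BED3-505054503030}" "/success:enable" "Directory Service Changes"
call :apply "{0CCE923B-69AE-11D9-BED3-505054503030}" "/failure:enable" "Directory Service Access"
call :apply "{0CCE922B-69AE-11D9-BED3-505054503030}" "/success:enable" "Process Creation"
call :apply "{0CCE9238-69AE-11D9-BED3-505054503030}" "/success:enable /failure:disable" "Distribution Group Management"

if %FAILED%==0 (
    echo All audit subcategories were set.
) else (
    echo At least one subcategory could not be set. See the FAILED lines above.
)

rem Print the effective policy so the result can be checked by eye.
auditpol /get /category:*
exit /b %FAILED%

:apply
rem %~1 = subcategory GUID, %~2 = auditpol switches, %~3 = English label (display only)
rem Relies on auditpol returning a non-zero exit code when a command fails.
auditpol /set /subcategory:%~1 %~2 >nul 2>&1
if errorlevel 1 (
    echo FAILED: %~3 %~1
    set FAILED=1
) else (
    echo OK:     %~3
)
goto :eof
```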
Resolving an error from gpupdate /force
After changing policy on Windows Server 2008, the policy needs to be refreshed. I ran gpupdate /force in cmd and got an error. The error text was:
The processing of Group Policy failed. Windows attempted to read the file \\<domain.name>\SysVol\<domain.name>\Policies\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\gpt.ini from a domian controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be cause by on or more of the following:
- Name Resolution/Network Connectivity to the current domain controller;
- File Replication Service Latency (a file created on another domain controller has not been replicated to the current domain controller);
- The Distributed File System (DFS) client has been disabled.
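My approach differed from the fixes given in other blogs online. My first thought was: can this file be read directly? So I opened Explorer and typed \\<domain.name>\SysVol\<domain.name>\Policies\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\ straight into the address bar to see whether gpt.ini could be read. It prompted for a domain account and password; after I entered them, gpt.ini could be read.
I ran gpupdate /force again, and the policy update succeeded.
One last thing: cherish life, stay away from Windows.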
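Using the built-in Windows certutil tool to verify checksums
Windows ships with a checksum tool, certutil; the usage is recorded below. Note that MD5, SHA1 and SHA256 must be uppercase! Otherwise an error is reported!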
certutil -hashfile <file> MD5
certutil -hashfile <file> SHA1
certutil -hashfile <file> SHA256
A successful run is shown below. All those spaces are really annoying to look at. Cherish life, stay away from Windows.
C:\Users\Lenovo\Downloads>certutil -hashfile rhel-8.2-x86_64-dvd.iso SHA256
SHA256 哈希(文件 rhel-8.2-x86_64-dvd.iso):
7f df ed 9c 7c ce d4 e5 26 a3 62 e6 4e d0 6b cd c6 ce 03 94 a9 86 25 a4 0e 7d 05 db 29 bf 7b 86
CertUtil: -hashfile 命令成功完成。