当前位置：首页 > news >正文

本地组策略编辑器图形化工具

news 2025/8/23 6:05:32

本地组策略图形化工具，添加用户权限分配功能。这将包括常见的用户权限策略设置：

目前版本在优化中，后续会添加更多功能。

# GroupPolicyGUI.ps1
# 需要以管理员权限运行Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing
[System.Windows.Forms.Application]::EnableVisualStyles()# 自动提升管理员权限
function Elevate-Admin {if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {$arguments = "-ExecutionPolicy Bypass -NoProfile -File `"$($MyInvocation.MyCommand.Definition)`""Start-Process -FilePath "powershell.exe" -ArgumentList $arguments -Verb RunAsexit}
}# 获取当前策略值的函数
function Get-CurrentPolicyValue {param($path, $key)try {if (Test-Path $path) {$value = Get-ItemProperty -Path $path -Name $key -ErrorAction SilentlyContinueif ($value -and $value.$Key -ne $null) { return $value.$Key }}return "未设置"}catch {return "访问错误"}
}# 获取用户权限分配当前值
function Get-UserRightsValue {param($policyName)try {# 使用secedit导出当前用户权限分配$tempFile = [System.IO.Path]::GetTempFileName()secedit /export /cfg $tempFile /areas USER_RIGHTS 2>&1 | Out-Nullif (Test-Path $tempFile) {$content = Get-Content $tempFile$policyLine = $content | Where-Object { $_ -like "*$policyName*" }if ($policyLine) {$users = $policyLine.Split('=')[1].Trim()if ([string]::IsNullOrEmpty($users)) {return "无用户"}return $users}return "未配置"}return "无法读取"}catch {return "错误"}finally {if (Test-Path $tempFile) { Remove-Item $tempFile -Force }}
}# 设置用户权限分配
function Set-UserRightsAssignment {param($policyName, $users)try {# 创建临时安全策略文件$tempFile = [System.IO.Path]::GetTempFileName()$infContent = @"
[Unicode]
Unicode=yes
[Version]
signature=`"`$CHICAGO`$`"
revision=1
[Privilege Rights]
$policyName = $users
"@Set-Content -Path $tempFile -Value $infContent -Encoding Unicodesecedit /configure /db secedit.sdb /cfg $tempFile /areas USER_RIGHTS 2>&1 | Out-Nullreturn $true}catch {Write-Host "设置用户权限失败: $_"return $false}finally {if (Test-Path $tempFile) { Remove-Item $tempFile -Force }}
}# 应用选中策略
function Apply-SelectedPolicies {$progressBar.Value = 0$statusLabel.Text = "正在应用策略..."$total = 0$applied = 0# 计算总数foreach ($tabPage in $tabControl.TabPages) {$listView = $tabPage.Controls[0]$total += $listView.CheckedItems.Count}if ($total -eq 0) {$statusLabel.Text = "请先选择要应用的策略"[System.Windows.Forms.MessageBox]::Show("请至少选择一个策略进行应用", "提示", "OK", "Information")return}foreach ($tabPage in $tabControl.TabPages) {$listView = $tabPage.Controls[0]foreach ($item in $listView.CheckedItems) {$policy = $item.Tagtry {if ($policy.Type -eq "USER_RIGHTS") {# 用户权限分配特殊处理$result = Set-UserRightsAssignment $policy.Key $policy.Valueif ($result) {$applied++}}else {# 普通注册表策略if (-not (Test-Path $policy.Path)) {New-Item -Path $policy.Path -Force | Out-Null}Set-ItemProperty -Path $policy.Path -Name $policy.Key -Value $policy.Value -Type $policy.Type -Force$applied++}$progressBar.Value = ($applied / $total) * 100$statusLabel.Text = "正在应用: $($policy.Name)... ($applied/$total)"[System.Windows.Forms.Application]::DoEvents()# 更新当前值显示if ($policy.Type -eq "USER_RIGHTS") {$currentValue = Get-UserRightsValue $policy.Key}else {$currentValue = Get-CurrentPolicyValue $policy.Path $policy.Key}$item.SubItems[2].Text = $currentValue}catch {Write-Host "应用策略失败: $($policy.Name) - $_"}}}# 刷新组策略$statusLabel.Text = "正在刷新组策略..."Start-Process -FilePath "gpupdate" -ArgumentList "/force" -Wait -WindowStyle Hidden$progressBar.Value = 100$statusLabel.Text = "完成! 已应用 $applied 个策略。"[System.Windows.Forms.MessageBox]::Show("策略应用完成!`n已成功应用 $applied 个策略。`n建议重启计算机使所有更改生效。", "完成", "OK", "Information")
}# 备份策略
function Backup-Policies {$backupDialog = New-Object System.Windows.Forms.SaveFileDialog$backupDialog.Filter = "注册表文件 (*.reg)|*.reg"$backupDialog.FileName = "gpo_backup_$(Get-Date -Format 'yyyyMMdd_HHmmss').reg"$backupDialog.Title = "选择备份位置"if ($backupDialog.ShowDialog() -eq [System.Windows.Forms.DialogResult]::OK) {try {# 备份用户权限分配$rightsFile = $backupDialog.FileName -replace '\.reg$', '_rights.inf'secedit /export /cfg $rightsFile /areas USER_RIGHTS 2>&1 | Out-Null# 备份注册表策略$regPaths = @("HKLM\SOFTWARE\Policies","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies","HKCU\Software\Policies","HKCU\Software\Microsoft\Windows\CurrentVersion\Policies")foreach ($regPath in $regPaths) {try {$arguments = "export `"$regPath`" `"$($backupDialog.FileName)`" /y"Start-Process -FilePath "reg" -ArgumentList $arguments -Wait -WindowStyle Hidden}catch {Write-Host "备份 $regPath 失败: $_"}}$statusLabel.Text = "备份已保存到: $($backupDialog.FileName)"[System.Windows.Forms.MessageBox]::Show("备份成功完成!`n注册表策略: $($backupDialog.FileName)`n用户权限: $rightsFile", "成功", "OK", "Information")}catch {[System.Windows.Forms.MessageBox]::Show("备份失败: $_", "错误", "OK", "Error")}}
}# 恢复策略
function Restore-Policies {$restoreDialog = New-Object System.Windows.Forms.OpenFileDialog$restoreDialog.Filter = "配置文件 (*.reg;*.inf)|*.reg;*.inf|所有文件 (*.*)|*.*"$restoreDialog.Title = "选择要恢复的备份文件"if ($restoreDialog.ShowDialog() -eq [System.Windows.Forms.DialogResult]::OK) {$result = [System.Windows.Forms.MessageBox]::Show("确定要恢复备份吗？这将覆盖当前设置。", "确认恢复", "YesNo", "Warning")if ($result -eq [System.Windows.Forms.DialogResult]::Yes) {try {if ($restoreDialog.FileName.EndsWith('.reg')) {Start-Process -FilePath "reg" -ArgumentList "import `"$($restoreDialog.FileName)`"" -Wait -WindowStyle Hidden}elseif ($restoreDialog.FileName.EndsWith('.inf')) {secedit /configure /db secedit.sdb /cfg "$($restoreDialog.FileName)" /areas USER_RIGHTS 2>&1 | Out-Null}$statusLabel.Text = "已从备份恢复策略"Refresh-PolicyStatus[System.Windows.Forms.MessageBox]::Show("恢复成功完成! 已刷新策略状态。", "成功", "OK", "Information")}catch {[System.Windows.Forms.MessageBox]::Show("恢复失败: $_", "错误", "OK", "Error")}}}
}# 刷新策略状态
function Refresh-PolicyStatus {$statusLabel.Text = "正在刷新策略状态..."$progressBar.Value = 0$progressBar.Style = [System.Windows.Forms.ProgressBarStyle]::Marqueeforeach ($tabPage in $tabControl.TabPages) {$listView = $tabPage.Controls[0]$totalItems = $listView.Items.Count$processed = 0foreach ($item in $listView.Items) {$policy = $item.Tagif ($policy.Type -eq "USER_RIGHTS") {$currentValue = Get-UserRightsValue $policy.Key}else {$currentValue = Get-CurrentPolicyValue $policy.Path $policy.Key}$item.SubItems[2].Text = $currentValue$item.Checked = ($currentValue -eq $policy.Value)$processed++$progressBar.Value = ($processed / $totalItems) * 100[System.Windows.Forms.Application]::DoEvents()}}$progressBar.Style = [System.Windows.Forms.ProgressBarStyle]::Continuous$progressBar.Value = 100$statusLabel.Text = "策略状态已刷新"
}# 用户权限分配编辑器对话框
function Show-UserRightsEditor {param($policyName, $currentUsers)$editorForm = New-Object System.Windows.Forms.Form$editorForm.Text = "编辑用户权限分配: $policyName"$editorForm.Size = New-Object System.Drawing.Size(500, 400)$editorForm.StartPosition = "CenterScreen"$label = New-Object System.Windows.Forms.Label$label.Location = New-Object System.Drawing.Point(10, 10)$label.Size = New-Object System.Drawing.Size(460, 30)$label.Text = "请输入用户或组名称 (多个用户用逗号分隔):"$editorForm.Controls.Add($label)$textBox = New-Object System.Windows.Forms.TextBox$textBox.Location = New-Object System.Drawing.Point(10, 40)$textBox.Size = New-Object System.Drawing.Size(460, 100)$textBox.Multiline = $true$textBox.ScrollBars = "Vertical"$textBox.Text = $currentUsers$editorForm.Controls.Add($textBox)$helpLabel = New-Object System.Windows.Forms.Label$helpLabel.Location = New-Object System.Drawing.Point(10, 150)$helpLabel.Size = New-Object System.Drawing.Size(460, 60)$helpLabel.Text = "示例: `nAdministrators, SYSTEM`n或者: `nDOMAIN\User1, DOMAIN\Group1`n留空表示不分配此权限"$helpLabel.ForeColor = [System.Drawing.Color]::Gray$editorForm.Controls.Add($helpLabel)$okButton = New-Object System.Windows.Forms.Button$okButton.Location = New-Object System.Drawing.Point(150, 220)$okButton.Size = New-Object System.Drawing.Size(80, 30)$okButton.Text = "确定"$okButton.DialogResult = [System.Windows.Forms.DialogResult]::OK$editorForm.Controls.Add($okButton)$cancelButton = New-Object System.Windows.Forms.Button$cancelButton.Location = New-Object System.Drawing.Point(250, 220)$cancelButton.Size = New-Object System.Drawing.Size(80, 30)$cancelButton.Text = "取消"$cancelButton.DialogResult = [System.Windows.Forms.DialogResult]::Cancel$editorForm.Controls.Add($cancelButton)$editorForm.AcceptButton = $okButton$editorForm.CancelButton = $cancelButtonif ($editorForm.ShowDialog() -eq [System.Windows.Forms.DialogResult]::OK) {return $textBox.Text.Trim()}return $null
}# 初始化函数定义
Elevate-Admin# 创建主窗体
$form = New-Object System.Windows.Forms.Form
$form.Text = "组策略图形化管理工具 - 含用户权限分配"
$form.Size = New-Object System.Drawing.Size(1100, 750)
$form.StartPosition = "CenterScreen"
$form.MinimumSize = New-Object System.Drawing.Size(900, 650)
$form.BackColor = [System.Drawing.Color]::FromArgb(240, 240, 240)# 创建菜单栏
$menuStrip = New-Object System.Windows.Forms.MenuStrip
$fileMenu = New-Object System.Windows.Forms.ToolStripMenuItem("文件(&F)")
$toolsMenu = New-Object System.Windows.Forms.ToolStripMenuItem("工具(&T)")
$helpMenu = New-Object System.Windows.Forms.ToolStripMenuItem("帮助(&H)")# 文件菜单项
$backupItem = New-Object System.Windows.Forms.ToolStripMenuItem("备份当前设置(&B)")
$restoreItem = New-Object System.Windows.Forms.ToolStripMenuItem("恢复备份(&R)")
$exitItem = New-Object System.Windows.Forms.ToolStripMenuItem("退出(&X)")# 工具菜单项
$refreshItem = New-Object System.Windows.Forms.ToolStripMenuItem("刷新策略(&R)")
$applyItem = New-Object System.Windows.Forms.ToolStripMenuItem("应用选中策略(&A)")
$userRightsEditorItem = New-Object System.Windows.Forms.ToolStripMenuItem("用户权限编辑器(&U)")# 帮助菜单项
$aboutItem = New-Object System.Windows.Forms.ToolStripMenuItem("关于(&A)")# 构建菜单
$fileMenu.DropDownItems.AddRange(@($backupItem, $restoreItem, (New-Object System.Windows.Forms.ToolStripSeparator), $exitItem))
$toolsMenu.DropDownItems.AddRange(@($refreshItem, $applyItem, $userRightsEditorItem))
$helpMenu.DropDownItems.Add($aboutItem)
$menuStrip.Items.AddRange(@($fileMenu, $toolsMenu, $helpMenu))
$form.Controls.Add($menuStrip)# 创建选项卡控件
$tabControl = New-Object System.Windows.Forms.TabControl
$tabControl.Location = New-Object System.Drawing.Point(10, 30)
$tabControl.Size = New-Object System.Drawing.Size(1060, 500)
$tabControl.Anchor = 'Top, Bottom, Left, Right'# 策略分类（包含用户权限分配）
$policyCategories = @{"系统设置" = @(@{Name="禁用锁屏界面"; Path="HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization"; Key="NoLockScreen"; Type="DWORD"; Value=1; Description="禁用Windows锁屏界面"}@{Name="禁用自动重启"; Path="HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"; Key="NoAutoRebootWithLoggedOnUsers"; Type="DWORD"; Value=1; Description="登录时禁止Windows更新自动重启"}@{Name="禁用遥测"; Path="HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection"; Key="AllowTelemetry"; Type="DWORD"; Value=0; Description="禁用Windows遥测数据收集"})"用户权限分配" = @(@{Name="允许本地登录"; Path=""; Key="SeInteractiveLogonRight"; Type="USER_RIGHTS"; Value="Administrators,Users"; Description="允许用户本地登录计算机"}@{Name="拒绝本地登录"; Path=""; Key="SeDenyInteractiveLogonRight"; Type="USER_RIGHTS"; Value=""; Description="拒绝用户本地登录计算机"}@{Name="远程桌面服务登录"; Path=""; Key="SeRemoteInteractiveLogonRight"; Type="USER_RIGHTS"; Value="Administrators"; Description="允许通过远程桌面服务登录"}@{Name="拒绝远程桌面服务登录"; Path=""; Key="SeDenyRemoteInteractiveLogonRight"; Type="USER_RIGHTS"; Value=""; Description="拒绝通过远程桌面服务登录"}@{Name="作为服务登录"; Path=""; Key="SeServiceLogonRight"; Type="USER_RIGHTS"; Value=""; Description="允许进程作为服务运行"}@{Name="作为批处理作业登录"; Path=""; Key="SeBatchLogonRight"; Type="USER_RIGHTS"; Value="Administrators"; Description="允许作为批处理作业登录"}@{Name="调试程序"; Path=""; Key="SeDebugPrivilege"; Type="USER_RIGHTS"; Value="Administrators"; Description="调试程序的权限"}@{Name="管理审核和安全日志"; Path=""; Key="SeSecurityPrivilege"; Type="USER_RIGHTS"; Value="Administrators"; Description="管理审核和安全日志"}@{Name="更改系统时间"; Path=""; Key="SeSystemtimePrivilege"; Type="USER_RIGHTS"; Value="Administrators"; Description="更改系统时间"}@{Name="关闭系统"; Path=""; Key="SeShutdownPrivilege"; Type="USER_RIGHTS"; Value="Administrators,Users"; Description="关闭操作系统"})"用户界面" = @(@{Name="禁用Cortana"; Path="HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search"; Key="AllowCortana"; Type="DWORD"; Value=0; Description="禁用Cortana语音助手"}@{Name="隐藏通知区域"; Path="HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer"; Key="HideNotificationArea"; Type="DWORD"; Value=1; Description="隐藏通知区域"})"网络设置" = @(@{Name="启用远程桌面"; Path="HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"; Key="fDenyTSConnections"; Type="DWORD"; Value=0; Description="启用远程桌面连接"})"安全设置" = @(@{Name="禁用UAC"; Path="HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"; Key="EnableLUA"; Type="DWORD"; Value=0; Description="禁用用户账户控制(UAC)"})
}# 创建选项卡页面
foreach ($category in $policyCategories.Keys) {$tabPage = New-Object System.Windows.Forms.TabPage$tabPage.Text = $category$tabPage.BackColor = [System.Drawing.Color]::White$listView = New-Object System.Windows.Forms.ListView$listView.Location = New-Object System.Drawing.Point(10, 10)$listView.Size = New-Object System.Drawing.Size(1020, 440)$listView.View = [System.Windows.Forms.View]::Details$listView.FullRowSelect = $true$listView.CheckBoxes = $true$listView.GridLines = $true$listView.Anchor = 'Top, Bottom, Left, Right'# 添加列$listView.Columns.Add("启用", 60) | Out-Null$listView.Columns.Add("策略名称", 200) | Out-Null$listView.Columns.Add("当前值", 200) | Out-Null$listView.Columns.Add("推荐值", 150) | Out-Null$listView.Columns.Add("策略类型", 100) | Out-Null$listView.Columns.Add("描述", 250) | Out-Null# 添加策略项foreach ($policy in $policyCategories[$category]) {if ($policy.Type -eq "USER_RIGHTS") {$currentValue = Get-UserRightsValue $policy.Key}else {$currentValue = Get-CurrentPolicyValue $policy.Path $policy.Key}$item = New-Object System.Windows.Forms.ListViewItem("")$item.SubItems.Add($policy.Name) | Out-Null$item.SubItems.Add([string]$currentValue) | Out-Null$item.SubItems.Add($policy.Value) | Out-Null$item.SubItems.Add($policy.Type) | Out-Null$item.SubItems.Add($policy.Description) | Out-Null$item.Tag = $policy# 对于用户权限分配，检查是否匹配if ($policy.Type -eq "USER_RIGHTS") {$item.Checked = ($currentValue -eq $policy.Value)}else {$item.Checked = ($currentValue -eq $policy.Value)}$listView.Items.Add($item) | Out-Null}$tabPage.Controls.Add($listView)$tabControl.TabPages.Add($tabPage)
}# 状态栏
$statusLabel = New-Object System.Windows.Forms.Label
$statusLabel.Location = New-Object System.Drawing.Point(10, 640)
$statusLabel.Size = New-Object System.Drawing.Size(700, 20)
$statusLabel.Text = "就绪 - 双击用户权限策略可编辑具体用户"
$form.Controls.Add($statusLabel)# 进度条
$progressBar = New-Object System.Windows.Forms.ProgressBar
$progressBar.Location = New-Object System.Drawing.Point(720, 640)
$progressBar.Size = New-Object System.Drawing.Size(350, 20)
$progressBar.Style = [System.Windows.Forms.ProgressBarStyle]::Continuous
$form.Controls.Add($progressBar)# 按钮区域
$buttonPanel = New-Object System.Windows.Forms.Panel
$buttonPanel.Location = New-Object System.Drawing.Point(10, 540)
$buttonPanel.Size = New-Object System.Drawing.Size(1060, 90)
$buttonPanel.Anchor = 'Bottom, Left, Right'$applyButton = New-Object System.Windows.Forms.Button
$applyButton.Location = New-Object System.Drawing.Point(20, 10)
$applyButton.Size = New-Object System.Drawing.Size(120, 40)
$applyButton.Text = "应用选中策略"
$applyButton.BackColor = [System.Drawing.Color]::LightGreen
$applyButton.Font = New-Object System.Drawing.Font("Microsoft Sans Serif", 10, [System.Drawing.FontStyle]::Bold)$backupButton = New-Object System.Windows.Forms.Button
$backupButton.Location = New-Object System.Drawing.Point(160, 10)
$backupButton.Size = New-Object System.Drawing.Size(120, 40)
$backupButton.Text = "备份设置"$restoreButton = New-Object System.Windows.Forms.Button
$restoreButton.Location = New-Object System.Drawing.Point(300, 10)
$restoreButton.Size = New-Object System.Drawing.Size(120, 40)
$restoreButton.Text = "恢复备份"$refreshButton = New-Object System.Windows.Forms.Button
$refreshButton.Location = New-Object System.Drawing.Point(440, 10)
$refreshButton.Size = New-Object System.Drawing.Size(120, 40)
$refreshButton.Text = "刷新状态"$editButton = New-Object System.Windows.Forms.Button
$editButton.Location = New-Object System.Drawing.Point(580, 10)
$editButton.Size = New-Object System.Drawing.Size(150, 40)
$editButton.Text = "编辑用户权限"
$editButton.BackColor = [System.Drawing.Color]::LightBlue$buttonPanel.Controls.AddRange(@($applyButton, $backupButton, $restoreButton, $refreshButton, $editButton))
$form.Controls.Add($tabControl)
$form.Controls.Add($buttonPanel)# 事件处理
$applyButton.Add_Click({ Apply-SelectedPolicies })
$backupButton.Add_Click({ Backup-Policies })
$restoreButton.Add_Click({ Restore-Policies })
$refreshButton.Add_Click({ Refresh-PolicyStatus })
$editButton.Add_Click({ Edit-UserRights })
$userRightsEditorItem.Add_Click({ Edit-UserRights })# 双击编辑用户权限
$tabControl.Add_SelectedIndexChanged({$currentTab = $tabControl.SelectedTabif ($currentTab.Text -eq "用户权限分配") {$listView = $currentTab.Controls[0]$listView.Add_DoubleClick({if ($listView.SelectedItems.Count -gt 0) {$item = $listView.SelectedItems[0]$policy = $item.Tagif ($policy.Type -eq "USER_RIGHTS") {$newUsers = Show-UserRightsEditor $policy.Name $policy.Valueif ($newUsers -ne $null) {$policy.Value = $newUsers$item.SubItems[3].Text = $newUsers$item.Checked = $false}}}})}
})function Edit-UserRights {$currentTab = $tabControl.SelectedTabif ($currentTab.Text -eq "用户权限分配" -and $currentTab.Controls[0].SelectedItems.Count -gt 0) {$item = $currentTab.Controls[0].SelectedItems[0]$policy = $item.Tagif ($policy.Type -eq "USER_RIGHTS") {$newUsers = Show-UserRightsEditor $policy.Name $policy.Valueif ($newUsers -ne $null) {$policy.Value = $newUsers$item.SubItems[3].Text = $newUsers$item.Checked = $false}}}else {[System.Windows.Forms.MessageBox]::Show("请在'用户权限分配'选项卡中选择一个策略进行编辑", "提示", "OK", "Information")}
}# 其他菜单事件
$backupItem.Add_Click({ Backup-Policies })
$restoreItem.Add_Click({ Restore-Policies })
$refreshItem.Add_Click({ Refresh-PolicyStatus })
$applyItem.Add_Click({ Apply-SelectedPolicies })
$exitItem.Add_Click({ $form.Close() })$aboutItem.Add_Click({[System.Windows.Forms.MessageBox]::Show("组策略图形化管理工具 v2.0`n包含用户权限分配功能`n作者: AI Assistant`n创建时间: 2024", "关于")
})# 初始化
Refresh-PolicyStatus
$form.Add_Shown({$form.Activate()})# 运行窗体
[System.Windows.Forms.Application]::Run($form)