
如何使用.NET应用Windows组策略?

  • Seth Petry-Johnson  · 技术社区  · 15 年前

    是否可以使用.NET应用(和删除)Windows组策略设置?

    我需要暂时把一台机器置于一种受限的、类似信息亭(kiosk)的状态。我需要控制的事情之一是对USB驱动器的访问,我相信可以通过组策略来实现。我希望我的应用程序在启动时设置策略,并在退出时还原更改……这可以通过.NET Framework调用实现吗?

    这些是我的主要要求:

    • 标识用户操作何时被策略拒绝并记录它。
      • 可以记录到系统安全日志。
    4 回复  |  直到 15 年前
  •   Arseni Mourzenko    13 年前

    尝试使用 IGroupPolicyObject

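    // Applies one registry-backed policy value in two places: directly under
    // hKey\subKey, and under the same subKey in the user section of the local
    // machine Group Policy Object (through IGroupPolicyObject), which is then saved.
    //
    // Parameters:
    //   hKey, subKey - root key and path used for the direct registry write.
    //   valueName    - name of the value to set.
    //   dwType       - REG_SZ (data is read from szkeyValue) or REG_DWORD (data is
    //                  dwkeyValue). For any other type no value is written, but the
    //                  keys are still created and the GPO is still saved.
    //   szkeyValue   - NUL-terminated TCHAR string for REG_SZ; may be NULL otherwise.
    //   dwkeyValue   - value used for REG_DWORD.
    //
    // Returns true only when every step succeeded. The direct registry write is
    // done first and is NOT rolled back if a later GPO step fails, so a false
    // return can mean "partially applied"; a caller that must restore the machine
    // on exit should record what it changed.
    //
    // NOTE(review): opening and saving the local machine GPO normally needs an
    // elevated (administrator) token - confirm the hosting process runs with one.
    bool SetGroupPolicy(HKEY hKey, LPCTSTR subKey, LPCTSTR valueName, DWORD dwType, const BYTE* szkeyValue, DWORD dwkeyValue)
    {
        // Resolve the data pointer and its size in bytes once, so both writes use
        // the same values.
        const BYTE* data = NULL;
        DWORD cbData = 0;
        if (dwType == REG_SZ)
        {
            // The string is dereferenced below; a NULL pointer would crash.
            if (szkeyValue == NULL)
            {
                return false;
            }
            data = szkeyValue;
            // Size must be in bytes and include the terminator. strlen() on the raw
            // bytes stops at the first zero byte, which truncates wide-character
            // data; lstrlen() follows the build's TCHAR width.
            cbData = (DWORD)((lstrlen((LPCTSTR)szkeyValue) + 1) * sizeof(TCHAR));
        }
        else if (dwType == REG_DWORD)
        {
            data = (const BYTE*)&dwkeyValue;
            cbData = sizeof(dwkeyValue);
        }

        // Only a successful CoInitialize (S_OK or S_FALSE) may be balanced by
        // CoUninitialize; a failure such as a changed apartment mode must not be.
        const bool comInitialized = SUCCEEDED(CoInitialize(NULL));

        HKEY hSubKey = NULL;
        HKEY ghKey = NULL;
        HKEY ghSubKey = NULL;
        IGroupPolicyObject *pGPO = NULL;
        bool ok = false;

        // Single-exit structure: every failure breaks out to the shared cleanup
        // below, so no handle, COM reference or COM initialization is leaked.
        do
        {
            // Step 1: write the value directly under hKey\subKey.
            if (RegCreateKeyEx(hKey, subKey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE, NULL, &hSubKey, NULL) != ERROR_SUCCESS)
            {
                hSubKey = NULL;
                break;
            }

            if (data != NULL && RegSetValueEx(hSubKey, valueName, 0, dwType, data, cbData) != ERROR_SUCCESS)
            {
                break;
            }

            // Step 2: record the same value in the local machine GPO.
            HRESULT hr = CoCreateInstance(CLSID_GroupPolicyObject, NULL, CLSCTX_ALL, IID_IGroupPolicyObject, (LPVOID*)&pGPO);
            if (FAILED(hr))
            {
                pGPO = NULL;
                MessageBox(NULL, L"Failed to initialize GPO", L"", MB_OK);
                break;
            }

            if (pGPO->OpenLocalMachineGPO(GPO_OPEN_LOAD_REGISTRY) != S_OK)
            {
                MessageBox(NULL, L"Failed to get the GPO mapping", L"", MB_OK);
                break;
            }

            if (pGPO->GetRegistryKey(GPO_SECTION_USER, &ghKey) != S_OK)
            {
                ghKey = NULL;
                MessageBox(NULL, L"Failed to get the root key", L"", MB_OK);
                break;
            }

            if (RegCreateKeyEx(ghKey, subKey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE, NULL, &ghSubKey, NULL) != ERROR_SUCCESS)
            {
                ghSubKey = NULL;
                MessageBox(NULL, L"Cannot create key", L"", MB_OK);
                break;
            }

            if (data != NULL && RegSetValueEx(ghSubKey, valueName, 0, dwType, data, cbData) != ERROR_SUCCESS)
            {
                // Same message for both value types: this is a set-value failure,
                // not a key-creation failure.
                MessageBox(NULL, L"Cannot set value", L"", MB_OK);
                break;
            }

            // Save(bMachine = false, bAdd = true, ...): persist the user-section change.
            if (pGPO->Save(false, true, const_cast<GUID*>(&EXTENSION_GUID), const_cast<GUID*>(&CLSID_GPESnapIn)) != S_OK)
            {
                MessageBox(NULL, L"Save failed", L"", MB_OK);
                break;
            }

            ok = true;
        } while (false);

        // Shared cleanup for success and failure alike.
        if (ghSubKey != NULL)
        {
            RegCloseKey(ghSubKey);
        }
        if (ghKey != NULL)
        {
            RegCloseKey(ghKey);
        }
        if (hSubKey != NULL)
        {
            RegCloseKey(hSubKey);
        }
        if (pGPO != NULL)
        {
            // Release the COM object before COM itself is torn down.
            pGPO->Release();
        }
        if (comInitialized)
        {
            CoUninitialize();
        }
        return ok;
    }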
    

    你可以这样调用这个函数:

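    // Remove the Log Off entry from the Start menu for the current user.
    // SetGroupPolicy returns false on any failure; check the result so that a
    // restriction which did not apply is not assumed to be in effect.
    const bool logOffPolicyApplied = SetGroupPolicy(HKEY_CURRENT_USER,
        L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
        L"StartMenuLogOff", REG_DWORD, NULL, 1);
    if (!logOffPolicyApplied)
    {
        // The policy was not (fully) applied: log it and decide whether the
        // restricted session may start at all.
    }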
    
  •   Jonik    13 年前

    注意:我使用了两个GroupPolicy程序集引用: C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Management.Interop\2.0.0.0__31bf3856ad364e35\Microsoft.GroupPolicy.Management.Interop.dll 。它们是针对framework 2.0生成的,属于混合模式程序集,因此在.NET 4项目中必须通过app.config进行配置: http://msmvps.com/blogs/rfennell/archive/2010/03/27/mixed-mode-assembly-is-built-against-version-v2-0-50727-error-using-net-4-development-web-server.aspx

    using System.Collections.ObjectModel;
    using Microsoft.GroupPolicy;
    using Microsoft.Win32;
    
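    /// <summary>
    /// Writes one registry-based policy value into the User configuration of a Group Policy Object.
    /// </summary>
    /// <remarks>
    /// The setting always targets <c>RegistryHive.CurrentUser</c>. The GPO is looked up through the
    /// <c>_gpDomain</c> field, which is declared outside this snippet. Failures are reported only
    /// through the <c>false</c> return value; the cause is written to the trace listeners so that a
    /// policy which was not applied leaves a record.
    /// NOTE(review): saving a GPO presumably requires edit rights on that GPO and affects every user
    /// the GPO applies to - confirm the scope before calling this from an application.
    /// </remarks>
    /// <param name="gpoName">Name of the Group Policy Object (its DisplayName), passed to <c>_gpDomain.GetGpo</c>.</param>
    /// <param name="keyPath">Registry key path, e.g. <c>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</c>.</param>
    /// <param name="typeOfKey">Registry value kind: String, ExpandString, DWord, QWord, Binary or MultiString.</param>
    /// <param name="parameterName">Name of the registry value to write.</param>
    /// <param name="value">Value to write; its runtime type must match <paramref name="typeOfKey"/>
    /// (string, Int32, Int64, byte[] or string[]).</param>
    /// <returns><c>true</c> if the setting was written and saved; <c>false</c> on any failure.</returns>
    public bool ChangePolicyUser(string gpoName, string keyPath, RegistryValueKind typeOfKey, string parameterName, object value)
    {
        try
        {
            RegistrySetting newSetting = new PolicyRegistrySetting();
            newSetting.Hive = RegistryHive.CurrentUser;
            newSetting.KeyPath = keyPath;

            switch (typeOfKey)
            {
                case RegistryValueKind.String:
                case RegistryValueKind.ExpandString:
                    newSetting.SetValue(parameterName, (string)value, typeOfKey);
                    break;
                case RegistryValueKind.DWord:
                    newSetting.SetValue(parameterName, (Int32)value);
                    break;
                case RegistryValueKind.QWord:
                    newSetting.SetValue(parameterName, (Int64)value);
                    break;
                case RegistryValueKind.Binary:
                    newSetting.SetValue(parameterName, (byte[])value);
                    break;
                case RegistryValueKind.MultiString:
                    newSetting.SetValue(parameterName, (string[])value, typeOfKey);
                    break;
                default:
                    // Without this branch an unsupported kind fell through and a setting
                    // with no value assigned was written to the GPO.
                    System.Diagnostics.Trace.TraceError(
                        "ChangePolicyUser: unsupported registry value kind '{0}' for value '{1}'.",
                        typeOfKey, parameterName);
                    return false;
            }

            Gpo gpoTarget = _gpDomain.GetGpo(gpoName);
            RegistryPolicy registry = gpoTarget.User.Policy.GetRegistry(false);
            bool contains = false;
            try
            {
                // Find out whether the value already exists under keyPath.
                ReadOnlyCollection<RegistryItem> items = registry.Read(newSetting.Hive, keyPath);
                foreach (RegistryItem item in items)
                {
                    // Items that are not value settings are skipped rather than cast
                    // blindly; an invalid cast here would abort the whole update.
                    RegistrySetting existing = item as RegistrySetting;
                    if (existing != null && existing.ValueName == parameterName)
                    {
                        contains = true;
                        break;
                    }
                }
                registry.Write((PolicyRegistrySetting)newSetting, !contains);
                registry.Save(false);
                return true;
            }
            catch (ArgumentException)
            {
                // Fallback kept from the original: retry the write with the flag inverted
                // and save with 'true'.
                // NOTE(review): the exact meaning of both boolean flags is not visible
                // here - verify against the Microsoft.GroupPolicy documentation.
                registry.Write((PolicyRegistrySetting)newSetting, contains);
                registry.Save(true);
                return true;
            }
        }
        catch (Exception ex)
        {
            // Still best-effort (callers only get a bool), but no longer silent.
            System.Diagnostics.Trace.TraceError(
                "ChangePolicyUser failed for GPO '{0}', key '{1}', value '{2}': {3}",
                gpoName, keyPath, parameterName, ex);
            return false;
        }
    }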