trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
2c2ec3ab818891c669e9fd848548352e6d217312
DetectionLab/Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/gpreport.xml
Chris Long 1577341ce9 Initial commit
2017-12-11 08:49:25 -08:00

243 lines
26 KiB
XML
Executable File
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<?xml version="1.0" encoding="utf-16"?>
<GPO xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.microsoft.com/GroupPolicy/Settings">
<Identifier>
<Identifier xmlns="http://www.microsoft.com/GroupPolicy/Types">{52384B72-F463-4CF8-8432-C2E23FFC87C6}</Identifier>
<Domain xmlns="http://www.microsoft.com/GroupPolicy/Types">windomain.local</Domain>
</Identifier>
<Name>Powershell Logging</Name>
<IncludeComments>true</IncludeComments>
<CreatedTime>2017-04-20T00:31:46</CreatedTime>
<ModifiedTime>2017-04-20T00:39:56</ModifiedTime>
<ReadTime>2017-04-20T00:41:04.7240971Z</ReadTime>
<SecurityDescriptor>
<SDDL xmlns="http://www.microsoft.com/GroupPolicy/Types/Security">O:S-1-5-21-4167842404-2528019904-656423439-1000G:DUD:PAI(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-4167842404-2528019904-656423439-1000)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-4167842404-2528019904-656423439-519)(A;CI;LCRPLORC;;;ED)(A;CI;LCRPLORC;;;AU)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)</SDDL>
<Owner xmlns="http://www.microsoft.com/GroupPolicy/Types/Security">
<SID xmlns="http://www.microsoft.com/GroupPolicy/Types">S-1-5-21-4167842404-2528019904-656423439-1000</SID>
<Name xmlns="http://www.microsoft.com/GroupPolicy/Types">WINDOMAIN\vagrant</Name>
</Owner>
<Group xmlns="http://www.microsoft.com/GroupPolicy/Types/Security">
<SID xmlns="http://www.microsoft.com/GroupPolicy/Types">S-1-5-21-4167842404-2528019904-656423439-513</SID>
<Name xmlns="http://www.microsoft.com/GroupPolicy/Types">WINDOMAIN\Domain Users</Name>
</Group>
<PermissionsPresent xmlns="http://www.microsoft.com/GroupPolicy/Types/Security">true</PermissionsPresent>
<Permissions xmlns="http://www.microsoft.com/GroupPolicy/Types/Security">
<InheritsFromParent>false</InheritsFromParent>
<TrusteePermissions>
<Trustee>
<SID xmlns="http://www.microsoft.com/GroupPolicy/Types">S-1-5-21-4167842404-2528019904-656423439-519</SID>
<Name xmlns="http://www.microsoft.com/GroupPolicy/Types">WINDOMAIN\Enterprise Admins</Name>
</Trustee>
<Type xsi:type="PermissionType">
<PermissionType>Allow</PermissionType>
</Type>
<Inherited>false</Inherited>
<Applicability>
<ToSelf>true</ToSelf>
<ToDescendantObjects>false</ToDescendantObjects>
<ToDescendantContainers>true</ToDescendantContainers>
<ToDirectDescendantsOnly>false</ToDirectDescendantsOnly>
</Applicability>
<Standard>
<GPOGroupedAccessEnum>Edit, delete, modify security</GPOGroupedAccessEnum>
</Standard>
<AccessMask>0</AccessMask>
</TrusteePermissions>
<TrusteePermissions>
<Trustee>
<SID xmlns="http://www.microsoft.com/GroupPolicy/Types">S-1-5-21-4167842404-2528019904-656423439-1000</SID>
<Name xmlns="http://www.microsoft.com/GroupPolicy/Types">WINDOMAIN\vagrant</Name>
</Trustee>
<Type xsi:type="PermissionType">
<PermissionType>Allow</PermissionType>
</Type>
<Inherited>false</Inherited>
<Applicability>
<ToSelf>true</ToSelf>
<ToDescendantObjects>false</ToDescendantObjects>
<ToDescendantContainers>false</ToDescendantContainers>
<ToDirectDescendantsOnly>false</ToDirectDescendantsOnly>
</Applicability>
<Standard>
<GPOGroupedAccessEnum>Edit, delete, modify security</GPOGroupedAccessEnum>
</Standard>
<AccessMask>0</AccessMask>
</TrusteePermissions>
<TrusteePermissions>
<Trustee>
<SID xmlns="http://www.microsoft.com/GroupPolicy/Types">S-1-5-9</SID>
<Name xmlns="http://www.microsoft.com/GroupPolicy/Types">NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS</Name>
</Trustee>
<Type xsi:type="PermissionType">
<PermissionType>Allow</PermissionType>
</Type>
<Inherited>false</Inherited>
<Applicability>
<ToSelf>true</ToSelf>
<ToDescendantObjects>false</ToDescendantObjects>
<ToDescendantContainers>true</ToDescendantContainers>
<ToDirectDescendantsOnly>false</ToDirectDescendantsOnly>
</Applicability>
<Standard>
<GPOGroupedAccessEnum>Read</GPOGroupedAccessEnum>
</Standard>
<AccessMask>0</AccessMask>
</TrusteePermissions>
<TrusteePermissions>
<Trustee>
<SID xmlns="http://www.microsoft.com/GroupPolicy/Types">S-1-5-18</SID>
<Name xmlns="http://www.microsoft.com/GroupPolicy/Types">NT AUTHORITY\SYSTEM</Name>
</Trustee>
<Type xsi:type="PermissionType">
<PermissionType>Allow</PermissionType>
</Type>
<Inherited>false</Inherited>
<Applicability>
<ToSelf>true</ToSelf>
<ToDescendantObjects>false</ToDescendantObjects>
<ToDescendantContainers>true</ToDescendantContainers>
<ToDirectDescendantsOnly>false</ToDirectDescendantsOnly>
</Applicability>
<Standard>
<GPOGroupedAccessEnum>Edit, delete, modify security</GPOGroupedAccessEnum>
</Standard>
<AccessMask>0</AccessMask>
</TrusteePermissions>
<TrusteePermissions>
<Trustee>
<SID xmlns="http://www.microsoft.com/GroupPolicy/Types">S-1-5-11</SID>
<Name xmlns="http://www.microsoft.com/GroupPolicy/Types">NT AUTHORITY\Authenticated Users</Name>
</Trustee>
<Type xsi:type="PermissionType">
<PermissionType>Allow</PermissionType>
</Type>
<Inherited>false</Inherited>
<Applicability>
<ToSelf>true</ToSelf>
<ToDescendantObjects>false</ToDescendantObjects>
<ToDescendantContainers>true</ToDescendantContainers>
<ToDirectDescendantsOnly>false</ToDirectDescendantsOnly>
</Applicability>
<Standard>
<GPOGroupedAccessEnum>Apply Group Policy</GPOGroupedAccessEnum>
</Standard>
<AccessMask>0</AccessMask>
</TrusteePermissions>
<TrusteePermissions>
<Trustee>
<SID xmlns="http://www.microsoft.com/GroupPolicy/Types">S-1-5-21-4167842404-2528019904-656423439-512</SID>
<Name xmlns="http://www.microsoft.com/GroupPolicy/Types">WINDOMAIN\Domain Admins</Name>
</Trustee>
<Type xsi:type="PermissionType">
<PermissionType>Allow</PermissionType>
</Type>
<Inherited>false</Inherited>
<Applicability>
<ToSelf>true</ToSelf>
<ToDescendantObjects>false</ToDescendantObjects>
<ToDescendantContainers>true</ToDescendantContainers>
<ToDirectDescendantsOnly>false</ToDirectDescendantsOnly>
</Applicability>
<Standard>
<GPOGroupedAccessEnum>Edit, delete, modify security</GPOGroupedAccessEnum>
</Standard>
<AccessMask>0</AccessMask>
</TrusteePermissions>
</Permissions>
<AuditingPresent xmlns="http://www.microsoft.com/GroupPolicy/Types/Security">false</AuditingPresent>
</SecurityDescriptor>
<FilterDataAvailable>true</FilterDataAvailable>
<Computer>
<VersionDirectory>2</VersionDirectory>
<VersionSysvol>2</VersionSysvol>
<Enabled>true</Enabled>
<ExtensionData>
<Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry" xsi:type="q1:RegistrySettings">
<q1:Policy>
<q1:Name>Turn on Module Logging</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>
This policy setting allows you to turn on logging for Windows PowerShell modules.
If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to True.
If you disable this policy setting, logging of execution events is disabled for all Windows PowerShell modules. Disabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to False.
If this policy setting is not configured, the LogPipelineExecutionDetails property of a module or snap-in determines whether the execution events of a module or snap-in are logged. By default, the LogPipelineExecutionDetails property of all modules and snap-ins is set to False.
To add modules and snap-ins to the policy setting list, click Show, and then type the module names in the list. The modules and snap-ins in the list must be installed on the computer.
Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
</q1:Explain>
<q1:Supported>At least Microsoft Windows 7 or Windows Server 2008 family</q1:Supported>
<q1:Category>Windows Components/Windows PowerShell</q1:Category>
<q1:Text>
<q1:Name>To turn on logging for one or more modules, click Show, and then type the module names in the list. Wildcards are supported.</q1:Name>
</q1:Text>
<q1:ListBox>
<q1:Name>Module Names</q1:Name>
<q1:State>Enabled</q1:State>
<q1:ExplicitValue>false</q1:ExplicitValue>
<q1:Additive>false</q1:Additive>
<q1:Value>
<q1:Element>
<q1:Data>*</q1:Data>
</q1:Element>
</q1:Value>
</q1:ListBox>
<q1:Text>
<q1:Name>To turn on logging for the Windows PowerShell core modules, type the following module names in the list:</q1:Name>
</q1:Text>
<q1:Text>
<q1:Name>Microsoft.PowerShell.*</q1:Name>
</q1:Text>
<q1:Text>
<q1:Name>Microsoft.WSMan.Management</q1:Name>
</q1:Text>
</q1:Policy>
<q1:Policy>
<q1:Name>Turn on PowerShell Transcription</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>
This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts.
If you enable this policy setting, Windows PowerShell will enable transcripting for Windows PowerShell, the Windows PowerShell ISE, and any other
applications that leverage the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each users' My Documents
directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time started. Enabling this policy is equivalent
to calling the Start-Transcript cmdlet on each Windows PowerShell session.
If you disable this policy setting, transcripting of PowerShell-based applications is disabled by default, although transcripting can still be enabled
through the Start-Transcript cmdlet.
If you use the OutputDirectory setting to enable transcript logging to a shared location, be sure to limit access to that directory to prevent users
from viewing the transcripts of other users or computers.
Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
</q1:Explain>
<q1:Supported>At least Microsoft Windows 7 or Windows Server 2008 family</q1:Supported>
<q1:Category>Windows Components/Windows PowerShell</q1:Category>
<q1:EditText>
<q1:Name>Transcript output directory</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Value>\\wef.windomain.local\pslogs</q1:Value>
</q1:EditText>
<q1:CheckBox>
<q1:Name>Include invocation headers:</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
</q1:Policy>
</Extension>
<Name>Registry</Name>
</ExtensionData>
</Computer>
<User>
<VersionDirectory>0</VersionDirectory>
<VersionSysvol>0</VersionSysvol>
<Enabled>true</Enabled>
</User>
<LinksTo>
<SOMName>windomain</SOMName>
<SOMPath>windomain.local</SOMPath>
<Enabled>true</Enabled>
<NoOverride>false</NoOverride>
</LinksTo>
</GPO>
Reference in New Issue View Git Blame Copy Permalink