question

AlbertPang-7301 avatar image
0 Votes"
AlbertPang-7301 asked ·

SCCM 1906 - Local Computer Policy settings

In SCCM 1906, is there a way to find out which computers have a Local Computer Policy set?

"Deny access to this computer from the network" is under Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

Normally "Guest" is the only account which is denied access through this policy.

Is there a way to discover computers which have other accounts listed in this policy?
Or discover computers which have a specific account listed in this policy?

mem-cm-generalmsc-essentials-generalmsc-essentials-monitoring
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

XinGuo-MSFT avatar image
0 Votes"
XinGuo-MSFT answered ·

Hi,

I'm afraid we can't get this list.

User Rights security settings are not registry keys. Security information is stored in templates (.inf files) or in the Secedit.sdb database.

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/security-policy-settings#security-settings-policies-and-group-policy


FYI: We could use the Domain Policy override the Local Policy.



If the response is helpful, please click "Accept Answer" and upvote it.

· 1 · Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Just because it's not a registry value doesn't mean it can't be queried. The built-in Windows tool secedit will query this and the output from secedit can easily be parsed using PowerShell: https://www.powershellbros.com/get-user-rights-assignment-security-policy-settings/. This can then be run using a script in ConfigMgr, a configuration baseline, or even used to populate a custom WMI Class which can then be inventoried by ConfigMgr.

0 Votes 0 ·