New Security Cmdlets in Nano Server

In Windows Server 2016 TP5, we included two new cmdlets to help manage security policy settings. While they are present on every install option of Windows Server, these are mostly useful on Nano Server because Nano Server does not support Group Policy.

Security-related settings include two different kinds of artifacts.

• .INF files containing security policy template settings. These are handled by the “securityCmdlets”(*) module that ships in Technical Preview 5

• .CSV files containing advanced audit settings. these are handled by the “securityCmdlets”(*) module that ships in Technical Preview 5

(*) – “securityCmdlets” is a temporary name for TP5. These modules will be renamed in a later release of Windows Server, which will be a breaking change. Please be aware any scripts that use this module will have to change for future releases of Windows Server 2016.

.INF files can be generated by SecEdit.exe on a Server with Desktop Experience or Server Core installation, or they can be generated with Backup-SecurityPolicy.

.CSV files can be generated by AuditPol.exe on a Server with Desktop Experience or Server Core installation, or they can be generated with Backup-AuditPolicy.

You can remotely invoke the following to import both advanced audit and security template settings to your Nano Server installation:

    Import-Module SecurityCmdlets

    #replace this string with the path to the .INF file

    $SecInf = "c:\GPO\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf"

    $AuditCsv = "c:\GPO\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"

     

    Restore-SecurityPolicy -Path $secInf

    Restore-AuditPolicy -Path $auditCsv