{"id":208101,"date":"2023-09-13T11:34:27","date_gmt":"2023-09-13T11:34:27","guid":{"rendered":"https:\/\/www.ninjaone.com\/script-hub\/disabilitare-gli-strumenti-di-amministrazione-locale-in-windows-con-powershell\/"},"modified":"2024-03-04T17:06:20","modified_gmt":"2024-03-04T17:06:20","slug":"disabilitare-gli-strumenti-di-amministrazione-locale-in-windows-con-powershell","status":"publish","type":"script_hub","link":"https:\/\/www.ninjaonesandbox.dev\/it\/script-hub\/disabilitare-gli-strumenti-di-amministrazione-locale-in-windows-con-powershell\/","title":{"rendered":"Come disabilitare gli strumenti di amministrazione locale in Windows [script PowerShell]"},"content":{"rendered":"

Attenzione, professionista IT e fornitore di servizi gestiti (MSP): Se sei stato incaricato di mantenere la sicurezza della rete e l’accesso amministrativo, devi sapere che spesso \u00e8 pi\u00f9 facile a dirsi che a farsi. Un aspetto fondamentale \u00e8 la gestione degli strumenti di amministrazione locale a cui gli utenti non dovrebbero avere libero accesso. Questo ci porta a una domanda che viene spesso posta: Come puoi disabilitare gli strumenti di amministrazione locale<\/strong> su larga scala?<\/span>\u00a0<\/span><\/p>\n

Abbiamo uno script PowerShell completo che consente di disabilitare gli strumenti di amministrazione locale in modo selettivo in ambiente Windows.\u00a0<\/span><\/p>\n

Lo script PowerShell per disabilitare gli strumenti di amministrazione locale<\/h2>\n
#Requires -Version 5.1\r\n\r\n<#\r\n.SYNOPSIS\r\n    This will disable the selected administrator tools depending on your selection (Defaults to all). Can be given a comma seperated list\/string of tools to be disabled.\r\n    Can also be given a comma seperated list of users to exclude from this action. Full Options: \"All\", \"Cmd\", \"ControlPanel\", \"MMC\", \"RegistryEditor\", \"Run\", \"TaskMgr\"\r\n.DESCRIPTION\r\n    This will disable the selected administrator tools. The options are \"All\", the command prompt, the control panel, the microsoft management console,\r\n    the registry editor, the run command window and task manager. You can give it a comma seperated list of items if you want to disable some but not all.\r\n    Exit 1 is usually an indicator of bad input but can also mean editing the registry is blocked.\r\n.EXAMPLE\r\n    PS C:> .Disable-LocalAdminTools.ps1 -Tools \"MMC,Cmd,TaskMgr,RegistryEditor\"\r\n    Disabling MMC...\r\n    Set Registry::HKEY_USERSDefaultProfileSoftwarePoliciesMicrosoftMMCRestrictToPermittedSnapins to...\r\n    Disabling Cmd...\r\n    Set Registry::HKEY_USERSDefaultProfileSoftwarePoliciesMicrosoftWindowsDisableCMD to...\r\n    Disabling TaskMgr...\r\n    Set Registry::HKEY_USERSDefaultProfileSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableTaskMgr to...\r\n    Disabling RegistryEditor...\r\n    Set Registry::HKEY_USERSDefaultProfileSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableRegistryTools to...\r\n.OUTPUTS\r\n    None\r\n.NOTES\r\n    General notes: Will set the regkeys for users created after this script is ran.\r\n    Release Notes:\r\n    Initial Release\r\n    (c) 2023 NinjaOne\r\n    By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https:\/\/www.ninjaonesandbox.dev\/it\/condizioni-utilizzo\r\n    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. \r\n    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. \r\n    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. \r\n    Warranty Disclaimer: The script is provided \u201cas is\u201d and \u201cas available\u201d, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. \r\n    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. \r\n    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. \r\n    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).\r\n#>\r\n\r\n[CmdletBinding()]\r\nparam (\r\n    [Parameter()]\r\n    [String]$Tools = \"All\",\r\n    [Parameter()]\r\n    [String]$ExcludedUsers\r\n    <#\r\n        ## ParameterName Requirement DefaultValue Type Options Description ##\r\n        All Optional true CHECKBOX All Admin Tools\r\n        Cmd Optional false CHECKBOX Command Prompt\r\n        ControlPanel Optional false CHECKBOX Control Panel\r\n        MMC Optional false CHECKBOX Microsoft Managment Console\r\n        RegistryEditor Optional false CHECKBOX The Registry Editor\r\n        Run Optional false CHECKBOX Run Command Window\r\n        TaskMgr Optional false CHECKBOX Task Manager\r\n        ExcludedUsers Optional none TEXT Comma seperated list of users you would like to exclude.\r\n    #>\r\n)\r\n\r\nbegin {\r\n    # Lets double check that this script is being run appropriately\r\n    function Test-IsElevated {\r\n        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()\r\n        $p = New-Object System.Security.Principal.WindowsPrincipal($id)\r\n        $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)\r\n    }\r\n\r\n    function Test-IsSystem {\r\n        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()\r\n        return $id.Name -like \"NT AUTHORITY*\" -or $id.IsSystem\r\n    }\r\n\r\n    if (!(Test-IsElevated) -and !(Test-IsSystem)) {\r\n        Write-Error -Message \"[Error] Access Denied. Please run with Administrator privileges.\"\r\n        exit 1\r\n    }\r\n\r\n    # Setting up some functions to be used later.\r\n    function Set-HKProperty {\r\n        param (\r\n            $Path,\r\n            $Name,\r\n            $Value,\r\n            [ValidateSet('DWord', 'QWord', 'String', 'ExpandedString', 'Binary', 'MultiString', 'Unknown')]\r\n            $PropertyType = 'DWord'\r\n        )\r\n        if (-not $(Test-Path -Path $Path)) {\r\n            # Check if path does not exist and create the path\r\n            New-Item -Path $Path -Force | Out-Null\r\n        }\r\n        if ((Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore)) {\r\n            # Update property and print out what it was changed from and changed to\r\n            $CurrentValue = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore\r\n            try {\r\n                Set-ItemProperty -Path $Path -Name $Name -Value $Value -Force -Confirm:$false -ErrorAction Stop | Out-Null\r\n            }\r\n            catch {\r\n                Write-Error \"[Error] Unable to Set registry key for $Name please see below error!\"\r\n                Write-Error $_\r\n                exit 1\r\n            }\r\n            Write-Host \"$Path$Name changed from $CurrentValue to $(Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore)\"\r\n        }\r\n        else {\r\n            # Create property with value\r\n            try {\r\n                New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $PropertyType -Force -Confirm:$false -ErrorAction Stop | Out-Null\r\n            }\r\n            catch {\r\n                Write-Error \"[Error] Unable to Set registry key for $Name please see below error!\"\r\n                Write-Error $_\r\n                exit 1\r\n            }\r\n            Write-Host \"Set $Path$Name to $(Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore)\"\r\n        }\r\n    }\r\n\r\n    # This will get all the registry path's for all actual users (not system or network service account but actual users.)\r\n    function Get-UserHives {\r\n        param (\r\n            [Parameter()]\r\n            [ValidateSet('AzureAD', 'DomainAndLocal', 'All')]\r\n            [String]$Type = \"All\",\r\n            [Parameter()]\r\n            [String[]]$ExcludedUsers,\r\n            [Parameter()]\r\n            [switch]$IncludeDefault\r\n        )\r\n\r\n        # User account SID's follow a particular patter depending on if they're azure AD or a Domain account or a local \"workgroup\" account.\r\n        $Patterns = switch ($Type) {\r\n            \"AzureAD\" { \"S-1-12-1-(d+-?){4}$\" }\r\n            \"DomainAndLocal\" { \"S-1-5-21-(d+-?){4}$\" }\r\n            \"All\" { \"S-1-12-1-(d+-?){4}$\" ; \"S-1-5-21-(d+-?){4}$\" } \r\n        }\r\n\r\n        # We'll need the NTuser.dat file to load each users registry hive. So we grab it if their account sid matches the above pattern. \r\n        $UserProfiles = Foreach ($Pattern in $Patterns) { \r\n            Get-ItemProperty \"HKLM:SOFTWAREMicrosoftWindows NTCurrentVersionProfileList*\" |\r\n                Where-Object { $_.PSChildName -match $Pattern } | \r\n                Select-Object @{Name = \"SID\"; Expression = { $_.PSChildName } }, \r\n                @{Name = \"UserHive\"; Expression = { \"$($_.ProfileImagePath)NTuser.dat\" } }, \r\n                @{Name = \"UserName\"; Expression = { \"$($_.ProfileImagePath | Split-Path -Leaf)\" } }\r\n        }\r\n\r\n        # There are some situations where grabbing the .Default user's info is needed.\r\n        switch ($IncludeDefault) {\r\n            $True {\r\n                $DefaultProfile = \"\" | Select-Object UserName, SID, UserHive\r\n                $DefaultProfile.UserName = \"Default\"\r\n                $DefaultProfile.SID = \"DefaultProfile\"\r\n                $DefaultProfile.Userhive = \"$env:SystemDriveUsersDefaultNTUSER.DAT\"\r\n\r\n                # It was easier to write-output twice than combine the two objects.\r\n                $DefaultProfile | Where-Object { $ExcludedUsers -notcontains $_.UserName } | Write-Output\r\n            }\r\n        }\r\n\r\n        $UserProfiles | Where-Object { $ExcludedUsers -notcontains $_.UserName } | Write-Output\r\n    }\r\n\r\n    function Set-Tool {\r\n        [CmdletBinding()]\r\n        param(\r\n            [Parameter()]\r\n            [ValidateSet(\"All\", \"Cmd\", \"ControlPanel\", \"MMC\", \"RegistryEditor\", \"Run\", \"TaskMgr\")]\r\n            [string]$Tool,\r\n            [string]$key\r\n        )\r\n        process {\r\n            # Each option has a different registry key to change. Since this function only supports 1 item at a time I can check which option and set the regkey individually.\r\n            Write-Host \"Disabling $Tool...\"\r\n            switch ($Tool) {\r\n                \"Cmd\" { Set-HKProperty -Path $keySoftwarePoliciesMicrosoftWindowsSystem -Name DisableCMD -Value 1 }\r\n                \"ControlPanel\" { Set-HKProperty -Path $keySoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer -Name NoControlPanel -Value 1 }\r\n                \"MMC\" { Set-HKProperty -Path $keySoftwarePoliciesMicrosoftMMC -Name RestrictToPermittedSnapins -Value 1 }\r\n                \"RegistryEditor\" { Set-HKProperty -Path $keySoftwareMicrosoftWindowsCurrentVersionPoliciesSystem -Name DisableRegistryTools -Value 1 }\r\n                \"Run\" { Set-HKProperty -Path $keySoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer -Name NoRun -Value 1 }\r\n                \"TaskMgr\" { Set-HKProperty -Path $keySoftwareMicrosoftWindowsCurrentVersionPoliciesSystem -Name DisableTaskMgr -Value 1 }\r\n                \"All\" {\r\n                    Set-HKProperty -Path $keySoftwarePoliciesMicrosoftWindowsSystem -Name DisableCMD -Value 1\r\n                    Set-HKProperty -Path $keySoftwareMicrosoftWindowsCurrentVersionPoliciesSystem -Name NoDispCPL -Value 1\r\n                    Set-HKProperty -Path $keySoftwarePoliciesMicrosoftMMC -Name RestrictToPermittedSnapins -Value 1\r\n                    Set-HKProperty -Path $keySoftwareMicrosoftWindowsCurrentVersionPoliciesSystem -Name DisableRegistryTools -Value 1\r\n                    Set-HKProperty -Path $keySoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer -Name NoRun -Value 1\r\n                    Set-HKProperty -Path $keySoftwareMicrosoftWindowsCurrentVersionPoliciesSystem -Name DisableTaskMgr -Value 1\r\n                }\r\n            }\r\n        }\r\n    }\r\n}\r\nprocess {\r\n\r\n    # Get each user profile SID and Path to the profile. If there are any exclusions we'll have to take them into account.\r\n    if($ExcludedUsers -or $env:ExcludedUsers){\r\n        if($env:ExcludedUsers){\r\n            $ToBeExcluded = @()\r\n            $ToBeExcluded += $env:ExcludedUsers.split(\",\").trim()\r\n            Write-Warning \"The Following Users will not have your selected tools disabled. $ToBeExcluded\"\r\n        }else{\r\n            $ToBeExcluded = @()\r\n            $ToBeExcluded += $ExcludedUsers.split(\",\").trim()\r\n            Write-Warning \"The Following Users will not have your selected tools disabled. $ToBeExcluded\"\r\n        }\r\n        $UserProfiles = Get-UserHives -IncludeDefault -ExcludedUsers $ToBeExcluded\r\n    }else{\r\n        $UserProfiles = Get-UserHives -IncludeDefault\r\n    }\r\n\r\n    # Loop through each profile on the machine\r\n    Foreach ($UserProfile in $UserProfiles) {\r\n        # Load each user's registry hive if not already loaded. Backticked \"UserProfile.UserHive\" so that it accounts for spaces in the username.\r\n        If (($ProfileWasLoaded = Test-Path Registry::HKEY_USERS$($UserProfile.SID)) -eq $false) {\r\n            Start-Process -FilePath \"cmd.exe\" -ArgumentList \"\/C reg.exe LOAD HKU$($UserProfile.SID) `\"$($UserProfile.UserHive)`\"\" -Wait -WindowStyle Hidden\r\n        }\r\n        # The path is different for each individual user. This is the base path.\r\n        $key = \"Registry::HKEY_USERS$($UserProfile.SID)\"\r\n\r\n        # List of checkbox items\r\n        $CheckboxItems = \"Cmd\", \"ControlPanel\", \"MMC\", \"RegistryEditor\", \"Run\", \"TaskMgr\"\r\n        # Checkboxes come in as environmental variables. This'll grab the ones that were selected (if any)\r\n        $EnvItems = Get-ChildItem env:* | Where-Object { $CheckboxItems -contains $_.Name }\r\n\r\n        # This will grab the tool selections from the parameter field. Since it comes in as a string we'll have to split it up.\r\n        $Tool = $Tools.split(\",\").trim()\r\n\r\n        # If the checkbox for all was selected I can just run the function once instead of running it repeatedly for the same thing.\r\n        if ($env:All) {\r\n            Set-Tool -Tool \"All\" -Key $key\r\n        }elseif ($EnvItems) {\r\n            # If checkboxes were used we should just use those.\r\n            $EnvItems | ForEach-Object { Set-Tool -Tool $_.Name -Key $key }\r\n        }else {\r\n            $Tool | ForEach-Object { Set-Tool -Tool $_ -Key $key }\r\n        }\r\n\r\n        # Unload NTuser.dat for user's we loaded previously.\r\n        If ($ProfileWasLoaded -eq $false) {\r\n            [gc]::Collect()\r\n            Start-Sleep -Seconds 1\r\n            Start-Process -FilePath \"cmd.exe\" -ArgumentList \"\/C reg.exe UNLOAD HKU$($UserProfile.SID)\" -Wait -WindowStyle Hidden | Out-Null\r\n        }\r\n    }\r\n    \r\n}\r\nend {\r\n    \r\n}<\/pre>\n
|<\/p>\n
#Requires -Version 5.1\r\n\r\n<#\r\n.SYNOPSIS\r\n    This will disable the selected administrator tools depending on your selection (Defaults to all). Can be given a comma separated list of users to exclude from this action.\r\n.DESCRIPTION\r\n    This will disable the selected administrator tools. The options are \"All\", the command prompt, the control panel, the microsoft management console,\r\n    the registry editor, the run command window and task manager. You can give it a comma separated list of items if you want to disable some but not all.\r\n    Exit 1 is usually an indicator of bad input but can also mean editing the registry is blocked.\r\n.EXAMPLE\r\n    PS C:> .Disable-LocalAdminTools.ps1 -Tools \"MMC,Cmd,TaskMgr,RegistryEditor\"\r\n    Disabling MMC...\r\n    Set Registry::HKEY_USERSDefaultProfileSoftwarePoliciesMicrosoftMMCRestrictToPermittedSnapins to...\r\n    Disabling Cmd...\r\n    Set Registry::HKEY_USERSDefaultProfileSoftwarePoliciesMicrosoftWindowsDisableCMD to...\r\n    Disabling TaskMgr...\r\n    Set Registry::HKEY_USERSDefaultProfileSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableTaskMgr to...\r\n    Disabling RegistryEditor...\r\n    Set Registry::HKEY_USERSDefaultProfileSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableRegistryTools to...\r\n.OUTPUTS\r\n    None\r\n.NOTES\r\n    Minimum Supported OS: Windows 10, Windows Server 2016+\r\n    Release Notes: Renamed script and added Script Variable support\r\nBy using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https:\/\/www.ninjaonesandbox.dev\/terms-of-use.\r\n    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. \r\n    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. \r\n    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. \r\n    Warranty Disclaimer: The script is provided \u201cas is\u201d and \u201cas available\u201d, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. \r\n    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. \r\n    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. \r\n    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).\r\n#>\r\n\r\n[CmdletBinding()]\r\nparam (\r\n    [Parameter()]\r\n    [String]$Tools = \"All\",\r\n    [Parameter()]\r\n    [String]$ExcludedUsers\r\n)\r\n\r\nbegin {\r\n    \r\n    if ($env:excludeUsers -and $env:excludeUsers -notlike \"null\") { $ExcludedUsers = $env:excludeUsers }\r\n    \r\n    # Lets double check that this script is being run appropriately\r\n    function Test-IsElevated {\r\n        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()\r\n        $p = New-Object System.Security.Principal.WindowsPrincipal($id)\r\n        $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)\r\n    }\r\n\r\n    function Test-IsSystem {\r\n        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()\r\n        return $id.Name -like \"NT AUTHORITY*\" -or $id.IsSystem\r\n    }\r\n\r\n    if (!(Test-IsElevated) -and !(Test-IsSystem)) {\r\n        Write-Error -Message \"[Error] Access Denied. Please run with Administrator privileges.\"\r\n        exit 1\r\n    }\r\n\r\n    # Setting up some functions to be used later.\r\n    function Set-HKProperty {\r\n        param (\r\n            $Path,\r\n            $Name,\r\n            $Value,\r\n            [ValidateSet('DWord', 'QWord', 'String', 'ExpandedString', 'Binary', 'MultiString', 'Unknown')]\r\n            $PropertyType = 'DWord'\r\n        )\r\n        if (-not $(Test-Path -Path $Path)) {\r\n            # Check if path does not exist and create the path\r\n            New-Item -Path $Path -Force | Out-Null\r\n        }\r\n        if ((Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore)) {\r\n            # Update property and print out what it was changed from and changed to\r\n            $CurrentValue = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore\r\n            try {\r\n                Set-ItemProperty -Path $Path -Name $Name -Value $Value -Force -Confirm:$false -ErrorAction Stop | Out-Null\r\n            }\r\n            catch {\r\n                Write-Error \"[Error] Unable to Set registry key for $Name please see below error!\"\r\n                Write-Error $_\r\n                exit 1\r\n            }\r\n            Write-Host \"$Path$Name changed from $CurrentValue to $(Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore)\"\r\n        }\r\n        else {\r\n            # Create property with value\r\n            try {\r\n                New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $PropertyType -Force -Confirm:$false -ErrorAction Stop | Out-Null\r\n            }\r\n            catch {\r\n                Write-Error \"[Error] Unable to Set registry key for $Name please see below error!\"\r\n                Write-Error $_\r\n                exit 1\r\n            }\r\n            Write-Host \"Set $Path$Name to $(Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore)\"\r\n        }\r\n    }\r\n\r\n    # This will get all the registry path's for all actual users (not system or network service account but actual users.)\r\n    function Get-UserHives {\r\n        param (\r\n            [Parameter()]\r\n            [ValidateSet('AzureAD', 'DomainAndLocal', 'All')]\r\n            [String]$Type = \"All\",\r\n            [Parameter()]\r\n            [String[]]$ExcludedUsers,\r\n            [Parameter()]\r\n            [switch]$IncludeDefault\r\n        )\r\n\r\n        # User account SID's follow a particular patter depending on if they're azure AD or a Domain account or a local \"workgroup\" account.\r\n        $Patterns = switch ($Type) {\r\n            \"AzureAD\" { \"S-1-12-1-(d+-?){4}$\" }\r\n            \"DomainAndLocal\" { \"S-1-5-21-(d+-?){4}$\" }\r\n            \"All\" { \"S-1-12-1-(d+-?){4}$\" ; \"S-1-5-21-(d+-?){4}$\" } \r\n        }\r\n\r\n        # We'll need the NTuser.dat file to load each users registry hive. So we grab it if their account sid matches the above pattern. \r\n        $UserProfiles = Foreach ($Pattern in $Patterns) { \r\n            Get-ItemProperty \"HKLM:SOFTWAREMicrosoftWindows NTCurrentVersionProfileList*\" |\r\n                Where-Object { $_.PSChildName -match $Pattern } | \r\n                Select-Object @{Name = \"SID\"; Expression = { $_.PSChildName } }, \r\n                @{Name = \"UserHive\"; Expression = { \"$($_.ProfileImagePath)NTuser.dat\" } }, \r\n                @{Name = \"UserName\"; Expression = { \"$($_.ProfileImagePath | Split-Path -Leaf)\" } }\r\n        }\r\n\r\n        # There are some situations where grabbing the .Default user's info is needed.\r\n        switch ($IncludeDefault) {\r\n            $True {\r\n                $DefaultProfile = \"\" | Select-Object UserName, SID, UserHive\r\n                $DefaultProfile.UserName = \"Default\"\r\n                $DefaultProfile.SID = \"DefaultProfile\"\r\n                $DefaultProfile.Userhive = \"$env:SystemDriveUsersDefaultNTUSER.DAT\"\r\n\r\n                # It was easier to write-output twice than combine the two objects.\r\n                $DefaultProfile | Where-Object { $ExcludedUsers -notcontains $_.UserName } | Write-Output\r\n            }\r\n        }\r\n\r\n        $UserProfiles | Where-Object { $ExcludedUsers -notcontains $_.UserName } | Write-Output\r\n    }\r\n\r\n    function Set-Tool {\r\n        [CmdletBinding()]\r\n        param(\r\n            [Parameter()]\r\n            [ValidateSet(\"All\", \"Cmd\", \"ControlPanel\", \"theControlPanel\", \"MMC\", \"RegistryEditor\", \"theRegistryEditor\", \"Run\", \"TaskMgr\", \"taskManager\")]\r\n            [string]$Tool,\r\n            [string]$key\r\n        )\r\n        process {\r\n            # Each option has a different registry key to change. Since this function only supports 1 item at a time I can check which option and set the regkey individually.\r\n            Write-Host \"Disabling $Tool...\"\r\n            switch ($Tool) {\r\n                \"Cmd\" { Set-HKProperty -Path $keySoftwarePoliciesMicrosoftWindowsSystem -Name DisableCMD -Value 1 }\r\n                \"ControlPanel\" { Set-HKProperty -Path $keySoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer -Name NoControlPanel -Value 1 }\r\n                \"theControlPanel\" { Set-HKProperty -Path $keySoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer -Name NoControlPanel -Value 1 }\r\n                \"MMC\" { Set-HKProperty -Path $keySoftwarePoliciesMicrosoftMMC -Name RestrictToPermittedSnapins -Value 1 }\r\n                \"RegistryEditor\" { Set-HKProperty -Path $keySoftwareMicrosoftWindowsCurrentVersionPoliciesSystem -Name DisableRegistryTools -Value 1 }\r\n                \"theRegistryEditor\" { Set-HKProperty -Path $keySoftwareMicrosoftWindowsCurrentVersionPoliciesSystem -Name DisableRegistryTools -Value 1 }\r\n                \"Run\" { Set-HKProperty -Path $keySoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer -Name NoRun -Value 1 }\r\n                \"TaskMgr\" { Set-HKProperty -Path $keySoftwareMicrosoftWindowsCurrentVersionPoliciesSystem -Name DisableTaskMgr -Value 1 }\r\n                \"taskManager\" { Set-HKProperty -Path $keySoftwareMicrosoftWindowsCurrentVersionPoliciesSystem -Name DisableTaskMgr -Value 1 }\r\n                \"All\" {\r\n                    Set-HKProperty -Path $keySoftwarePoliciesMicrosoftWindowsSystem -Name DisableCMD -Value 1\r\n                    Set-HKProperty -Path $keySoftwareMicrosoftWindowsCurrentVersionPoliciesSystem -Name NoDispCPL -Value 1\r\n                    Set-HKProperty -Path $keySoftwarePoliciesMicrosoftMMC -Name RestrictToPermittedSnapins -Value 1\r\n                    Set-HKProperty -Path $keySoftwareMicrosoftWindowsCurrentVersionPoliciesSystem -Name DisableRegistryTools -Value 1\r\n                    Set-HKProperty -Path $keySoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer -Name NoRun -Value 1\r\n                    Set-HKProperty -Path $keySoftwareMicrosoftWindowsCurrentVersionPoliciesSystem -Name DisableTaskMgr -Value 1\r\n                }\r\n            }\r\n        }\r\n    }\r\n}\r\nprocess {\r\n\r\n    # Get each user profile SID and Path to the profile. If there are any exclusions we'll have to take them into account.\r\n    if ($ExcludedUsers) {\r\n        $ToBeExcluded = New-Object System.Collections.Generic.List[string]\r\n        $ExcludedUsers.split(\",\").trim() | ForEach-Object { if ($_) { $ToBeExcluded.Add($_) } }\r\n        Write-Warning \"The Following Users will not have your selected tools disabled. $ToBeExcluded\"\r\n        $UserProfiles = Get-UserHives -IncludeDefault -ExcludedUsers $ToBeExcluded\r\n    }\r\n    else {\r\n        $UserProfiles = Get-UserHives -IncludeDefault\r\n    }\r\n\r\n    # Loop through each profile on the machine\r\n    Foreach ($UserProfile in $UserProfiles) {\r\n        # Load each user's registry hive if not already loaded. Backticked \"UserProfile.UserHive\" so that it accounts for spaces in the username.\r\n        If (($ProfileWasLoaded = Test-Path Registry::HKEY_USERS$($UserProfile.SID)) -eq $false) {\r\n            Start-Process -FilePath \"cmd.exe\" -ArgumentList \"\/C reg.exe LOAD HKU$($UserProfile.SID) `\"$($UserProfile.UserHive)`\"\" -Wait -WindowStyle Hidden\r\n        }\r\n        # The path is different for each individual user. This is the base path.\r\n        $key = \"Registry::HKEY_USERS$($UserProfile.SID)\"\r\n\r\n        # List of checkbox items\r\n        $CheckboxItems = \"cmd\", \"theControlPanel\", \"mmc\", \"theRegistryEditor\", \"run\", \"taskManager\"\r\n        # Checkboxes come in as environmental variables. This'll grab the ones that were selected (if any)\r\n        $EnvItems = Get-ChildItem env:* | Where-Object { $CheckboxItems -contains $_.Name -and $_.Value -notlike \"false\" }\r\n\r\n        # This will grab the tool selections from the parameter field. Since it comes in as a string we'll have to split it up.\r\n        $Tool = $Tools.split(\",\").trim()\r\n\r\n        # If the checkbox for all was selected I can just run the function once instead of running it repeatedly for the same thing.\r\n        if ($env:allTools -and $env:allTools -notlike \"false\") {\r\n            Set-Tool -Tool \"All\" -Key $key\r\n        }\r\n        elseif ($EnvItems) {\r\n            # If checkboxes were used we should just use those.\r\n            $EnvItems | ForEach-Object { Set-Tool -Tool $_.Name -Key $key }\r\n        }\r\n        else {\r\n            $Tool | ForEach-Object { Set-Tool -Tool $_ -Key $key }\r\n        }\r\n\r\n        # Unload NTuser.dat for user's we loaded previously.\r\n        If ($ProfileWasLoaded -eq $false) {\r\n            [gc]::Collect()\r\n            Start-Sleep -Seconds 1\r\n            Start-Process -FilePath \"cmd.exe\" -ArgumentList \"\/C reg.exe UNLOAD HKU$($UserProfile.SID)\" -Wait -WindowStyle Hidden | Out-Null\r\n        }\r\n    }\r\n    \r\n}\r\nend {\r\n    \r\n    \r\n    \r\n}<\/pre>\n
 <\/p>\n\n
Accedi a oltre 700 script nel Dojo di NinjaOne Ottieni l’accesso<\/a><\/p>\n<\/div>\n
Come funziona lo script<\/h2>\n
Lo script per disabilitare gli strumenti di amministrazione locale di cui parliamo \u00e8 scritto in PowerShell ed \u00e8 progettato per disabilitare strumenti amministrativi specifici su macchine locali. \u00c8 stato ottimizzato per funzionare con PowerShell 5.1 e presenta varie opzioni selezionabili come Prompt dei comandi, Pannello di controllo, Microsoft Management Console (MMC), Editor del registro, Finestra dei comandi di esecuzione e Task Manager. \u00c8 possibile disabilitare tutti gli strumenti di amministrazione locale o scegliere da un elenco separato da virgole di disabilitarne soltanto alcuni.<\/span>\u00a0<\/span><\/p>\n
Inoltre, lo script consente di escludere determinati profili utente da questa azione. Se hai bisogno che alcuni utenti mantengano le loro capacit\u00e0 di utilizzare gli strumenti di amministrazione locale, potrai fare in modo che questo avvenga facilmente.<\/span>\u00a0<\/span><\/p>\n
Questo script PowerShell esegue tre importanti convalide:<\/span>\u00a0<\/span><\/p>\n
    \n
  1. Controlla se lo script viene eseguito con privilegi amministrativi.<\/span>\u00a0<\/span><\/li>\n
  2. Carica le chiavi di registro per ogni profilo utente, fatta eccezione per quelle esplicitamente escluse.<\/span>\u00a0<\/span><\/li>\n
  3. Modifica o imposta le chiavi di registro per disabilitare gli strumenti di amministrazione locale selezionati.<\/span>\u00a0<\/span><\/li>\n<\/ol>\n
    Non si tratta solo di disabilitazione, ma di controllo e specificit\u00e0, il che rende questo script molto versatile per gli amministratori IT e gli MSP.<\/span>\u00a0<\/span><\/p>\n
    Perch\u00e9 i professionisti IT e gli MSP dovrebbero interessarsene<\/span><\/span><\/h2>\n
    Controllo centralizzato<\/span>\u00a0<\/span><\/h3>\n
    Utilizzando questo script PowerShell per disabilitare gli strumenti di amministrazione locale, i professionisti IT possono disabilitare gli strumenti di amministrazione locale in modo centralizzato, riducendo in modo significativo il tempo necessario per eseguire questa operazione manualmente per ogni utente.<\/span>\u00a0<\/span><\/p>\n
    Sicurezza<\/span>\u00a0<\/span><\/h3>\n
    Disabilitare gli strumenti di amministrazione locale aumenta la sicurezza limitando la possibilit\u00e0 per gli utenti di apportare modifiche a livello di sistema. Questo \u00e8 particolarmente utile negli ambienti in cui si desidera ridurre al minimo i potenziali rischi per la sicurezza che arrivano dall\u2019interno.<\/span>\u00a0<\/span><\/p>\n
    Versatilit\u00e0<\/span>\u00a0<\/span><\/h3>\n
    La capacit\u00e0 dello script di disabilitare gli strumenti di amministrazione locale in modo selettivo e di escludere utenti specifici gli conferisce una flessibilit\u00e0 perfetta per diversi ambienti IT. Non si tratta di una soluzione valida per tutti, ma di una soluzione che pu\u00f2 essere personalizzata secondo le necessit\u00e0.<\/span>\u00a0<\/span><\/p>\n
    Automazione e scalabilit\u00e0<\/span>\u00a0<\/span><\/h3>\n
    Per gli MSP, lo script pu\u00f2 essere integrato nei processi di distribuzione automatizzati e pu\u00f2 essere reso cos\u00ec scalabile per reti di grandi dimensioni. Immagina la comodit\u00e0 di poterlo distribuire su migliaia di macchine con pochi clic.<\/span>\u00a0<\/span><\/p>\n
    Come distribuirlo<\/h2>\n
    \u00c8 sufficiente scaricare lo script Disable-LocalAdminTools.ps1 ed eseguirlo tramite PowerShell sui computer di destinazione. Lo script supporta diverse opzioni da riga di comando per regolare con precisione quello che desideri disabilitare.<\/span>\u00a0<\/span><\/p>\n
    PS C:> .Disable-LocalAdminTools.ps1 -Tools “MMC,Cmd,TaskMgr,RegistryEditor”<\/span><\/i><\/p>\n
    Considerazioni finali<\/h2>\n
    Che tu sia un professionista IT alla ricerca di una soluzione per disabilitare gli strumenti di amministrazione locale o un MSP alla ricerca di uno script, facilmente implementabile, per disabilitare gli strumenti di amministrazione locale, questo script PowerShell ti offre una soluzione solida, flessibile ed efficiente. Una soluzione che trasforma la complessit\u00e0 in semplicit\u00e0, offrendo un maggiore controllo sulle impostazioni di sicurezza della rete.<\/span>\u00a0<\/span><\/p>\n
    Rimani all’avanguardia utilizzando questo approccio efficiente e mirato all’accesso amministrativo. Buon scripting!<\/span>\u00a0<\/span><\/p>\n","protected":false},"author":35,"featured_media":206852,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","_lmt_disableupdate":"no","_lmt_disable":""},"operating_system":[4212],"use_cases":[4277],"class_list":["post-208101","script_hub","type-script_hub","status-publish","has-post-thumbnail","hentry","script_hub_category-windows"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.ninjaonesandbox.dev\/it\/wp-json\/wp\/v2\/script_hub\/208101","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ninjaonesandbox.dev\/it\/wp-json\/wp\/v2\/script_hub"}],"about":[{"href":"https:\/\/www.ninjaonesandbox.dev\/it\/wp-json\/wp\/v2\/types\/script_hub"}],"author":[{"embeddable":true,"href":"https:\/\/www.ninjaonesandbox.dev\/it\/wp-json\/wp\/v2\/users\/35"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ninjaonesandbox.dev\/it\/wp-json\/wp\/v2\/comments?post=208101"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ninjaonesandbox.dev\/it\/wp-json\/wp\/v2\/media\/206852"}],"wp:attachment":[{"href":"https:\/\/www.ninjaonesandbox.dev\/it\/wp-json\/wp\/v2\/media?parent=208101"}],"wp:term":[{"taxonomy":"script_hub_category","embeddable":true,"href":"https:\/\/www.ninjaonesandbox.dev\/it\/wp-json\/wp\/v2\/operating_system?post=208101"},{"taxonomy":"use_cases","embeddable":true,"href":"https:\/\/www.ninjaonesandbox.dev\/it\/wp-json\/wp\/v2\/use_cases?post=208101"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}