Assistance with changing local security policy

What is the best method for changing the local security policy on a PC via PowerShell?

I need to update the membership for Local Policies > User Rights Assignment > Access this computer from the network via PowerShell, but I am having issues determining the best way to accomplish this.

I am fairly new to PowerShell, so please forgive me if I am not familiar with more advanced commands and scripting.

 

Thanks

I don’t think there is a native PowerShell way to do this. You can however use secedit in PowerShell. Someone may have written a secedit wrapper for PowerShell. You might want to check the PowerShell gallery.

[quote quote=272437]I don’t think there is a native PowerShell way to do this. You can however use secedit in PowerShell. Someone may have written a secedit wrapper for PowerShell. You might want to check the PowerShell gallery.

[/quote]

That’s what I had been seeing but wanted to make sure. I am not really following how to make the one simple change with secedit.

I found the ntrights.exe app from the Server 2003 Resource Kit that will make the change fairly simply, but I am not really sure about using the deprecated tool in my production environment.

Check out these resources

https://github.com/jborean93/PSPrivilege

https://gallery.technet.microsoft.com/scriptcenter/Grant-Revoke-Query-user-26e259b0

https://powershell.org/forums/topic/powershell-local-security-policy-help/

https://github.com/MicksITBlogs/PowerShell/blob/master/LGPO.ps1

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/secedit

Secedit is probably one of the best ways to do this, otherwise you are stacking piles of extra “stuff” onto your project. Adding a mansion on top of your sailboat.

Useful example taken from StackOve… and this below example shows turning off password complexity. Will have to mess around to find what you wanna do

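secedit /export /cfg c:\new.cfg   # export the current local security policy
${c:\new.cfg}=${c:\new.cfg} | % {$_.Replace('PasswordComplexity = 1', 'PasswordComplexity = 0')}   # the export writes settings as "Name = Value"
secedit /configure /db $env:windir\security\new.sdb /cfg c:\new.cfg /areas SECURITYPOLICY   # apply the edited file
del c:\new.cfg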

If you run into issues, consider adding sleep commands somewhere in there to allow time for export etc

[quote quote=272503]https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/secedit

Secedit is probably one of the best ways to do this, otherwise you are stacking piles of extra “stuff” onto your project. Adding a mansion on top of your sailboat.

Useful example taken from StackOve… and this below example shows turning off password complexity. Will have to mess around to find what you wanna do

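secedit /export /cfg c:\new.cfg   # export the current local security policy
${c:\new.cfg}=${c:\new.cfg} | % {$_.Replace('PasswordComplexity = 1', 'PasswordComplexity = 0')}   # the export writes settings as "Name = Value"
secedit /configure /db $env:windir\security\new.sdb /cfg c:\new.cfg /areas SECURITYPOLICY   # apply the edited file
del c:\new.cfg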
If you run into issues, consider adding sleep commands somewhere in there to allow time for export etc

[/quote]

I see what I need to add to the new PCs from the cfg file that is created by secedit /export /cfg c:\new.cfg on an existing one, but I am not sure how to export/import only the one setting.

SeNetworkLogonRight = *S-1-1-0

Can the cfg file just be trimmed down to only make that one change, or do all the parameters need to be set for it to work?

The PCs we are editing are vendor PCs that are used by our office so I am attempting to just target the exact changes we need to make without potentially changing anything else unnecessarily.
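
An added example, not part of the thread and not from any of the linked projects: one way to apply only the SeNetworkLogonRight line with secedit by building a trimmed template and limiting the run to the USER_RIGHTS area. The function name, parameter and scratch file names are hypothetical, and it assumes that secedit /configure leaves settings not defined in the template as they are.

```powershell
# Added example, not from the thread. Add-NetworkLogonRight, $Sid and the scratch
# file names are hypothetical. Run from an elevated PowerShell session.
function Add-NetworkLogonRight {
    param([Parameter(Mandatory)][string]$Sid)   # e.g. 'S-1-1-0', the value quoted above

    $work = Join-Path $env:TEMP ("secedit-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $work | Out-Null
    $export   = Join-Path $work 'current-rights.inf'
    $template = Join-Path $work 'netlogon-only.inf'
    $db       = Join-Path $work 'netlogon-only.sdb'
    try {
        # 1. Export only the user rights area of the current local policy.
        secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /export returned $LASTEXITCODE" }

        # 2. Read the current membership. The INF line sets the whole list for
        #    the right, so existing entries are carried over before appending.
        $line = Get-Content $export |
            Where-Object { $_ -match '^\s*SeNetworkLogonRight\s*=' } |
            Select-Object -First 1
        $members = @()
        if ($line) {
            $members = @(($line -split '=', 2)[1].Split(',') |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
        if ($members -notcontains "*$Sid") { $members += "*$Sid" }

        # 3. Template with the required headers and this one right only.
        @(
            '[Unicode]', 'Unicode=yes',
            '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
            '[Privilege Rights]',
            "SeNetworkLogonRight = $($members -join ',')"
        ) | Set-Content -Path $template -Encoding Unicode

        # 4. Apply the USER_RIGHTS area from a scratch database.
        secedit /configure /db $db /cfg $template /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /configure returned $LASTEXITCODE" }
        return $members
    }
    finally {
        Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Add-NetworkLogonRight -Sid 'S-1-1-0'
```

Running secedit /export /areas USER_RIGHTS before and after and comparing the two files shows whether anything other than SeNetworkLogonRight changed.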