Powershell & Local Security Policy Help

dgoodrid · June 18, 2019, 10:18am

Hi, Im new to powershell so please be nice

I was just wondering if there is a way to configure the Local Security Policy - Password/Lockout Policy settings via Powershell

IE: Set the following policies

Enforce Password History - Example: 90 Days
Maximum Password Age - Example: 60 Days
Minimum Password Age - Example: 1 Day
Minimum Password Lenght - Example: 12 Characters
Passwords must meet Complexity Requirements - Example: Enabled
Store Passwords using reversible Encryption - Example: Enabled

Account Lockout Duration - Example: 30 mins
Account Lockout threshold - Example: 3 attempts
reset account lockout counter after - Example: 60 mins

Ive looked all over the web and cant find any solution to this, so was really hoping this is a posibility

Thanks
Dave

kvprasoon · June 18, 2019, 10:21am

I didn’t see any direct cmdlet for this, but you can get help with below module.

Some other related links…

https://stackoverflow.com/questions/23260656/modify-local-security-policy-using-powershell

And if you want to use DSC: GitHub - dsccommunity/SecurityPolicyDsc: A wrapper around secedit.exe to configure local security policies

js2010 · June 18, 2019, 12:44pm

I believe Local Security Policy is all registry and not in the .pol files.

grokkit · June 18, 2019, 2:22pm

Are you trying to change security policy for a single system, or for many systems on a domain?

If you’re working on a domain, you should be applying settings through group policies from the server. You may be able to use PowerShell to manage group policy, depending on your server version.

If you’re trying to change a single system that is connected to a domain, any changes you make will be overwritten by the group policy.

If you’re trying to make changes to a standalone system, you can edit the registry from PowerShell via the .Net RegistryKey class (that blog talks about doing it remotely, but you can do the same thing for the local registry). The registry keys mentioned here are a good place to start for the settings you want to change.

However, editing the registry is a quick way to make your computer unusable if you don’t know what you’re doing with it. If you are also new to registry editing, you should spend some time learning how to work on it using the built-in GUI tool (regedit) first, and also reading about how it works, before attempting to make changes to it with PowerShell. This will break your OS if you’re careless.

postanote · June 18, 2019, 6:14pm

Along with what the others point you to.

Note that the MS LGPO.exe is still available and use for this use case.

MicksITBlogs/PowerShell/blob/master/LGPO.ps1

<#
.SYNOPSIS
   Apply Local Group Policy
.Author
   Mick Pletcher
.Date
   23 February 2015
.EXAMPLE
   powershell.exe -executionpolicy bypass -file LGPO.ps1
#>


Function Import-LGPO {

	Param([String]$LGPOName, [String]$LGPOLocation, [String]$GPOType)
	
	$Executable = $Global:RelativePath+"ImportRegPol.exe"
	If ($GPOType -eq "Machine") {
		$GPOType = "\DomainSysvol\GPO\Machine\registry.pol"
	} else {

This file has been truncated. show original

fredrik-kacsmarck · June 19, 2019, 3:49am

You can use secedit.exe to export/import the settings as well.
It’s a bit fiddly so you probably want a VM with snapshots to try/error what works.
Have done it in the past but don’t have the code accessible right now.

As stated earlier however, this will only work in a non-domain joined machine since the GPO’s will override the settings.
Usually after 15min.

Topic		Replies	Views
Assistance with changing local security policy PowerShell Help	5	176	November 20, 2020
Changing Local User Passwords PowerShell Help	1	124	October 14, 2020
changing local admin password issue PowerShell Help	3	183	January 10, 2020
Edit Net Accounts Info PowerShell Help	9	80	October 27, 2015
disable - local security policy PowerShell Help	6	156	April 13, 2015

Powershell & Local Security Policy Help

Related Topics