PowerShell & Local Security Policy Help

Hi, I'm new to PowerShell so please be nice :slight_smile:

I was just wondering if there is a way to configure the Local Security Policy - Password/Lockout Policy settings via Powershell

 

IE: Set the following policies

Enforce Password History - Example: 90 Days
Maximum Password Age - Example: 60 Days
Minimum Password Age - Example: 1 Day
Minimum Password Length - Example: 12 Characters
Passwords must meet Complexity Requirements - Example: Enabled
Store Passwords using reversible Encryption - Example: Enabled

Account Lockout Duration - Example: 30 mins
Account Lockout threshold - Example: 3 attempts
reset account lockout counter after - Example: 60 mins

 

I've looked all over the web and can't find any solution to this, so was really hoping this is a possibility.

 

Thanks
Dave :slight_smile:

 

I didn't see any direct cmdlet for this, but you can get help from the module below.

https://www.powershellgallery.com/packages/PolicyFileEditor/3.0.1

Some other related links…

https://stackoverflow.com/questions/23260656/modify-local-security-policy-using-powershell

And if you want to use DSC: https://github.com/PowerShell/SecurityPolicyDsc
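If you go the DSC route, the configuration looks like the following. This is an added example written for this thread, not code from the original reply or from the SecurityPolicyDsc project; the `AccountPolicy` property names follow that module's documented resource, so check them against the version you install (`Install-Module SecurityPolicyDsc`). Note that the "Enforce password history" setting counts passwords remembered, not days, and that Windows requires the reset-counter window to be no longer than the lockout duration, so the values below differ slightly from the question's examples. Reversible encryption is left disabled because enabling it stores passwords in a recoverable form.

```powershell
# Added example (not from the thread or the module's own docs): a DSC configuration
# that sets the local password and lockout policy with SecurityPolicyDsc.
# Assumption: the AccountPolicy property names below match the installed module version.
Configuration LocalAccountPolicy {
    param([string[]]$NodeName = 'localhost')

    Import-DscResource -ModuleName SecurityPolicyDsc

    Node $NodeName {
        AccountPolicy 'PasswordAndLockout' {
            Name                                        = 'PasswordAndLockout'
            Enforce_password_history                    = 24          # passwords remembered, not days
            Maximum_Password_Age                        = 60          # days
            Minimum_Password_Age                        = 1           # days
            Minimum_Password_Length                     = 12          # characters
            Password_must_meet_complexity_requirements  = 'Enabled'
            Store_passwords_using_reversible_encryption = 'Disabled'  # keep off unless an app truly needs it
            Account_lockout_duration                    = 30          # minutes
            Account_lockout_threshold                   = 3           # failed attempts
            Reset_account_lockout_counter_after         = 30          # minutes; must be <= lockout duration
        }
    }
}

# Compile the MOF, apply it, then confirm the node is in the desired state.
$mofPath = Join-Path $env:TEMP 'LocalAccountPolicy'
LocalAccountPolicy -OutputPath $mofPath
Start-DscConfiguration -Path $mofPath -Wait -Verbose -Force
Test-DscConfiguration -Detailed
```

On a domain-joined machine Group Policy will reapply its own account policy at the next refresh, so this only sticks on standalone systems; `Test-DscConfiguration` will then report drift.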

I believe Local Security Policy is all registry and not in the .pol files.

Are you trying to change security policy for a single system, or for many systems on a domain?

If you’re working on a domain, you should be applying settings through group policies from the server. You may be able to use PowerShell to manage group policy, depending on your server version.

If you’re trying to change a single system that is connected to a domain, any changes you make will be overwritten by the group policy.

If you’re trying to make changes to a standalone system, you can edit the registry from PowerShell via the .Net RegistryKey class (that blog talks about doing it remotely, but you can do the same thing for the local registry). The registry keys mentioned here are a good place to start for the settings you want to change.

However, editing the registry is a quick way to make your computer unusable if you don’t know what you’re doing with it. If you are also new to registry editing, you should spend some time learning how to work on it using the built-in GUI tool (regedit) first, and also reading about how it works, before attempting to make changes to it with PowerShell. This will break your OS if you’re careless.

Along with what the others point you to.

Note that the MS LGPO.exe is still available and can be used for this use case.

https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0

https://blogs.technet.microsoft.com/secguide/2016/09/23/lgpo-exe-v2-0-pre-release-support-for-mlgpo-and-reg_qword

 

See also:

How to manage Local Group Policy with Powershell
http://brandonpadgett.com/powershell/Local-gpo-powershell

PowerShell/LGPO.ps1
https://github.com/MicksITBlogs/PowerShell/blob/master/LGPO.ps1


You can use secedit.exe to export/import the settings as well.
It’s a bit fiddly so you probably want a VM with snapshots to try/error what works.
Have done it in the past but don’t have the code accessible right now.

As stated earlier however, this will only work on a non-domain-joined machine since the GPOs will override the settings.
Usually after 15 min.
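The secedit export/edit/import approach mentioned above, as an added worked example that is not code from the original reply. It exports the current policy to an INF template, rewrites the `[System Access]` keys (the key names are the ones secedit itself writes), applies the template, and verifies the result with `net accounts`. It must run in an elevated session on a standalone machine; the work directory under `$env:TEMP` and the chosen values are assumptions. As in the question's examples, reset-counter and duration are both 30 minutes because Windows rejects a reset window longer than the lockout duration, and reversible encryption is left off.

```powershell
# Added example, not from the original thread: set Local Security Policy
# account/lockout settings on a standalone machine via secedit.exe.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Desired values, keyed by the INF key names secedit uses in [System Access].
$Desired = [ordered]@{
    PasswordHistorySize   = 24   # passwords remembered (this setting counts passwords, not days)
    MaximumPasswordAge    = 60   # days
    MinimumPasswordAge    = 1    # days
    MinimumPasswordLength = 12   # characters
    PasswordComplexity    = 1    # 1 = enabled
    ClearTextPassword     = 0    # 0 = do NOT store passwords with reversible encryption
    LockoutBadCount       = 3    # failed attempts before lockout
    LockoutDuration       = 30   # minutes
    ResetLockoutCount     = 30   # minutes; Windows requires this to be <= LockoutDuration
}
if ($Desired.ResetLockoutCount -gt $Desired.LockoutDuration) {
    throw 'ResetLockoutCount must not exceed LockoutDuration'
}

# Assumed scratch location for the template and secedit database.
$work = Join-Path $env:TEMP 'secpol'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$cfg = Join-Path $work 'secpol.inf'
$db  = Join-Path $work 'secpol.sdb'
$log = Join-Path $work 'secpol.log'

# 1. Export the current policy so we edit a real template instead of hand-writing one.
& secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

# 2. Rewrite each key inside [System Access]; append any key the export did not contain.
$out  = New-Object 'System.Collections.Generic.List[string]'
$seen = @{}
$inSystemAccess = $false
function Add-MissingKeys {
    foreach ($k in $Desired.Keys) {
        if (-not $seen.ContainsKey($k)) { $out.Add("$k = $($Desired[$k])") }
    }
}
foreach ($line in (Get-Content -Path $cfg)) {
    if ($line -match '^\[(.+)\]$') {
        if ($inSystemAccess) { Add-MissingKeys }          # leaving [System Access]
        $inSystemAccess = ($Matches[1] -eq 'System Access')
        $out.Add($line); continue
    }
    if ($inSystemAccess -and $line -match '^\s*(\w+)\s*=') {
        $k = $Matches[1]
        if ($Desired.Contains($k)) {
            $out.Add("$k = $($Desired[$k])"); $seen[$k] = $true; continue
        }
    }
    $out.Add($line)
}
if ($inSystemAccess) { Add-MissingKeys }                  # section was last in the file
# secedit writes UTF-16 LE; write the template back the same way.
Set-Content -Path $cfg -Value $out -Encoding Unicode

# 3. Apply the template to the local policy.
& secedit.exe /configure /db $db /cfg $cfg /areas SECURITYPOLICY /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed, see $log" }

# 4. Read back the effective account policy.
& net.exe accounts

# The template contains the whole local security policy; do not leave it lying around.
Remove-Item -Path $cfg, $db -Force -ErrorAction SilentlyContinue
```

Try it on a VM snapshot first, as suggested above. `net accounts` alone can also set the numeric values (`net accounts /minpwlen:12 /maxpwage:60 /lockoutthreshold:3 ...`), but it cannot toggle complexity or reversible encryption, which is why the template route is shown.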