
Reset default Local Security Policy using bat file

Posted on 2011-10-07
Last Modified: 2012-05-12
I am trying to write a script that will reset the local security policy for a Windows 2008 R2 server back to default. If this cannot be done, how can I set password policy by a bat file?

Thank you!
Question by:Phase2
14 Comments
 

Author Comment

by:Phase2
ID: 36929934
I want to be able to change the following with a script:

Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirement
Store passwords using reversible encryption for all users in the domain
Account lockout duration
Account lockout threshold
Reset lockout counter after
0
 

Author Comment

by:Phase2
ID: 36930028
Or VBS script
0
 

Author Comment

by:Phase2
ID: 36930132
The server is not part of a domain. I specifically need a script
0

 
LVL 9

Expert Comment

by:pritamdutt
ID: 36930169
Please visit http://support.microsoft.com/kb/313222

There it states that secedit /configure command can be used to import default policy, but is not stable for Windows 2008.

Hope this helps..

0
 

Author Comment

by:Phase2
ID: 36946411
Don't think this will work for 2008
0
 
LVL 9

Expert Comment

by:pritamdutt
ID: 36946645
Why don't you use secpol.msc to edit Local Security Policy, considering your machine is not on a domain?
This file is found in %windir%\System32

0
 

Author Comment

by:Phase2
ID: 36946667
Need a script. Will not have access to the UI when the reset needs to occur
0
 
LVL 9

Accepted Solution

by:
pritamdutt earned 2000 total points
ID: 36946698
OK, in that case I would suggest the following:

Run Local Security Policy Editor using secpol.msc
Make the necessary changes in Security Policy

Export the security policy by right-clicking on Security Settings
Save the exported .inf file

Then create a batch file to run the following command

ECHO y| SECEDIT.EXE /CONFIGURE /CFG myprog.inf /DB dummy.sdb /OVERWRITE /LOG myprog.log /QUIET


Replace myprog.inf with your inf file name.

This command does not require UI access.

I hope this helps!
0
 

Author Comment

by:Phase2
ID: 36947283
What about the dummy.sdb ?
0
 
LVL 9

Expert Comment

by:pritamdutt
ID: 36947347
Unfortunately it's a mandatory parameter, therefore you need not worry about it. It's there just to be there.
0
 

Author Closing Comment

by:Phase2
ID: 36947542
This works great! Thank you!
0
 

Author Comment

by:Phase2
ID: 36947617
Any way to combine these two in one bat file?

Bat file that writes the .inf file then runs the cmd?
0
 
LVL 9

Expert Comment

by:pritamdutt
ID: 36947626
Just a quick query!

As per my current understanding,
1. you currently have UI access to the machine.
2. You would require to run this in future, when you may not have UI access to the machine.

So, if you currently have UI access to the machine, you could export today and run tomorrow.


0
 

Author Comment

by:Phase2
ID: 36947894
This script will run at startup so no UI access. With your help I made the script below and it seems to work fine. Thanks for all your help.
@ECHO OFF

REM Write the security template that SECEDIT will import
ECHO Creating inf file
(
ECHO [Unicode]
ECHO Unicode=yes
ECHO [System Access]
ECHO MinimumPasswordAge = 1
ECHO MaximumPasswordAge = 42
ECHO MinimumPasswordLength = 7
ECHO PasswordComplexity = 1
ECHO PasswordHistorySize = 24
ECHO LockoutBadCount = 0
ECHO [Version]
ECHO signature="$CHICAGO$"
ECHO Revision=1
)>c:\localSecurityPolicyReset.inf

REM Apply the template; /DB is a mandatory parameter and /QUIET suppresses prompts
ECHO Resetting Local Security Policy from template
SECEDIT.EXE /CONFIGURE /CFG c:\localSecurityPolicyReset.inf /DB dummy.sdb /OVERWRITE /QUIET

REM Clean up the temporary template
ECHO Delete inf File
del c:\localSecurityPolicyReset.inf

REM Remove this batch file itself
ECHO Delete this bat file
DEL "%~f0"

0
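
Because the batch file above runs with /QUIET at startup and then deletes itself, nothing on screen confirms that the template took effect. The following is an added example, not part of the original thread: it exports the effective policy with secedit /export and compares the [System Access] values against the ones written in the post above. It assumes an elevated PowerShell session; the temporary file name is hypothetical.

```powershell
# Added example: audit the effective [System Access] values after the batch file has run.
# Expected values are the ones written to the .inf in the post above.
$expected = @{
    MinimumPasswordAge    = '1'
    MaximumPasswordAge    = '42'
    MinimumPasswordLength = '7'
    PasswordComplexity    = '1'
    PasswordHistorySize   = '24'
    LockoutBadCount       = '0'
}

# Export only the security-policy area to a temporary file (file name is an assumption).
$export = Join-Path $env:TEMP 'secpol-audit.inf'
& secedit.exe /export /cfg $export /areas SECURITYPOLICY /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

# Parse "Key = Value" lines that belong to the [System Access] section.
$actual  = @{}
$section = ''
foreach ($line in Get-Content $export) {
    if ($line -match '^\s*\[(.+)\]\s*$') { $section = $matches[1]; continue }
    if ($section -eq 'System Access' -and $line -match '^\s*([^=\s]+)\s*=\s*(.*?)\s*$') {
        $actual[$matches[1]] = $matches[2]
    }
}
Remove-Item $export -ErrorAction SilentlyContinue

# Report drift; a key missing from the export counts as a mismatch.
$drift = @()
foreach ($key in $expected.Keys) {
    if ($actual[$key] -ne $expected[$key]) {
        $drift += "{0}: expected {1}, found {2}" -f $key, $expected[$key], $actual[$key]
    }
}
if ($drift.Count -gt 0) {
    $drift | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Password and lockout policy match the template.'
```

A non-zero exit code makes the check usable from a scheduled task or monitoring agent.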
