Reset default Local Security Policy using bat file

I am trying to write a script that will reset the local security policy for a Windows 2008 R2 server back to default. If this cannot be done, how can I set password policy from a bat file?

Thank you!
Asked by Phase2
pritamdutt commented:
OK, in that case I would suggest the following:

Run Local Security Policy Editor using secpol.msc
Make the necessary changes in Security Policy

Export the security policy by right-clicking on Security Settings.
Save the exported .inf file.

Then create a batch file to run the following command

ECHO y| SECEDIT.EXE /CONFIGURE /CFG myprog.inf /DB dummy.sdb /OVERWRITE /LOG myprog.log /QUIET


Replace myprog.inf with your .inf file name.

This command does not require UI access.

I hope this helps!
Attachments: LocalSecurityPolicy.JPG, LocalSecurityPolicy-AccountLocko.JPG
 
Phase2 (author) commented:
I want to be able to change the following with a script:

Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirement
Store passwords using reversible encryption for all users in the domain
Account lockout duration
Account lockout threshold
Reset lockout counter after
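The procedure from pritamdutt's answer above (write a security template, apply it with secedit /configure), carried through for every item in this list as an added example; this is not code from the original thread. The key names in [System Access] are the secedit template names for those nine settings. The values, the paths under %SystemRoot%\Temp and the decision to read the result back with net accounts are my own assumptions, not anything the thread states.

```batch
@ECHO OFF
REM Added example, not from the original thread. Writes a security template
REM covering all nine password and lockout settings listed above, applies it
REM with secedit, and shows the effective policy afterwards.
REM Assumptions: runs elevated or as SYSTEM; paths and values are illustrative.
SETLOCAL
SET "WORK=%SystemRoot%\Temp"
SET "INF=%WORK%\passwordpolicy.inf"
SET "SDB=%WORK%\passwordpolicy.sdb"
SET "LOG=%WORK%\passwordpolicy.log"

ECHO Writing security template to "%INF%"
(
ECHO [Unicode]
ECHO Unicode=yes
ECHO [System Access]
REM Password policy: history, max age, min age, min length, complexity,
REM reversible encryption. Ages are in days.
ECHO PasswordHistorySize = 24
ECHO MaximumPasswordAge = 42
ECHO MinimumPasswordAge = 1
ECHO MinimumPasswordLength = 7
ECHO PasswordComplexity = 1
ECHO ClearTextPassword = 0
REM Account lockout policy: threshold, then duration and reset window in
REM minutes. Both of the latter only take effect when LockoutBadCount is
REM non-zero, and LockoutDuration must not be shorter than ResetLockoutCount.
ECHO LockoutBadCount = 5
ECHO LockoutDuration = 30
ECHO ResetLockoutCount = 30
ECHO [Version]
ECHO signature="$CHICAGO$"
ECHO Revision=1
)>"%INF%"

REM /db is mandatory; start from a fresh scratch database each run so that
REM nothing left over from a previous template is merged in. /areas limits the
REM import to account policy, audit policy and security options.
IF EXIST "%SDB%" DEL "%SDB%"
ECHO Applying template
SECEDIT /configure /db "%SDB%" /cfg "%INF%" /areas SECURITYPOLICY /log "%LOG%"
IF NOT %ERRORLEVEL%==0 (
    ECHO secedit returned %ERRORLEVEL%; see "%LOG%"
    EXIT /B 1
)

REM Read the effective policy back rather than trusting the exit code alone.
ECHO Effective account policy:
NET ACCOUNTS | FINDSTR /I "password lockout"
ENDLOCAL
EXIT /B 0
```

The net accounts output is the check worth keeping in a startup log: it reports what the LSA actually enforces, whereas secedit's exit code and log only tell you whether the import ran. If the lockout threshold is to stay at 0 (no lockout), drop the LockoutDuration and ResetLockoutCount lines rather than setting them to 0.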
 
Phase2 (author) commented:
Or VBS script

 
Phase2 (author) commented:
The server is not part of a domain. I specifically need a script
 
pritamdutt commented:
Please visit http://support.microsoft.com/kb/313222

There it states that the secedit /configure command can be used to import the default policy, but that it is not stable for Windows 2008.

Hope this helps..

 
Phase2 (author) commented:
Don't think this will work for 2008.
0
 
pritamdutt commented:
Why don't you use secpol.msc to edit the Local Security Policy, considering your machine is not on a domain?
This file is found in %windir%\System32.

 
Phase2 (author) commented:
Need a script. Will not have access to the UI when the reset needs to occur
 
Phase2 (author) commented:
What about the dummy.sdb ?
 
pritamdutt commented:
Unfortunately it's a mandatory parameter, therefore you need not worry about it; it's there just to be there.
 
Phase2 (author) commented:
This works great! Thank you!
 
Phase2 (author) commented:
Any way to combine these two in one bat file?

Bat file that writes the .inf file then runs the cmd?
 
pritamdutt commented:
Just a quick query!

As per my current understanding,
1. You currently have UI access to the machine.
2. You would need to run this in the future, when you may not have UI access to the machine.

So, if you currently have UI access to the machine, you could export today and run tomorrow.


 
Phase2 (author) commented:
This script will run at startup so no UI access. With your help I made the script below and it seems to work fine. Thanks for all your help.
@ECHO OFF

REM Write a security template; the [System Access] section carries the
REM password and lockout policy keys, [Version] is required by secedit.
ECHO Creating inf file
(
ECHO [Unicode]
ECHO Unicode=yes
ECHO [System Access]
ECHO MinimumPasswordAge = 1
ECHO MaximumPasswordAge = 42
ECHO MinimumPasswordLength = 7
ECHO PasswordComplexity = 1
ECHO PasswordHistorySize = 24
ECHO LockoutBadCount = 0
ECHO [Version]
ECHO signature="$CHICAGO$"
ECHO Revision=1
)>c:\localSecurityPolicyReset.inf

REM /DB is mandatory; dummy.sdb is only a scratch database and is created
REM relative to the current directory. /OVERWRITE replaces rather than merges
REM anything already in it.
echo Resetting Local Security Policy from template
SECEDIT.EXE /CONFIGURE /CFG c:\localSecurityPolicyReset.inf /DB dummy.sdb /OVERWRITE /QUIET

REM Remove the template and this script once the policy has been applied.
ECHO Delete inf File
del c:\localSecurityPolicyReset.inf


ECHO Delete this bat file
DEL "%~f0"

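A variation on the startup script above, added here and not part of the original thread. Instead of hard-coding values, it takes a snapshot of the local security policy with secedit /export while the server is in its known-good state, and at startup reapplies that snapshot only if the live policy has drifted from it. That is the closest a script gets to the "reset to default" the question asked for when no trustworthy default template is available: the default becomes whatever you captured. The directory, file names and the snapshot/enforce subcommands are my own choices; nothing in the thread specifies them.

```batch
@ECHO OFF
REM Added example, not from the original thread. "snapshot" exports the live
REM SECURITYPOLICY area (account policy, audit policy, security options) to a
REM baseline template; "enforce" compares the live policy against it and
REM reapplies the baseline on drift. Assumptions: runs elevated or as SYSTEM;
REM the baseline directory is writable only by Administrators, because whoever
REM can edit baseline.inf controls the policy this script enforces.
SETLOCAL
SET "BASEDIR=%SystemRoot%\SecurityBaseline"
SET "BASELINE=%BASEDIR%\baseline.inf"
SET "CURRENT=%BASEDIR%\current.inf"
SET "SDB=%BASEDIR%\baseline.sdb"
SET "LOG=%BASEDIR%\baseline.log"
IF NOT EXIST "%BASEDIR%" MKDIR "%BASEDIR%"

IF "%~1"=="snapshot" GOTO snapshot
IF "%~1"=="enforce" GOTO enforce
ECHO Usage: %~nx0 snapshot ^| enforce
EXIT /B 2

:snapshot
REM Export needs no /db; it reads the system database. Delete any old file
REM first so the export is not appended to a stale template.
IF EXIST "%BASELINE%" DEL "%BASELINE%"
SECEDIT /export /cfg "%BASELINE%" /areas SECURITYPOLICY /log "%LOG%"
IF NOT EXIST "%BASELINE%" (
    ECHO Export failed; see "%LOG%"
    EXIT /B 1
)
ECHO Baseline written to "%BASELINE%"
EXIT /B 0

:enforce
IF NOT EXIST "%BASELINE%" (
    ECHO No baseline at "%BASELINE%"; run "%~nx0 snapshot" first
    EXIT /B 1
)
REM Export what is in force right now and diff it against the baseline.
REM secedit writes UTF-16 .inf files, so fc needs /U. fc exits 0 only when
REM the files are identical.
IF EXIST "%CURRENT%" DEL "%CURRENT%"
SECEDIT /export /cfg "%CURRENT%" /areas SECURITYPOLICY /log "%LOG%"
FC /U "%BASELINE%" "%CURRENT%" >NUL
IF %ERRORLEVEL%==0 (
    ECHO Policy matches baseline; nothing to do
    EXIT /B 0
)
ECHO Policy has drifted from baseline; reapplying
REM /db is mandatory; use a fresh scratch database so nothing is merged in.
IF EXIST "%SDB%" DEL "%SDB%"
SECEDIT /configure /db "%SDB%" /cfg "%BASELINE%" /areas SECURITYPOLICY /log "%LOG%"
IF NOT %ERRORLEVEL%==0 (
    ECHO secedit returned %ERRORLEVEL%; see "%LOG%"
    EXIT /B 1
)
ECHO Baseline reapplied; the differences were:
FC /U "%BASELINE%" "%CURRENT%"
EXIT /B 0
```

Run it once by hand as "snapshot" after the policy has been set the way you want it, then schedule "enforce" at startup in place of the self-deleting script above. Two caveats for the startup case: the script writes to the baseline directory, so that directory (not C:\ as in the script above) should be one only administrators can modify, and secedit's exit code is not a complete success signal, so keep the log and the fc output in whatever the startup task records.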