Password Policy Automation

Posted on 2012-08-22
Last Modified: 2012-09-26
I need to deploy the following password policy to multiple non-domain users.  I would like to send an email to a group with one attachment that the user can click on to update the password policy, force them to change the password with the next log on, and (hopefully) launch a web page survey.

MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 6
Question by:amergts
 
LVL 6

Expert Comment

by:Kyle Davies
ID: 38320736
Is this for XP users only or mix of XP and Win7?
0
 

Author Comment

by:amergts
ID: 38321045
Windows XP Pro only.
0
 
LVL 6

Expert Comment

by:Kyle Davies
ID: 38323527
0

 

Author Comment

by:amergts
ID: 38325503
That script appears to be for a Windows Server environment; these are stand-alone Windows XP Pro systems with local accounts.  I don't think that will work.  If it does, I don't know anything about the programming language to make it be useful.
0
 

Author Comment

by:amergts
ID: 38329213
I've managed to write the attached batch file which walks users through manually updating the policy with a template I've created.  I'd really prefer to use the "secedit" command, but cannot quite figure out how to write the command. I've studied Microsoft's KB article on the command, but I still can't get it quite right.
If you have any ideas it would help.
Thanks!
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 38421533
I've requested that this question be deleted for the following reason:

The question has either no comments or not enough useful information to be called an "answer".
0
 

Accepted Solution

by:
amergts earned 0 total points
ID: 38421513
Created the attached self-extracting zip file to apply the password policies and prompt the user to change their password.  The final line of the batch file sends users to a survey URL to prove they completed the steps.  This URL has been altered from the original.
This may not be the neatest and tidiest way to complete this task, but it worked for my purposes.  I hope it can help someone else.
0
 

Author Comment

by:amergts
ID: 38421534
I apologize, I thought I had posted my solution already.  I have posted it now, so that it may help others with this same problem.
0
 

Author Comment

by:amergts
ID: 38421614
I'm not able to load two of the three files that were in my self-extracting file.  Below are the contents of each file, in case it helps others.

Here are the contents of the batch file:

@echo off
echo.
echo ****************************************************
echo You must update your password security requirements.
echo This will require action by you.
echo ****************************************************
echo.
echo !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
echo.
echo Please follow all instructions in this window.
echo.
echo !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
echo.
echo Please select "Yes" or "OK" on the next 2 prompts.
echo.

C:\temp\dontdisplaylastusername.reg

echo Updating security policy...

echo y| secedit.exe /configure /cfg C:\temp\policy.inf /db C:\Windows\Security\policy.sdb /overwrite /log myprog.log /quiet

pause
echo.
echo.
echo.
echo You must now change your password.
echo.
echo Passwords must meet the following minimum requirements:
echo.
echo Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
echo Be at least eight (8) characters in length
echo Not be one of the last six (6) passwords
echo Contain characters from three of the following four categories:
echo   1. English uppercase characters (A through Z)
echo   2. English lowercase characters (a through z)
echo   3. Numbers (0 through 9)
echo   4. Non-alphabetic characters (for example, !, $, #, %)
echo.
echo.
echo *** Please enter your new password ***
@echo off
set /p password=

rem Quote both values so account names or passwords containing spaces are passed intact
net user "%username%" "%password%"
pause

echo.
echo If you saw anything other than
echo "The command completed successfully,"
echo Press CTRL+ALT+DEL
echo Select "Change Password..."
echo Reset the password.
echo.
echo If you need assistance please call 800.377.7379.
echo.
echo !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
echo DO NOT PROCEED UNTIL
ECHO YOUR PASSWORD HAS
echo SUCCESSFULLY CHANGED
echo !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
echo.
echo.
echo.
pause

start "" "http://www.surveymonkey.com/"

Here are the contents of the password policy (policy.inf) file:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
;----------------------------------------------------------------
;Account Policies - Password Policy
;----------------------------------------------------------------
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 6
; Interactive logon: Do not display last user name = Enabled (set by the dontdisplaylastusername entry under [Registry Values])

[Registry Values]
machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0
machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,1

Here are the contents of the dontdisplaylastusername.reg file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000001
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
0
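Added example, not part of the original posts: a follow-up batch file that exports the effective policy with secedit /export, checks it against the five values from the question, and only then changes the password with `net user ... *` so the password is never echoed or held in a variable as it is with `set /p` above. The export path and the `:check` label are assumptions chosen for this sketch.

```batch
@echo off
rem Added example (not from the original post). Run after policy.inf is applied.
setlocal
rem Assumed scratch location for the exported policy.
set "EXPORT=%TEMP%\applied_policy.inf"
set "FAIL=0"

rem Export the effective local security policy to an INF file.
secedit.exe /export /cfg "%EXPORT%" /areas SECURITYPOLICY /quiet
if not exist "%EXPORT%" (
    echo Could not export the local security policy. Run as an administrator.
    exit /b 2
)

rem Compare each exported line with the value requested in the question.
call :check "MinimumPasswordAge = 0"
call :check "MaximumPasswordAge = 90"
call :check "MinimumPasswordLength = 8"
call :check "PasswordComplexity = 1"
call :check "PasswordHistorySize = 6"
del "%EXPORT%" >nul 2>&1

if "%FAIL%"=="1" (
    echo Policy was NOT fully applied. Password left unchanged.
    exit /b 1
)

rem The "*" makes net user prompt for the password without echoing it,
rem so it never appears on screen, on the command line or in a variable.
net user "%username%" *
if errorlevel 1 (
    echo Password change failed. Use CTRL+ALT+DEL, "Change Password...".
    exit /b 1
)
echo Policy verified and password changed.
exit /b 0

:check
rem The export is Unicode; "type" converts it so findstr can read it.
rem /x requires the whole line to match, so "= 8" cannot match "= 80".
type "%EXPORT%" | findstr /x /i /c:%1 >nul
if errorlevel 1 (
    echo MISMATCH: expected %~1
    set "FAIL=1"
) else (
    echo OK: %~1
)
goto :eof
```

The exit code (0 verified, 1 mismatch or failed change, 2 export failed) gives a caller something to branch on before it opens the survey page.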
 

Author Closing Comment

by:amergts
ID: 38435864
Since no other solutions were available, I had to come up with my own.  I'm posting it in case it would help someone else.
0
