Avatar of mbudman
mbudman
Flag for Canada asked on

Script to set local security policies

Hello,

I have a group of servers (Windows 2008 / 2012 / 2016) that are not connected to a domain.

I would like to use a command line script (powershell / ) that would allow me to change only the following values :

Security settings->Account Policies->Password Policy
      Enforce password history :  3 passwords remembered
      Maximum password age  :  45 days
      Minimum password  age  :  1 day
      Maximum password length:  8 characters
      Password must meet complexity requirements :   Enabled  
      Store a password using reversible encryption  :  Disabled

I only want to change (via a script) the 6 values listed above and not change any other security settings.

How can this be accomplished?
Windows OSWindows Server 2008Security

Avatar of undefined
Last Comment
mbudman

8/22/2022 - Mon
CES

You can't do this using PowerShell.  However, you could probably track down the associated registry keys and export them to a .reg file that you can import to the other machines.
McKnife

You can quickly google a solution that involves using secedit /export /cfg c:\temp\secpol.cfg, searching and replacing things inside secpol.cfg and importing that again.

It can not be done using powershell cmdlets but of course, the batch code will work inside powershell as well.
It cannot be done using the registry.
mbudman

ASKER
I have looked at secdeit, but it exports more settings than I want to change. As I am only interested in modifying password section of the security policy, how can I import a new policy without overwriting existing values that I do not want to change?

I am trying to create a generic script (from command line for instance) that can be applied to new servers as they are spun up or existing servers that need to be hardened.
Your help has saved me hundreds of hours of internet surfing.
fblack61
mbudman

ASKER
I am only interested in modifying the following:

[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 45
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 3

If I import just the values above, what would happen to existing values of other configuration settings? Would they be wiped out?
ASKER CERTIFIED SOLUTION
McKnife

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
aravind anche

I use a simple one for this.
I change the policies on one server
and down load LGPO.exe tool from microsoft
then on the machine where you did changes
run LGPO.exe /b "location"
It will save a folder there
rename that folder Something meaningful
and then run other server copy the folder and LGPO tool and run
LGPO.exe /g "foldername"
McKnife

That is similar :-) Doesn't matter if we use a config GUI to change values or commands - we will have to export and import something, powershell commands for that are non-existant.
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
McKnife

You need to continue here or over there. The solution is already there, so time to close.
mbudman

ASKER
Thank you for your assistance