Modify local security policy

Hello,

I am working with Windows servers (2008/2012/2016) that are standalone servers not part of a domain.

I would like to change the local security policies via the command line.

I am only interested in changing the items below which includes the new values:

MinimumPasswordAge = 2
MaximumPasswordAge = 45
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 3

I thought the best way to go would be with secedit.exe but I cannot seem to get the right command.

There are two ways I see on how to do this:

1. Export the local security policy, modify the resulting text file and import with the changes
OR
2. import just the changes

Naturally I would prefer option 2, but I cannot get either option to work.

Can anyone help?

I could use concrete examples.

One command I came across was to input as follows:

secedit /configure /db c:\temp.sdb / cfg c:\my-changed-policy-file.inf

I do not understand the above command. How can I select any location for the sdb? The system also says it cannot find "my-changed-policy-file.inf" even though the file exists.

Any assistance would be greatly appreciated.

Thanks.

(Please do not quote places on the internet that explain how to do this - I have reviewed a lot of material and find it difficult to work with)

Any advice would be appreciated.

Thanks,

Mark
mbudmanAsked:

yo_beeDirector of Information TechnologyCommented:
Are you going to do this via a remote connection or connected to the server? Have you considered GPEDIT.MSC?
Open GPEDIT.MSC and do as if you were doing in GPMC.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
0
mbudmanAuthor Commented:
GPEDIT is for servers that are part of the domain and for managing group policy.

As I mentioned in my post, this is for local security policy for servers that are not part of the local domain. The batch file is to be run directly on the server concerned.

Also, I am not interested in the GUI. This has to be done via command line.
0
McKnifeCommented:
Hi mbudman. https://www.experts-exchange.com/questions/29068316/Script-to-set-local-security-policies.html was the same question from you. Don't start it again, please continue over there - thank you.
0

yo_beeDirector of Information TechnologyCommented:
GPEDIT is not for domain wide management.  GPEDIT is for local settings only.  GPMC is the domain wide management.

https://social.technet.microsoft.com/Forums/office/en-US/d45c5291-b3dc-45ff-a931-36c5fdcf8df5/server-2008-dc-gpeditmsc-vs-group-policy-management-console?forum=winserverGP
0
mbudmanAuthor Commented:
Maybe, but I specifically asked for command line procedure on how to accomplish my goals.
0
yo_beeDirector of Information TechnologyCommented:
Ok.

It looks like you might have learned something new.
For a one off, why reinvent the wheel?

Also as Mac stated you already asked this question. Why ask the question.
1
McKnifeCommented:
"Maybe, but I specifically asked for command line procedure on how to accomplish my goals. " - right. You have been given two command line options.
1. LGPO.exe /b "foldername" to export the config of a configured machine and on the target machines, run LGPO.exe /g "foldername"
2. secedit /export /cfg c:\temp\secpol.cfg - then edit c:\temp\secpol.cfg using notepad and import it on the target machines with secedit /import /cfg c:\temp\secpol.cfg

Please let me know what you don't understand about these options and what makes you think that these are not command line options.
0
mbudmanAuthor Commented:
Sorry, I made an error by posting the same thing twice.


I am able to export the local security policy.

My lack of understanding relates to the following:

Can I just import the line changes I make (e.g. only 5 lines of text) or do I have to import the entire file I exported?

Do I have to use the /db  option?

Thanks
0
McKnifeCommented:
Please use
secedit /export /cfg c:\temp\secpol.cfg - then edit c:\temp\secpol.cfg using notepad and import it again using
Secedit /configure /db hisecws.sdb /cfg c:\temp\secpol.cfg
This led to the desired result on my test machine. Please note that the corresponding logfile %windir%\security\logs\scesrv.log shows many changes did apply while actually I don't find anything is changed but the change that I configured with notepad (that was: change line 4: MinimumPasswordAge = 2 (which was = 0)).
0
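The export, edit and configure sequence from the answer above, scripted so the Notepad step is replaced by an in-place rewrite of the five settings from the question. This is an added example, not code posted by anyone in the thread; the `.sdb`, `.log` and verification file names are assumed, and `/areas SECURITYPOLICY` is used to limit both the export and the apply to the account and audit policy area.

```powershell
# Added example; run from an elevated prompt on the standalone server.
$cfg    = 'C:\temp\secpol.cfg'         # template path used in the answer above
$db     = 'C:\temp\secpol.sdb'         # assumed name: scratch database secedit loads the template into
$log    = 'C:\temp\secpol.log'         # assumed name: per-run log of what secedit applied
$verify = 'C:\temp\secpol-verify.cfg'  # assumed name: second export used to confirm the result

# Values requested in the question.
$wanted = @{
    MinimumPasswordAge    = 2
    MaximumPasswordAge    = 45
    MinimumPasswordLength = 8
    PasswordComplexity    = 1
    PasswordHistorySize   = 3
}

New-Item -ItemType Directory -Path (Split-Path $cfg) -Force | Out-Null

# 1. Export only the security-policy area of the current local policy.
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

# 2. Rewrite the five lines in place; stop if an expected key is missing
#    so a malformed template is never applied.
$lines = Get-Content -Path $cfg
foreach ($name in $wanted.Keys) {
    $pattern = "^\s*$name\s*=.*$"
    if (-not ($lines -match $pattern)) { throw "$name not found in $cfg" }
    $lines = $lines -replace $pattern, "$name = $($wanted[$name])"
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode   # keep the UTF-16 encoding of the export

# 3. Apply the edited template. A stale database from an earlier run is
#    removed first so the database holds only this template.
Remove-Item -Path $db -ErrorAction SilentlyContinue
secedit /configure /db $db /cfg $cfg /areas SECURITYPOLICY /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed, see $log" }

# 4. Export again and list the five settings to confirm what is now in effect.
secedit /export /cfg $verify /areas SECURITYPOLICY | Out-Null
Select-String -Path $verify -Pattern ('^(' + ($wanted.Keys -join '|') + ')\s*=') |
    ForEach-Object { $_.Line }
```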

mbudmanAuthor Commented:
What I do not understand is the /db <<name>>

It appears  <<name>> value can be anything.

I do not u understand what purpose tho servers and how it works with import
0
McKnifeCommented:
You can use the above example, it works and does what you want and you have a logfile and you can verify what has been imported. It's been a while since I was digging into that topic myself, I cannot offer much more, you will need to do some reading yourself if you are not satisfied with the result.
0
mbudmanAuthor Commented:
Stupid spell check. I meant to write:

What I do not understand is the /db <<name>>

It appears  <<name>> value can be anything.

I do not understand what purpose this /db <<name>> serves and how it works with import.

Every example I see / read about shows a different <<name>> value
0
McKnifeCommented:
The name is not of importance for the result.
For further info, I suggest reading https://msdn.microsoft.com/en-us/library/bb742512.aspx and the translation of https://www.gruppenrichtlinien.de/artikel/seceditexe-in-der-cmd/
0
mbudmanAuthor Commented:
Thank you for your assistance
0