Powershell & Local Security Policy Help

Welcome Forums General PowerShell Q&A Powershell & Local Security Policy Help

Viewing 5 reply threads
  • Author
    • #161745
      Topics: 1
      Replies: 0
      Points: 12
      Rank: Member

      Hi,  Im new to powershell so please be nice 🙂

      I was just wondering if there is a way to configure the Local Security Policy – Password/Lockout Policy settings via Powershell


      IE: Set the following policies

      Enforce Password History – Example: 90 Days
      Maximum Password Age – Example:  60 Days
      Minimum Password Age – Example:  1 Day
      Minimum Password Lenght – Example:  12 Characters
      Passwords must meet Complexity Requirements – Example: Enabled
      Store Passwords using reversible Encryption – Example: Enabled

      Account Lockout Duration – Example: 30 mins
      Account Lockout threshold – Example: 3 attempts
      reset account lockout counter after – Example: 60 mins


      Ive looked all over the web and cant find any solution to this, so was really hoping this is a posibility


      Dave 🙂


    • #161757
      Senior Moderator
      Topics: 9
      Replies: 1236
      Points: 4,443
      Helping Hand
      Rank: Community Hero

      I didn’t see any direct cmdlet for this, but you can get help with below module.


      Some other related links…


      And if you want to use DSC: https://github.com/PowerShell/SecurityPolicyDsc

    • #161780
      Topics: 30
      Replies: 828
      Points: 2,554
      Helping Hand
      Rank: Community Hero

      I believe Local Security Policy is all registry and not in the .pol files.

    • #161798
      Senior Moderator
      Topics: 3
      Replies: 123
      Points: 653
      Helping Hand
      Rank: Major Contributor

      Are you trying to change security policy for a single system, or for many systems on a domain?

      If you’re working on a domain, you should be applying settings through group policies from the server. You may be able to use PowerShell to manage group policy, depending on your server version.

      If you’re trying to change a single system that is connected to a domain, any changes you make will be overwritten by the group policy.

      If you’re trying to make changes to a standalone system, you can edit the registry from PowerShell via the .Net RegistryKey class (that blog talks about doing it remotely, but you can do the same thing for the local registry). The registry keys mentioned here are a good place to start for the settings you want to change.

      However, editing the registry is a quick way to make your computer unusable if you don’t know what you’re doing with it. If you are also new to registry editing, you should spend some time learning how to work on it using the built-in GUI tool (regedit) first, and also reading about how it works, before attempting to make changes to it with PowerShell. This will break your OS if you’re careless.

    • #161844
      Topics: 2
      Replies: 1013
      Points: 2,093
      Helping Hand
      Rank: Community Hero
    • #161924
      Topics: 12
      Replies: 232
      Points: 466
      Helping Hand
      Rank: Contributor

      You can use secedit.exe to export/import the settings as well.
      It’s a bit fiddly so you probably want a VM with snapshots to try/error what works.
      Have done it in the past but don’t have the code accessible right now.

      As stated earlier however, this will only work in a non-domain joined machine since the GPO’s will override the settings.
      Usually after 15min.

Viewing 5 reply threads
  • The topic ‘Powershell & Local Security Policy Help’ is closed to new replies.