- This topic has 5 replies, 6 voices, and was last updated 1 year ago by
June 18, 2019 at 3:48 pm #161745ParticipantTopics: 1Replies: 0Points: 12Rank: Member
Hi, Im new to powershell so please be nice 🙂
I was just wondering if there is a way to configure the Local Security Policy – Password/Lockout Policy settings via Powershell
IE: Set the following policies
Enforce Password History – Example: 90 Days
Maximum Password Age – Example: 60 Days
Minimum Password Age – Example: 1 Day
Minimum Password Lenght – Example: 12 Characters
Passwords must meet Complexity Requirements – Example: Enabled
Store Passwords using reversible Encryption – Example: Enabled
Account Lockout Duration – Example: 30 mins
Account Lockout threshold – Example: 3 attempts
reset account lockout counter after – Example: 60 mins
Ive looked all over the web and cant find any solution to this, so was really hoping this is a posibility
June 18, 2019 at 3:51 pm #161757Senior ModeratorTopics: 9Replies: 1236Points: 4,443Rank: Community Hero
I didn’t see any direct cmdlet for this, but you can get help with below module.
Some other related links…
And if you want to use DSC: https://github.com/PowerShell/SecurityPolicyDsc
June 18, 2019 at 6:14 pm #161780ParticipantTopics: 30Replies: 828Points: 2,554Rank: Community Hero
I believe Local Security Policy is all registry and not in the .pol files.
June 18, 2019 at 7:52 pm #161798Senior ModeratorTopics: 3Replies: 123Points: 653Rank: Major Contributor
Are you trying to change security policy for a single system, or for many systems on a domain?
If you’re working on a domain, you should be applying settings through group policies from the server. You may be able to use PowerShell to manage group policy, depending on your server version.
If you’re trying to change a single system that is connected to a domain, any changes you make will be overwritten by the group policy.
If you’re trying to make changes to a standalone system, you can edit the registry from PowerShell via the .Net RegistryKey class (that blog talks about doing it remotely, but you can do the same thing for the local registry). The registry keys mentioned here are a good place to start for the settings you want to change.
However, editing the registry is a quick way to make your computer unusable if you don’t know what you’re doing with it. If you are also new to registry editing, you should spend some time learning how to work on it using the built-in GUI tool (regedit) first, and also reading about how it works, before attempting to make changes to it with PowerShell. This will break your OS if you’re careless.
June 18, 2019 at 11:44 pm #161844ParticipantTopics: 2Replies: 1013Points: 2,093Rank: Community Hero
Along with what the others point you to.
Note that the MS LGPO.exe is still available and use for this use case.
How to manage Local Group Policy with Powershell
June 19, 2019 at 9:19 am #161924ParticipantTopics: 12Replies: 232Points: 466Rank: Contributor
You can use secedit.exe to export/import the settings as well.
It’s a bit fiddly so you probably want a VM with snapshots to try/error what works.
Have done it in the past but don’t have the code accessible right now.
As stated earlier however, this will only work in a non-domain joined machine since the GPO’s will override the settings.
Usually after 15min.
- The topic ‘Powershell & Local Security Policy Help’ is closed to new replies.