Powershell & Local Security Policy Help

Welcome Forums General PowerShell Q&A Powershell & Local Security Policy Help

This topic contains 5 replies, has 6 voices, and was last updated by

3 months ago.

  • Author
  • #161745

    Topics: 1
    Replies: 0
    Points: 12
    Rank: Member

    Hi,  Im new to powershell so please be nice 🙂

    I was just wondering if there is a way to configure the Local Security Policy – Password/Lockout Policy settings via Powershell


    IE: Set the following policies

    Enforce Password History – Example: 90 Days
    Maximum Password Age – Example:  60 Days
    Minimum Password Age – Example:  1 Day
    Minimum Password Lenght – Example:  12 Characters
    Passwords must meet Complexity Requirements – Example: Enabled
    Store Passwords using reversible Encryption – Example: Enabled

    Account Lockout Duration – Example: 30 mins
    Account Lockout threshold – Example: 3 attempts
    reset account lockout counter after – Example: 60 mins


    Ive looked all over the web and cant find any solution to this, so was really hoping this is a posibility


    Dave 🙂


  • #161757

    Senior Moderator
    Topics: 8
    Replies: 1041
    Points: 3,439
    Helping Hand
    Rank: Community Hero

    I didn't see any direct cmdlet for this, but you can get help with below module.


    Some other related links...


    And if you want to use DSC: https://github.com/PowerShell/SecurityPolicyDsc

  • #161780

    Topics: 25
    Replies: 678
    Points: 1,629
    Helping Hand
    Rank: Community Hero

    I believe Local Security Policy is all registry and not in the .pol files.

  • #161798

    Topics: 2
    Replies: 54
    Points: 278
    Helping Hand
    Rank: Contributor

    Are you trying to change security policy for a single system, or for many systems on a domain?

    If you're working on a domain, you should be applying settings through group policies from the server. You may be able to use PowerShell to manage group policy, depending on your server version.

    If you're trying to change a single system that is connected to a domain, any changes you make will be overwritten by the group policy.

    If you're trying to make changes to a standalone system, you can edit the registry from PowerShell via the .Net RegistryKey class (that blog talks about doing it remotely, but you can do the same thing for the local registry). The registry keys mentioned here are a good place to start for the settings you want to change.

    However, editing the registry is a quick way to make your computer unusable if you don't know what you're doing with it. If you are also new to registry editing, you should spend some time learning how to work on it using the built-in GUI tool (regedit) first, and also reading about how it works, before attempting to make changes to it with PowerShell. This will break your OS if you're careless.

  • #161844

    Topics: 2
    Replies: 999
    Points: 1,946
    Helping Hand
    Rank: Community Hero
  • #161924

    Topics: 12
    Replies: 232
    Points: 466
    Helping Hand
    Rank: Contributor

    You can use secedit.exe to export/import the settings as well.
    It's a bit fiddly so you probably want a VM with snapshots to try/error what works.
    Have done it in the past but don't have the code accessible right now.

    As stated earlier however, this will only work in a non-domain joined machine since the GPO's will override the settings.
    Usually after 15min.

The topic ‘Powershell & Local Security Policy Help’ is closed to new replies.