Worklet: Set Windows Password Policy

  • 18 October 2019

Sets password policy using SECEDIT. Note that this only works for Windows machines that aren’t in Active Directory.



Evaluation code:



#REQUIRES -Version 2.0

<#
.SYNOPSIS
This script tests to see if the remediation script has been run
.DESCRIPTION
After the remediation script is run there will be a registry key for the template.
This script checks to see if that registry key exists and what the value is.
If the key and value match the other script this test script returns a 0.
Otherwise it returns a 1 and the remediation script needs to be run.
.NOTES
File Name :Password-policy-Test.ps1
Author :Automox
Prerequisite :PowerShell V3 on Win10
#>

#Handle Exit Codes:
trap { $host.ui.WriteErrorLine($_.Exception); exit 90 }

function Policy_check() {
    # TemplateUsed is the registry value the remediation script's SECEDIT import leaves behind
    $Reg_Val = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty TemplateUsed -ErrorAction SilentlyContinue | Out-String

    # The dot is escaped so -match treats the file name literally
    if ($Reg_Val.Trim() -match "Automox_Policy\.inf") {
        return 0
    }
    else {
        return 1
    }
}

# Pass the result back as the script's exit code (0 = template applied, 1 = run remediation)
exit (Policy_check)



Remediation code:



#REQUIRES -Version 2.0

<#
.SYNOPSIS
This script allows an admin to edit security policy settings relating to Passwords.
.DESCRIPTION
Security policies can only be modified by creating a new policy and importing it into the
policy manager. The following code writes a new policy to the temp directory and imports
it into the manager using SECEDIT. The settings included are the most common settings
relating to password policy, however any additional settings can be specified.
This is an example script that has been tested to work on Win10 and Win7.
This script may not work on all systems. Modify to fit your needs.
.NOTES
File Name :Password-Policy-Rem.ps1
Author :Automox
Prerequisite :PowerShell V3 on Win10
#>

#Handle Exit Codes:
trap { $host.ui.WriteErrorLine($_.Exception); exit 90 }

function Policy_Change {
    ########Change the settings in this block############
    $User_settings = @"
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
EnableAdminAccount = 0
EnableGuestAccount = 0

[Version]
signature= "`$Chicago`$"
Revision=1
"@
    #######################################################

    # Set-Content overwrites the file, so a template left by an earlier failed run is not appended to
    Set-Content -Path C:\Windows\Inf\Automox_Policy.inf -Value $User_settings
    # Import the template into the local security policy
    SECEDIT /configure /db secedit.sdb /cfg C:\Windows\Inf\Automox_Policy.inf
    # Clean up the temporary template
    Remove-Item C:\Windows\Inf\Automox_Policy.inf
}

Policy_Change
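
An added example, not part of the original post or Automox's worklet: the evaluation code above checks only the TemplateUsed registry value, so this script instead exports the effective local policy with `secedit /export` and compares selected [System Access] keys against the values the template was meant to set. The `$Expected` table, the function names and the temp-file name are assumptions made for illustration, and it assumes an elevated session.

```powershell
# Added example (not Automox code): audit the effective policy, not just the registry marker.
# $Expected is a constructed sample mirroring four keys of the worklet's [System Access] block.
$Expected = @{
    MaximumPasswordAge = '42'
    PasswordComplexity = '1'
    ClearTextPassword  = '0'
    EnableGuestAccount = '0'
}

function Get-EffectiveSystemAccess {
    # Export the current local security policy and parse its [System Access] section.
    $cfg = Join-Path $env:TEMP ('secpol_{0}.cfg' -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }
        $values = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\s*\[(.+)\]\s*$') {
                $inSection = ($Matches[1] -eq 'System Access')
            }
            elseif ($inSection -and $line -match '^\s*([^=\s]+)\s*=\s*(.*?)\s*$') {
                $values[$Matches[1]] = $Matches[2].Trim('"')
            }
        }
        return $values
    }
    finally {
        # Always remove the exported copy of the policy.
        if (Test-Path $cfg) { Remove-Item $cfg -Force }
    }
}

function Test-PasswordPolicy {
    param([hashtable]$Expected)
    $actual = Get-EffectiveSystemAccess
    $drift = 0
    foreach ($key in $Expected.Keys) {
        # Compare as strings; a key missing from the export counts as drift.
        if ("$($actual[$key])" -ne "$($Expected[$key])") {
            Write-Warning "Drift: $key is '$($actual[$key])', expected '$($Expected[$key])'"
            $drift++
        }
    }
    return $drift
}

# Exit 0 when every expected key matches, 1 when remediation should run.
if ((Test-PasswordPolicy -Expected $Expected) -gt 0) { exit 1 } else { exit 0 }
```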

