Worklet: Set Windows Password Policy

  • 18 October 2019

Sets password policy using SECEDIT. Note that this only works for Windows machines that aren’t in Active Directory.


Evaluation code:


#REQUIRES -Version 2.0

<#
.SYNOPSIS
This script tests to see if the remediation script has been run
.DESCRIPTION
After the remediation script is run there will be a registry key for the template.
This script checks to see if that registry key exists and what the value is.
If the key and value match the other script this test script returns a 0.
Otherwise it returns a 1 and the remediation script needs to be run.
.NOTES
File Name :Password-policy-Test.ps1
Author :Automox
Prerequisite :PowerShell V3 on Win10
#>
#Handle Exit Codes:
trap { $host.ui.WriteErrorLine($_.Exception); exit 90 }

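function Policy_check() {
    # Read the name of the last template SECEDIT recorded as applied
    $Reg_Val = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\' |
        Select-Object -ExpandProperty TemplateUsed | Out-String
    # Escape the file name so the "." is matched literally, not as a regex wildcard
    if ($Reg_Val.Trim() -match [regex]::Escape("Automox_Policy.inf")) {
        return 0
    }
    else {
        return 1
    }
}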

Policy_check

Remediation code:


#REQUIRES -Version 2.0

<#
.SYNOPSIS
This script allows an admin to edit security policy settings relating to Passwords.
.DESCRIPTION
Security policies can only be modified by creating a new policy and importing it into the
policy manager. The following code writes a new policy to the temp directory and imports
it into the manager using SECEDIT. The settings included are the most common settings
relating to password policy, however any additional settings can be specified.
This is an example script that has been tested to work on Win10 and Win7.
This script may not work on all systems. Modify to fit your needs.
.NOTES
File Name :Password-Policy-Rem.ps1
Author :Automox
Prerequisite :PowerShell V3 on win10
#>
#Handle Exit Codes:
trap { $host.ui.WriteErrorLine($_.Exception); exit 90 }

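function Policy_Change {
    ########Change the settings in this block############
    # The values below are examples. MinimumPasswordLength = 0, PasswordHistorySize = 0
    # and LockoutBadCount = 0 leave minimum length, password history and account lockout
    # unenforced; set them to your own policy before deploying.
    $User_settings = @"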
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
EnableAdminAccount = 0
EnableGuestAccount = 0

[Version]
signature= "`$Chicago`$"
Revision=1
"@
#######################################################

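    # Write the template, overwriting any copy left by an earlier failed run,
    # import it with SECEDIT, then remove the file
    Set-Content C:\Windows\Inf\Automox_Policy.inf "$User_settings"
    SECEDIT /configure /db secedit.sdb /cfg C:\Windows\Inf\Automox_Policy.inf
    Remove-Item C:\Windows\Inf\Automox_Policy.inf
}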

Policy_Change
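
The evaluation script above only checks which template name SECEDIT last recorded, so it still passes if the settings are changed afterwards. As an added example (not Automox's code), the check below exports the effective [System Access] values with secedit /export and compares them to a few of the values from the remediation block. The function names ConvertFrom-SecEditExport and Test-PasswordPolicy and the temp file name are hypothetical; the exit codes follow the scripts above (0 in policy, 1 needs remediation, 90 error).

```powershell
# Added example: verify the effective local password policy, not just the template name.

# Desired values, copied from the [System Access] block of the remediation script.
$Desired = @{
    MaximumPasswordAge = '42'
    PasswordComplexity = '1'
    ClearTextPassword  = '0'
    EnableGuestAccount = '0'
}

function ConvertFrom-SecEditExport {
    # Parse the lines of a SECEDIT export into a hashtable of [System Access] keys.
    param([string[]]$Lines)
    $settings = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'System Access')
        }
        elseif ($inSection -and $text -match '^([^=;]+?)\s*=\s*(.*)$') {
            $settings[$Matches[1].Trim()] = $Matches[2].Trim().Trim('"')
        }
    }
    return $settings
}

function Test-PasswordPolicy {
    # Return the names of settings whose effective value differs from the desired one.
    param([hashtable]$Effective, [hashtable]$Desired)
    $Desired.Keys | Where-Object { $Effective[$_] -ne $Desired[$_] } | Sort-Object
}

# Export the effective policy to a temp file (hypothetical name), parse it, clean up.
$export = Join-Path $env:TEMP 'effective_policy.inf'
secedit /export /cfg $export /areas SECURITYPOLICY | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $export)) {
    Write-Error 'secedit /export failed'; exit 90
}
$effective = ConvertFrom-SecEditExport -Lines (Get-Content $export)
Remove-Item $export -Force

$drift = @(Test-PasswordPolicy -Effective $effective -Desired $Desired)
if ($drift.Count -gt 0) {
    Write-Output "Settings out of policy: $($drift -join ', ')"
    exit 1
}
exit 0
```

Keep the $Desired table in step with the values you set in the remediation block, otherwise the check will report drift on every run.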
