
Disclaimer: This uses a 3rd party PowerShell addon called “PolicyFileEditor”. The addon is trusted and has around 29M downloads. Another addon named “NuGet” is installed as PolicyFileEditor doesn't seem to work without it. More detail on the addon can be found here: https://www.powershellgallery.com/packages/PolicyFileEditor/3.0.1



Hello All!



Just made this worklet and thought I’d share in case anyone else finds it useful.



Use case: For remote employees that are off domain network and cannot have GPOs applied to them and need to have password policies applied to their machines for compliance reasons.



The worklet is pretty straightforward and labeled. You can feel free to remove the “Write-Host” lines as they are just for reporting purposes.



Code:


#Set Execution policy to allow for 3rd party modules


Set-ExecutionPolicy Unrestricted -Force



#Install NuGet which is needed for PolicyFileEditor

Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force



#Install PolicyFileEditor

Install-Module -Name PolicyFileEditor -RequiredVersion 3.0.1 -Force



#Designate the User's local group policy directory

$UserDir = "$env:windir\system32\GroupPolicy\User\Registry.pol"



#Enable the Screen Saver

$RegPath = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'

$RegName = 'ScreenSaveActive'

$RegData = '1'

$RegType = 'String'



Set-PolicyFileEntry -Path $UserDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

Write-Host "Setting 'Enable Screen Saver' has been enabled."



#Enable and set screen saver timeout

$RegPath = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'

$RegName = 'ScreenSaveTimeOut'

$RegData = '900'

$RegType = 'String'



Set-PolicyFileEntry -Path $UserDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

Write-Host "Setting 'Screen Saver Timeout' has been set to 15 minutes."



#Password protect the screen saver

$RegPath = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'

$RegName = 'ScreenSaverIsSecure'

$RegData = '1'

$RegType = 'String'



Set-PolicyFileEntry -Path $UserDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

Write-Host "Setting 'Password protect the screen saver' is enabled."



#Set password age settings

secedit /export /cfg c:\secpol.cfg

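#Replace the whole line; a plain .replace() on "MaximumPasswordAge =" leaves the exported value appended after the new one
(gc C:\secpol.cfg) -replace '^MaximumPasswordAge\s*=.*$', 'MaximumPasswordAge = 365' | Out-File C:\secpol.cfg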

secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY

rm -force c:\secpol.cfg -confirm:$false

Write-Host "Setting 'Maximum Password Age' has been set to 365 days."



#Set password complexity settings

secedit /export /cfg c:\secpol.cfg

#Replace the whole line, including the value that was exported
(gc C:\secpol.cfg) -replace '^PasswordComplexity\s*=.*$', 'PasswordComplexity = 1' | Out-File C:\secpol.cfg

secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY

rm -force c:\secpol.cfg -confirm:$false

Write-Host "Setting 'Password Complexity' has been enabled."



#Set password length settings

secedit /export /cfg c:\secpol.cfg

#Replace the whole line, including the value that was exported
(gc C:\secpol.cfg) -replace '^MinimumPasswordLength\s*=.*$', 'MinimumPasswordLength = 8' | Out-File C:\secpol.cfg

secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY

rm -force c:\secpol.cfg -confirm:$false

Write-Host "Setting 'Minimum Password Length' has been set to 8."



#Set password history settings

secedit /export /cfg c:\secpol.cfg

#Replace the whole line, including the value that was exported
(gc C:\secpol.cfg) -replace '^PasswordHistorySize\s*=.*$', 'PasswordHistorySize = 3' | Out-File C:\secpol.cfg

secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY

rm -force c:\secpol.cfg -confirm:$false

Write-Host "Setting 'PasswordHistorySize' has been set to 3."



Write-Host "All GPO settings were successfully applied."
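
A read-back check for the settings the worklet above applies, added here as an example and not part of the original post: it exports the local security policy with secedit, reads the screen saver entries back with PolicyFileEditor's Get-PolicyFileEntry, and compares both against the values set above. It assumes an elevated session with PolicyFileEditor already installed; the temp file name and variable names are illustrative.

```powershell
# Added verification sketch (not the poster's code). Run elevated, after the worklet.
# Expected values are the ones the worklet sets; variable names are illustrative.
$expectedSecPol = @{
    MaximumPasswordAge    = '365'
    PasswordComplexity    = '1'
    MinimumPasswordLength = '8'
    PasswordHistorySize   = '3'
}
$expectedScreenSaver = @{
    ScreenSaveActive    = '1'
    ScreenSaveTimeOut   = '900'
    ScreenSaverIsSecure = '1'
}

# Export the local security policy to a per-run temp file (assumed name).
$cfg = Join-Path $env:TEMP "secpol-verify-$PID.cfg"
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

# Parse "Name = Value" lines into a lookup table.
$actual = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $actual[$Matches[1]] = $Matches[2] }
}
Remove-Item $cfg -Force

$failures = 0
foreach ($name in $expectedSecPol.Keys) {
    if ($actual[$name] -ne $expectedSecPol[$name]) {
        Write-Host "MISMATCH $name : expected $($expectedSecPol[$name]), found '$($actual[$name])'"
        $failures++
    }
}

# Read the screen saver entries back from the user Registry.pol.
$pol = "$env:windir\system32\GroupPolicy\User\Registry.pol"
$key = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
foreach ($name in $expectedScreenSaver.Keys) {
    $entry = Get-PolicyFileEntry -Path $pol -Key $key -ValueName $name
    if (-not $entry -or "$($entry.Data)" -ne $expectedScreenSaver[$name]) {
        Write-Host "MISMATCH $name : expected $($expectedScreenSaver[$name]), found '$($entry.Data)'"
        $failures++
    }
}

# Exit code 0 means every setting matched; non-zero means at least one did not.
if ($failures -eq 0) { Write-Host 'All settings verified.'; exit 0 }
exit 1
```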