Worklet: Change Local GPO + Security Options

Disclaimer: This uses a 3rd party PowerShell addon called “PolicyFileEditor”. The addon is trusted and has around 29M downloads. Another addon named “NuGet” is installed as PolicyFileEditor doesn't seem to work without it. More detail on the addon can be found here: https://www.powershellgallery.com/packages/PolicyFileEditor/3.0.1

Hello All!

Just made this worklet and thought I’d share in case anyone else finds it useful.

Use case: For remote employees that are off domain network and cannot have GPOs applied to them and need to have password policies applied to their machines for compliance reasons.

The worklet is pretty straightforward and labeled. You can feel free to remove the “Write-Host” lines as they are just for reporting purposes.

Code:
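#Set Execution policy to allow for 3rd party modules
#(scoped to this PowerShell process so the machine-wide policy is left unchanged after the worklet exits)
Set-ExecutionPolicy Unrestricted -Scope Process -Force

#Install NuGet which is needed for PolicyFileEditor
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force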

#Install PolicyFileEditor
Install-Module -Name PolicyFileEditor -RequiredVersion 3.0.1 -Force

#Designate the User's local group policy directory
$UserDir = "$env:windir\system32\GroupPolicy\User\Registry.pol"

#Enable the Screen Saver
$RegPath = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$RegName = 'ScreenSaveActive'
$RegData = '1'
$RegType = 'String'

Set-PolicyFileEntry -Path $UserDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType
Write-Host "Setting 'Enable Screen Saver' has been enabled."

#Enable and set screen saver timeout
$RegPath = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$RegName = 'ScreenSaveTimeOut'
$RegData = '900'
$RegType = 'String'

Set-PolicyFileEntry -Path $UserDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType
Write-Host "Setting 'Screen Saver Timeout' has been set to 15 minutes."

#Password protect the screen saver
$RegPath = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$RegName = 'ScreenSaverIsSecure'
$RegData = '1'
$RegType = 'String'

Set-PolicyFileEntry -Path $UserDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType
Write-Host "Setting 'Password protect the screen saver' is enabled."

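#Set password age settings
#(the whole exported line is replaced; a plain .replace() on "MaximumPasswordAge =" would leave the old value after the new one)
secedit /export /cfg c:\secpol.cfg
(gc C:\secpol.cfg) -replace '^MaximumPasswordAge\s*=.*$', 'MaximumPasswordAge = 365' | Out-File C:\secpol.cfg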
secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY
rm -force c:\secpol.cfg -confirm:$false
Write-Host "Setting 'Maximum Password Age' has been set to 365 days."

#Set password complexity settings
secedit /export /cfg c:\secpol.cfg
(gc C:\secpol.cfg) -replace '^PasswordComplexity\s*=.*$', 'PasswordComplexity = 1' | Out-File C:\secpol.cfg
secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY
rm -force c:\secpol.cfg -confirm:$false
Write-Host "Setting 'Password Complexity' has been enabled."

#Set password length settings
secedit /export /cfg c:\secpol.cfg
(gc C:\secpol.cfg) -replace '^MinimumPasswordLength\s*=.*$', 'MinimumPasswordLength = 8' | Out-File C:\secpol.cfg
secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY
rm -force c:\secpol.cfg -confirm:$false
Write-Host "Setting 'Minimum Password Length' has been set to 8."

#Set password history settings
secedit /export /cfg c:\secpol.cfg
(gc C:\secpol.cfg) -replace '^PasswordHistorySize\s*=.*$', 'PasswordHistorySize = 3' | Out-File C:\secpol.cfg
secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY
rm -force c:\secpol.cfg -confirm:$false
Write-Host "Setting 'PasswordHistorySize' has been set to 3."

Write-Host "All GPO settings were successfully applied."
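
A read-back check for the settings this worklet applies, as an added example that is not part of the original post: it re-exports the security policy and re-reads the user Registry.pol, then compares each value with the one the worklet sets, so a failed `secedit /configure` is caught instead of being reported as success. Assumptions: it runs elevated after the worklet, PolicyFileEditor is already installed, and the variable names and the temp-file name are chosen here for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: audit of the values the worklet sets (read-only apart from a temp export file).

# Expected values, taken from the worklet above
$expectedSec = @{
    MaximumPasswordAge    = '365'
    PasswordComplexity    = '1'
    MinimumPasswordLength = '8'
    PasswordHistorySize   = '3'
}
$expectedPol = @{
    ScreenSaveActive    = '1'
    ScreenSaveTimeOut   = '900'
    ScreenSaverIsSecure = '1'
}

# Export the effective security policy to a uniquely named temp file (name is an assumption)
$cfg = Join-Path $env:TEMP ("secpol-{0}.cfg" -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

# Parse "Name = Value" lines; registry-value lines contain backslashes and are skipped by \w+
$actual = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(\w+)\s*=\s*(.*)$') { $actual[$Matches[1]] = $Matches[2].Trim() }
}
Remove-Item $cfg -Force

$results = @(foreach ($name in $expectedSec.Keys) {
    [pscustomobject]@{ Source = 'secedit'; Setting = $name
        Expected = $expectedSec[$name]; Actual = $actual[$name]
        Ok = ($actual[$name] -eq $expectedSec[$name]) }
})

# Read the same entries back from the user policy file with PolicyFileEditor
$polFile = "$env:windir\system32\GroupPolicy\User\Registry.pol"
$polKey  = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$results += @(foreach ($name in $expectedPol.Keys) {
    $entry = Get-PolicyFileEntry -Path $polFile -Key $polKey -ValueName $name
    [pscustomobject]@{ Source = 'Registry.pol'; Setting = $name
        Expected = $expectedPol[$name]; Actual = $entry.Data
        Ok = ("$($entry.Data)" -eq $expectedPol[$name]) }
})

$results | Format-Table -AutoSize
# Non-zero exit lets the management tool flag the device as non-compliant
if ($results.Ok -contains $false) { exit 1 }
```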