Modify Local Security Policy using Powershell

I use Windows Server 2012.

I can do this:

In Administrative Tools folder, double click the Local Security Policy icon, expand Account Policies and click Password Policy.

In the right pane double click Password must meet complexity requirements and set it to Disabled. Click OK to save your policy change.

How can I do it programmatically using PowerShell?

Kiquenet asked Apr 24 '14 05:04



2 Answers

There is no pure PowerShell way of doing it as per @Kayasax's answer; you have to wrap secedit into PowerShell.

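# Export the current local security policy to a temporary file
secedit /export /cfg c:\secpol.cfg
# Turn off the password complexity requirement in the exported copy
(gc C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg
# Apply the edited file to the local security database
secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY
# Remove the temporary export
rm -force c:\secpol.cfg -confirm:$false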

Raf answered Oct 14 '22 06:10


I decided to write a couple of functions to make this process easier.

Parse-SecPol: will turn the Local Security Policy into a PsObject. You can view all the properties and make changes to the object.

Set-SecPol: will turn the Parse-SecPol object back into a config file and import it into the Local Security Policy.

Here is an example of its usage:

Function Parse-SecPol($CfgFile){ 
    # Export the current local security policy to $CfgFile
    secedit /export /cfg "$CfgFile" | out-null
    $obj = New-Object psobject
    $index = 0
    $contents = Get-Content $CfgFile -raw
    # Each [Section] header becomes a property on $obj
    [regex]::Matches($contents,"(?<=\[)(.*)(?=\])") | %{
        $title = $_
        # Take the body that follows the header with the same index
        [regex]::Matches($contents,"(?<=\]).*?((?=\[)|(\Z))", [System.Text.RegularExpressions.RegexOptions]::Singleline)[$index] | %{
            $section = new-object psobject
            # Split the body into "name = value" lines and add each as a property
            $_.value -split "\r\n" | ?{$_.length -gt 0} | %{
                $value = [regex]::Match($_,"(?<=\=).*").value
                $name = [regex]::Match($_,".*(?=\=)").value
                $section | add-member -MemberType NoteProperty -Name $name.tostring().trim() -Value $value.tostring().trim() -ErrorAction SilentlyContinue | out-null
            }
            $obj | Add-Member -MemberType NoteProperty -Name $title -Value $section
        }
        $index += 1
    }
    return $obj
}

Function Set-SecPol($Object, $CfgFile){
   # Write the object passed in -Object back out as [Section] / name=value lines
   $Object.psobject.Properties.GetEnumerator() | %{
        "[$($_.Name)]"
        $_.Value | %{
            $_.psobject.Properties.GetEnumerator() | %{
                "$($_.Name)=$($_.Value)"
            }
        }
    } | out-file $CfgFile -ErrorAction Stop
    # Import the rebuilt file into the local security database
    secedit /configure /db c:\windows\security\local.sdb /cfg "$CfgFile" /areas SECURITYPOLICY
}


$SecPool = Parse-SecPol -CfgFile C:\Test\Test.cfg
$SecPool.'System Access'.PasswordComplexity = 1
$SecPool.'System Access'.MinimumPasswordLength = 8
$SecPool.'System Access'.MaximumPasswordAge = 60

Set-SecPol -Object $SecPool -CfgFile C:\Test\Test.cfg

ArcSet answered Oct 14 '22 06:10
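
An audit-side complement to the two answers, as an added example that is not part of either answer: it reads the same secedit export and reports whether the [System Access] password settings meet a baseline. Test-PasswordPolicy, its parameters and the sample file are hypothetical names; the default baseline reuses the values set in ArcSet's usage example.

```powershell
# Added example, not from either answer. Test-PasswordPolicy and its parameters are
# hypothetical names; the default baseline uses the values set in ArcSet's usage example.
function Test-PasswordPolicy {
    param(
        [string]$Path,  # existing "secedit /export" file; when omitted, the live policy is exported
        [hashtable]$Baseline = @{ PasswordComplexity = 1; MinimumPasswordLength = 8; MaximumPasswordAge = 60 }
    )
    $temp = $null
    try {
        if (-not $Path) {
            $temp = $Path = [IO.Path]::GetTempFileName()
            secedit /export /cfg $Path /areas SECURITYPOLICY /quiet | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
        }
        # Collect "Name = Value" pairs from the [System Access] section only.
        $section = ''
        $found = @{}
        foreach ($line in Get-Content -Path $Path) {
            if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
            if ($section -eq 'System Access' -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
                $found[$Matches[1]] = $Matches[2]
            }
        }
        foreach ($name in ($Baseline.Keys | Sort-Object)) {
            $actual = $null
            $ok = $false   # a setting missing from the export counts as non-compliant
            if ($found.ContainsKey($name)) {
                $actual = [int]$found[$name]
                if ($name -eq 'MaximumPasswordAge') {
                    # -1 means passwords never expire, so it cannot satisfy a maximum age.
                    $ok = ($actual -ge 1) -and ($actual -le $Baseline[$name])
                } else {
                    $ok = $actual -ge $Baseline[$name]
                }
            }
            [pscustomobject]@{ Setting = $name; Expected = $Baseline[$name]; Actual = $actual; Compliant = $ok }
        }
    }
    finally {
        # The export describes the host's security policy; do not leave it on disk.
        if ($temp) { Remove-Item -Path $temp -Force -ErrorAction SilentlyContinue }
    }
}

# Constructed sample export, so the check can be tried without touching the host.
$sample = Join-Path $env:TEMP 'secpol-sample.inf'
"[Unicode]", "Unicode=yes", "[System Access]", "MinimumPasswordLength = 8",
    "PasswordComplexity = 0", "MaximumPasswordAge = -1" | Set-Content -Path $sample
Test-PasswordPolicy -Path $sample
Remove-Item -Path $sample
```

Called without -Path from an elevated session, the function exports the live policy instead of reading the sample file.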