I have a few computers outside the network that are not allowed to have the PS AD module installed.
All I want to do is use PowerShell to report some of the account lockout settings, specifically the lockout threshold, lockout duration, and whether this machine is locked out or not.
All I have found during my searches is info using the Active Directory PS module, and other references dealing with RemoteAccess. Neither of which fits my need.
I have also looked for registry keys related to the 'local' lockout settings but have not found anything (e.g. only refs to RemoteAccess MaxDenials, not the local setting).
Other than firing up gpedit and viewing the local policy, I was hoping there would be a way to use PowerShell to simply report the current local settings.
Any help/pointers/knowledge would be greatly appreciated.
Discovering this info from 'net accounts' ultimately worked for me, and I was able to write a script that quickly displays the lockout policy info. Here is the output from 'net accounts':
PS C:\Users\Siduser> net accounts
Force user logoff how long after time expires?: 0
Minimum password age (days): 1
Maximum password age (days): 60
Minimum password length: 14
Length of password history maintained: 24
Lockout threshold: 3
Lockout duration (minutes): 15
Lockout observation window (minutes): 15
Computer role: WORKSTATION
The command completed successfully.
This code snippet was created to get the info into a variable:
# Grab the "Lockout threshold" line, then pull out either the count or the word "Never"
$lockoutObj = net accounts | Select-String threshold
$lockoutStr = $lockoutObj.ToString()
$lockoutStr -match '\d{1,3}' | Out-Null
$lockoutStr -match 'Never' | Out-Null
$LO_threshold = $Matches[0]
PS C:\Users\Siduser> echo $LO_threshold
3
If you need to set the lockout threshold, use this command (elevated privileges needed):
PS C:\Users\Siduser> net accounts /lockoutthreshold:10
The command completed successfully.
PS C:\Users\Siduser> net accounts
Force user logoff how long after time expires?: 0
Minimum password age (days): 1
Maximum password age (days): 60
Minimum password length: 14
Length of password history maintained: 24
Lockout threshold: 10
Lockout duration (minutes): 15
Lockout observation window (minutes): 15
Computer role: WORKSTATION
The command completed successfully.
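The answer above parses a single line of 'net accounts' with two regexes. The following is an added example (not code from the original post) that turns the whole 'net accounts' output into an object, keeps the non-numeric values ("Never", "Unlimited") distinguishable, and answers the second half of the question, whether an account is locked out, with the WinNT ADSI provider, which needs no AD module. It assumes an English Windows install (net.exe labels are localized, so the label table must be adjusted for other languages) and PowerShell 5.1 or later; the sample output block is the output shown in the post and is embedded so the parser can be tried without running net.exe.

```powershell
# Added example (not code from the original post): parse 'net accounts' into an
# object and check whether a specific local account is locked out.
# Assumptions: English Windows (net.exe labels are localized), PowerShell 5.1+.

function ConvertFrom-NetAccounts {
    param([Parameter(Mandatory)][string[]]$Lines)

    # English labels as printed by net.exe, mapped to property names.
    $labels = @{
        'Force user logoff how long after time expires?' = 'ForceLogoffMinutes'
        'Minimum password age (days)'                    = 'MinPasswordAgeDays'
        'Maximum password age (days)'                    = 'MaxPasswordAgeDays'
        'Minimum password length'                        = 'MinPasswordLength'
        'Length of password history maintained'          = 'PasswordHistoryLength'
        'Lockout threshold'                              = 'LockoutThreshold'
        'Lockout duration (minutes)'                     = 'LockoutDurationMinutes'
        'Lockout observation window (minutes)'           = 'LockoutWindowMinutes'
        'Computer role'                                  = 'ComputerRole'
    }

    $result = [ordered]@{}
    foreach ($line in $Lines) {
        # Setting lines look like "<label>: <value>"; blank and status lines are skipped.
        if ($line -notmatch '^(?<label>[^:]+):\s*(?<value>\S.*?)\s*$') { continue }
        $label = $Matches['label'].Trim()
        if (-not $labels.ContainsKey($label)) { continue }
        $value = $Matches['value']
        # Numeric values become [int]; 'Never' (threshold) and 'Unlimited'
        # (maximum age) stay as strings so callers can tell the cases apart.
        if ($value -match '^\d+$') { $value = [int]$value }
        $result[$labels[$label]] = $value
    }
    [pscustomobject]$result
}

function Get-LocalLockoutPolicy {
    # Reading the policy does not require elevation; only changing it does.
    $raw = & net.exe accounts 2>&1
    if ($LASTEXITCODE -ne 0) { throw "net accounts failed: $raw" }
    ConvertFrom-NetAccounts -Lines ([string[]]$raw)
}

function Test-LocalAccountLockedOut {
    param([Parameter(Mandatory)][string]$UserName)
    # The WinNT ADSI provider exposes IsAccountLocked for local accounts and needs
    # no AD module. Lockout is per account, not per machine.
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
    [bool]$user.InvokeGet('IsAccountLocked')
}

# Constructed sample (the output shown in the post) so the parser can be tried
# without running net.exe:
$sample = @'
Force user logoff how long after time expires?: 0
Minimum password age (days): 1
Maximum password age (days): 60
Minimum password length: 14
Length of password history maintained: 24
Lockout threshold: 3
Lockout duration (minutes): 15
Lockout observation window (minutes): 15
Computer role: WORKSTATION
The command completed successfully.
'@ -split "`r?`n"

$policy = ConvertFrom-NetAccounts -Lines $sample
"Threshold: $($policy.LockoutThreshold), duration: $($policy.LockoutDurationMinutes) min, window: $($policy.LockoutWindowMinutes) min"

# Live values and a lockout check for a local account (replace the name):
# Get-LocalLockoutPolicy | Format-List
# Test-LocalAccountLockedOut -UserName 'Siduser'
```

A threshold of "Never" comes back as the string 'Never' rather than 0, so a caller can test `$policy.LockoutThreshold -is [int]` before doing arithmetic on it. Because net.exe prints localized labels, the same script on a non-English system silently returns an empty object; the secedit export discussed in the other answer does not have that problem, since its keys are not localized.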
Ah, restricted, then; you are in a proverbial catch-22.
Yet, if they are not part of the domain, then that means you or someone had to make these settings manually as well. So, I am not sure how the AD cmdlets would have ever come up, since these are not domain-joined machines and the settings are in the local policy.
So, secedit.exe is your tool for this effort, or leverage the PolicyFileEditor module from the MS PowerShell Gallery (powershellgallery.com), or one of the others.
Find-Module -Name '*policy*' | Format-Table -AutoSize

Version  Name                    Repository Description
-------  ----                    ---------- -----------
...
3.0.1    PolicyFileEditor        PSGallery  Commands and DSC resource for modifying Administrative Templates settings in local GPO registry...
2.10.0.0 SecurityPolicyDsc       PSGallery  This module is a wrapper around secedit.exe which provides the ability to configure user rights...
...
0.3      GPRegistryPolicy        PSGallery  Module with cmdlets to work with GP Registry Policy .pol files
0.2      GPRegistryPolicyParser  PSGallery  Module with parser cmdlets to work with GP Registry Policy .pol files
1.1.0    GPRegistryPolicyDsc     PSGallery  This resource module contains DSC resources used to apply and manage local group policies by mo...
...
1.0.1    GroupPolicyHelper       PSGallery  Functions that ease your daily Group Policy Work
1.3.2    Indented.SecurityPolicy PSGallery  Security management functions and resources
...
1.0      ADPolicyAudit           PSGallery  Module to review infrastructure password policy
For secedit.exe, there are several posts about such a use case, and a quick web search for 'secedit lockout policy' would show you that. For example, you could end up with this sort of effort:
Clear-Host
$temp = "D:\temp"
$file = "$temp\pol.txt"
$outHash = [ordered]@{}
# secedit /export needs an elevated prompt; the export is written as UTF-16 with a BOM, which Get-Content decodes
$process = [diagnostics.process]::Start("secedit.exe", "/export /cfg $file /areas securitypolicy")
$process.WaitForExit()
$in = Get-Content $file
foreach ($line in $in)
{
    # -and binds tighter than -or, so the password/lockout test must be parenthesized;
    # otherwise the "machine\" and "require*" exclusions only apply to the lockout lines
    if (($line -like "*password*" -or $line -like "*lockout*") -and $line -notlike "machine\*" -and $line -notlike "require*")
    {
        $policy = $line.Substring(0, $line.IndexOf("=")).Trim()
        # switch is case-insensitive; the keys are the names secedit writes under [System Access]
        switch ($policy) {
            "passwordhistorysize"   {$policy = "Enforce password history"}
            "maximumpasswordage"    {$policy = "Maximum Password Age"}
            "minimumpasswordage"    {$policy = "Minimum Password Age"}
            "minimumpasswordlength" {$policy = "Minimum Password Length"}
            "passwordcomplexity"    {$policy = "Password must meet complexity requirements"}
            "cleartextpassword"     {$policy = "Store Passwords Using Reversible Encryption"}
            "lockoutduration"       {$policy = "Account Lockout Duration"}
            "lockoutbadcount"       {$policy = "Account Lockout Threshold"}   # the key is LockoutBadCount, not LockoutBadAccount
            "resetlockoutcount"     {$policy = "Reset Account Lockout Counter After"}
        }
        $values = $line.Substring($line.IndexOf("=") + 1).Trim()
        $outHash[$policy] = $values
    }
}
$outHash | Format-Table -AutoSize
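The script above scans the export line by line and keys off the words "password" and "lockout". The following is an added example (not code from the original answer) that instead parses the secedit export by section, which avoids the precedence and key-name pitfalls entirely, reads only the lockout keys from [System Access], and runs the result through a baseline check. It assumes the export is produced from an elevated prompt; the baseline numbers in Test-LockoutBaseline are illustrative assumptions, not taken from any standard; and the sample export embedded below is constructed in the format secedit writes, with made-up values, so the parser can be tried without elevation.

```powershell
# Added example (not code from the original answer): export the local security
# policy with secedit.exe, parse the INF export section by section, and compare
# the lockout values against a baseline.
# Assumptions: secedit /export runs elevated; baseline numbers are illustrative.

function ConvertFrom-SeceditInf {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Returns @{ '<section>' = [ordered]@{ key = value } } for each [section].
    $sections = @{}
    $current = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }        # blank or comment
        if ($t -match '^\[(?<name>[^\]]+)\]$') {                  # [Section] header
            $current = $Matches['name']
            $sections[$current] = [ordered]@{}
            continue
        }
        $idx = $t.IndexOf('=')
        if ($null -eq $current -or $idx -lt 0) { continue }
        $sections[$current][$t.Substring(0, $idx).Trim()] = $t.Substring($idx + 1).Trim()
    }
    $sections
}

function ConvertTo-LockoutPolicy {
    param([Parameter(Mandatory)][hashtable]$Sections)
    $sa = $Sections['System Access']
    if ($null -eq $sa) { throw 'No [System Access] section in the export' }
    # The duration and reset keys may be absent when LockoutBadCount is 0, so
    # missing keys are reported as $null rather than 0. LockoutDuration = -1
    # means the account stays locked until an administrator unlocks it.
    $values = @{}
    foreach ($k in 'LockoutBadCount', 'LockoutDuration', 'ResetLockoutCount') {
        $values[$k] = if ($sa.Contains($k)) { [int]$sa[$k] } else { $null }
    }
    [pscustomobject]@{
        LockoutThreshold       = $values['LockoutBadCount']
        LockoutDurationMinutes = $values['LockoutDuration']
        ResetCounterMinutes    = $values['ResetLockoutCount']
    }
}

function Get-SeceditLockoutPolicy {
    # secedit /export needs an elevated prompt; the file is UTF-16 with a BOM,
    # which Get-Content decodes. The temp file is removed afterwards.
    $file = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $file /areas SECURITYPOLICY | Out-Null
        if (-not (Test-Path $file)) { throw 'secedit export failed; run from an elevated prompt' }
        ConvertTo-LockoutPolicy -Sections (ConvertFrom-SeceditInf -Lines (Get-Content -Path $file))
    } finally {
        Remove-Item -Path $file -Force -ErrorAction SilentlyContinue
    }
}

function Test-LockoutBaseline {
    param([Parameter(Mandatory)]$Policy)
    # Illustrative baseline (assumption, not a standard): threshold between 1 and 10
    # bad attempts, reset counter and lockout duration at least 15 minutes
    # (a duration of -1, admin unlock, is accepted). Returns the list of findings.
    $findings = @()
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += 'Lockout threshold is 0: accounts never lock out'
    } elseif ($Policy.LockoutThreshold -gt 10) {
        $findings += "Lockout threshold $($Policy.LockoutThreshold) is above 10"
    } else {
        if ($Policy.ResetCounterMinutes -lt 15) { $findings += 'Reset counter is below 15 minutes' }
        if ($Policy.LockoutDurationMinutes -ne -1 -and $Policy.LockoutDurationMinutes -lt 15) {
            $findings += 'Lockout duration is below 15 minutes'
        }
    }
    $findings
}

# Constructed sample export (the format secedit writes; values are made up) so the
# parser and baseline check can be tried without elevation:
$sampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 3
ResetLockoutCount = 15
LockoutDuration = 15
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

$policy = ConvertTo-LockoutPolicy -Sections (ConvertFrom-SeceditInf -Lines $sampleInf)
$policy | Format-List
$findings = Test-LockoutBaseline -Policy $policy
if ($findings) { $findings } else { 'Lockout policy meets the baseline' }
# Live (elevated): Test-LockoutBaseline -Policy (Get-SeceditLockoutPolicy)
```

Because the parser keys on the section name and the exact key names, a [Registry Values] line such as a MACHINE\...\LimitBlankPasswordUse entry can never be mistaken for a lockout setting, which is the failure mode the wildcard scan above has to guard against with -notlike clauses. The export file is deleted in the finally block even when parsing throws, so no copy of the policy is left in the temp directory.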