Remove From My Forums

Issues retrieving settings from .cfg file

Question
0

Sign in to vote
So I am trying to check where the settings in localsecpol.cfg matched with the required settings, but it doesn't seem to work in which if I change the all the value in localsecpol.cfg to be 60 (or similar numbers), it will still comes out as desired.

Inside localsecpol.cfg (so if I change the value in here, it would still be desired)

PasswordHistory = 24

MaximumPasswordAge = 60

MinimumPasswordAge = 1

MinimumPasswordLength = 14

LockoutDuration = 15

LockoutBadCount = 60

This is my code.

secedit /export /cfg C:\localSecPol.cfg

$text = Get-Content C:\localSecPol.cfg
$pattern = @("PasswordHistorySize", "MaximumPasswordAge =", "MinimumPasswordAge", "MinimumPasswordLength", "LockoutDuration", "LockoutBadCount")
foreach ($element in $pattern) {
$securitySetting = $text | Select-String -Pattern $element
$desired = "$securitySetting is set to a desired setting"
$notDesired = "$securitySetting is not set to a desired setting"
if($securitySetting -match "24"){
Write-Host $desired
$score ++
}elseif($securitySetting -match "60"){
Write-Host $desired
$score ++
}elseif($securitySetting -match "1"){
Write-Host $desired
$score ++
}elseif($securitySetting -match "14"){
Write-Host $desired
$score ++
}elseif($securitySetting -match "15"){
Write-Host $desired
$score ++
}elseif($securitySetting -match "10"){
Write-Host $desired
$score ++
}else{
Write-Host $notDesired
}
}
- Edited by BobbyTan Monday, July 24, 2017 6:54 PM
Monday, July 24, 2017 6:29 PM

Answers

We can also do it this way:

$lines = Get-Content localSecPol.cfg
foreach($line in $lines) {
	switch -regex ($line) {
		'PasswordHistory = (\d+)' 		{$matches[1]}
		'MaximumPasswordAge = (\d+)' 	{$matches[1]}
	}
}

\_(ツ)_/

Edited by jrv Monday, July 24, 2017 7:28 PM
Marked as answer by BobbyTan Tuesday, July 25, 2017 4:14 PM

Monday, July 24, 2017 7:27 PM

All replies

0

Sign in to vote

What is the question? Why do you think you can change that file?
\_(ツ)_/

Monday, July 24, 2017 6:31 PM
0

Sign in to vote

Not to change the file but to do like an audit check to see whether the value in the file -matches with the value stated in the script. But it seems that if I we're to change the value in the file (to simulate other systems that might have different values), it still output as desired.

Monday, July 24, 2017 6:38 PM
0

Sign in to vote

Security templates are XML files. Where did you get this file?

\_(ツ)_/

Monday, July 24, 2017 6:39 PM
0

Sign in to vote

Extracted the local policy group settings as object and exported it into .txt to do a security auditing and hardening script.

Monday, July 24, 2017 6:45 PM
0

Sign in to vote

How are you extracting the gp settings?

\_(ツ)_/

Monday, July 24, 2017 6:48 PM
0

Sign in to vote
secedit /export /cfg C:\localSecPol.cfg

Missed it out in the original post. Just updated it.
- Edited by BobbyTan Monday, July 24, 2017 6:55 PM
Monday, July 24, 2017 6:51 PM

Ok. You will have to write a RegEx or just case the matches and test the current line.

Example:

$lines = Get-Content localSecPol.cfg
foreach($line in $lines) {
	switch -regex ($line) {
		'PasswordHistory' 		{ ($line -split ' = ')[1] }
		'MaximumPasswordAge ' 	{ ($line -split ' = ')[1] }
	}
}

\_(ツ)_/

Monday, July 24, 2017 7:24 PM

We can also do it this way:

$lines = Get-Content localSecPol.cfg
foreach($line in $lines) {
	switch -regex ($line) {
		'PasswordHistory = (\d+)' 		{$matches[1]}
		'MaximumPasswordAge = (\d+)' 	{$matches[1]}
	}
}

\_(ツ)_/

Edited by jrv Monday, July 24, 2017 7:28 PM
Marked as answer by BobbyTan Tuesday, July 25, 2017 4:14 PM

Monday, July 24, 2017 7:27 PM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

Issues retrieving settings from .cfg file

Question

Answers

All replies