Scripting Configuration of Password Policy, Account Lockout Policy, Audit Policy, and User Rights

  • Question

  • Hi,

    I'm really new to PowerShell and scripting in general but I'm trying to take my best shot at scripting a total security configuration of GPEdit. For most items like in the Security Options directory, each item has a directory that matches a registry path that can easily be scripted. However, the 4 paths listed in the title, passwords, account lockout, auditing, and user rights are not registry keys, and therefore can't be scripted using the same method.

    I have heard that there are other methods of scripting such policies like using SecEdit. The only problem is I'm not sure how to do that and I'd rather not spend a month learning PowerShell and SecEdit just for one script.

    Please help me figure out a solution.

    Sunday, November 4, 2018 6:47 PM

Answers

  • We never script that.  That is what Group Policy is for.  Some settings are in the protected security key of the system and cannot be changed with a script.

    User rights can only be set by directly modifying the security database and using SecEdit to apply the updates to the database.

    There is no need to do any of this since Group Policy is specifically designed and has the correct agents to make these modifications across an enterprise.


    \_(ツ)_/

    • Marked as answer by ethang7 Monday, November 5, 2018 6:11 PM
    Sunday, November 4, 2018 7:39 PM

All replies

  • While it is true that it isn't often scripted, it's definitely possible because I know people personally that have done it.
    Monday, November 5, 2018 6:12 PM
  • While it is true that it isn't often scripted, it's definitely possible because I know people personally that have done it.

    Then you know about SecEdit and the security database.

    \_(ツ)_/

    Monday, November 5, 2018 9:27 PM
  • I've heard that there is a way. I'm asking how to use it... the whole point of this thread...
    Monday, November 5, 2018 9:43 PM
  • There are examples in the Gallery on how to use SecEdit.  It is not a scripting issue but is a method of using a system utility.

    You can also search for examples of using SecEdit.


    \_(ツ)_/


    • Edited by jrv Monday, November 5, 2018 9:47 PM
    Monday, November 5, 2018 9:46 PM
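
The SecEdit approach mentioned in the replies above, as an added example that is not part of the thread or any poster's code: a security template covers password policy, account lockout and user rights, and `auditpol` covers audit policy. The working folder, every setting value and the choice of audit subcategories are constructed for illustration, and the subcategory names assume an English-language Windows installation.

```powershell
# Added example: constructed baseline values, adjust before use.
# Run from an elevated PowerShell prompt on the machine being configured.
$work = Join-Path $env:TEMP 'secpol-baseline'   # hypothetical working folder
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'baseline.inf'; $db = Join-Path $work 'baseline.sdb'

# 1. Export the current settings first so the change can be reviewed or rolled back.
secedit /export /cfg (Join-Path $work 'before.inf') /areas SECURITYPOLICY USER_RIGHTS

# 2. Security template. [System Access] holds password and lockout policy.
#    A [Privilege Rights] line REPLACES the whole assignment for that right.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
MaximumPasswordAge = 60
MinimumPasswordAge = 1
LockoutBadCount = 5
ResetLockoutCount = 15
LockoutDuration = 15
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
'@
Set-Content -Path $inf -Value $template -Encoding Unicode

# 3. Check the template syntax, then apply only the two areas it defines.
secedit /validate $inf
if ($LASTEXITCODE -ne 0) { throw "Template failed validation: $inf" }
secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY USER_RIGHTS /log (Join-Path $work 'apply.log')
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed, see apply.log in $work" }

# 4. Audit policy is set per subcategory with auditpol rather than the template.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

# 5. Read the effective values back to confirm the change took effect.
net accounts
auditpol /get /category:"Logon/Logoff"
```

On a domain-joined machine, settings delivered by domain Group Policy are reapplied at the next policy refresh and take precedence over what this writes locally.
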
  • Why?

    -- Bill Stewart [Bill_Stewart]

    Monday, November 5, 2018 10:01 PM
    Moderator
  • I'm part of a competition which requires securing a computer in the shortest amount of time, and a tailorable script would be very helpful to use.
    Monday, November 5, 2018 10:59 PM
  • If you are competing then it is up to you to design and write the script.  Asking us to do it is cheating.

    If there is enough money involved I will enter the contest and post the script.

    The fastest way to absolutely secure a computer is to turn it off ;)

    The second fastest way is to apply a Group Policy policy that sets all of the security.


    \_(ツ)_/

    Monday, November 5, 2018 11:10 PM