Set-LocalPasswordPolicy.ps1
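Function Set-LocalPasswordPolicy {
    <#
    .SYNOPSIS
        Sets the local password policy
    .DESCRIPTION
        Sets the local password and account lockout policy.
        The current local security policy is exported with secedit, the "<Name> = <number>"
        line of every supplied parameter is rewritten in that export, and the result is
        applied with secedit /configure. The exported file is written to a uniquely named
        temporary file and is always deleted afterwards, including on failure.
        Must be run from an elevated (administrator) session.
    .PARAMETER PasswordComplexity
        Specifies whether passwords must meet complexity requirements.
        The boolean is written to the policy file as 1 or 0.
    .PARAMETER MinimumPasswordLength
        Specifies the minimum number of characters that passwords must contain.
    .PARAMETER MinimumPasswordAge
        Specifies the minimum number of days that passwords must be used before they can be changed.
    .PARAMETER MaximumPasswordAge
        Specifies the maximum number of days that passwords can be used before they must be changed.
    .PARAMETER PasswordHistorySize
        Specifies the number of new passwords that have to be associated with a user account before an old password can be reused.
    .PARAMETER LockoutBadCount
        Specifies the number of failed logon attempts that causes a user account to be locked out.
    .PARAMETER ResetLockoutCount
        Specifies the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts.
    .PARAMETER LockoutDuration
        Specifies the number of minutes a user account is locked out after the number of failed logon attempts specified by the LockoutBadCount parameter is exceeded.
    .EXAMPLE
        Set-LocalPasswordPolicy -PasswordComplexity $true -MinimumPasswordLength 8 -MinimumPasswordAge 1 -MaximumPasswordAge 90 -PasswordHistorySize 24 -LockoutBadCount 5 -ResetLockoutCount 15 -LockoutDuration 15
    .NOTES
        Author: Gabe Delaney
        Date: 05/23/2023
        Version: 1.0
        Name: Set-LocalPasswordPolicy
        Version History:
        1.0 - Initial release - 05/23/2023 - Gabe Delaney

        A setting is only changed when its line already exists in the exported policy.
        When it does not, a warning is written and the setting is left untouched, so
        check the warning stream before treating the host as configured.
    #>
    [CmdletBinding(SupportsShouldProcess=$true)]
    param (
        [Parameter(Mandatory=$true)]
        [boolean]$PasswordComplexity,
        [Parameter(Mandatory=$false)]
        [int]$MinimumPasswordLength,
        [Parameter(Mandatory=$false)]
        [int]$MinimumPasswordAge,
        [Parameter(Mandatory=$false)]
        [int]$MaximumPasswordAge,
        [Parameter(Mandatory=$false)]
        [int]$PasswordHistorySize,
        [Parameter(Mandatory=$false)]
        [int]$LockoutBadCount,
        [Parameter(Mandatory=$false)]
        [int]$ResetLockoutCount,
        [Parameter(Mandatory=$false)]
        [int]$LockoutDuration
    )
    Begin {
        # Check if the current user is elevated as admin
        $principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
        $is_admin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        If (-not $is_admin) {
            # Fail with a terminating error. A bare Break outside a loop unwinds into
            # whatever loop or script called this function instead of just stopping here.
            throw "You must run this function as an administrator."
        }

        # Allow-list of policy settings this function may rewrite. Iterating this list
        # (rather than every bound parameter) keeps common parameters such as -Verbose
        # or -Confirm from ever being treated as policy keys.
        $policy_keys = @(
            'PasswordComplexity',
            'MinimumPasswordLength',
            'MinimumPasswordAge',
            'MaximumPasswordAge',
            'PasswordHistorySize',
            'LockoutBadCount',
            'ResetLockoutCount',
            'LockoutDuration'
        )
    } Process {
        # Nothing is exported or written when -WhatIf is used or the prompt is declined.
        If (-not $PSCmdlet.ShouldProcess("$Env:COMPUTERNAME")) {
            Return
        }

        # Unique temp file instead of a fixed, predictable name. The export holds the
        # machine's security policy, so it must not outlive this call.
        $outfile = [System.IO.Path]::GetTempFileName()
        Try {
            # Export the current local security policy to the temp file
            secedit /export /cfg $outfile | Out-Null
            If ($LASTEXITCODE -ne 0) {
                throw "secedit /export failed with exit code $LASTEXITCODE; the local security policy was not changed."
            }

            # Read the exported policy as an array of lines
            $sec_pol_cfg = @(Get-Content -LiteralPath $outfile)

            Foreach ($key in $policy_keys) {
                If (-not $PSBoundParameters.ContainsKey($key)) {
                    Continue
                }
                # [boolean] becomes 1/0; the [int] parameters pass through unchanged
                [int]$value = $PSBoundParameters[$key]

                # Anchored to the whole line so only the setting itself can match, and
                # "-?" so an existing negative value (e.g. -1) is still replaced.
                $pattern = "^\s*$key\s*=\s*-?\d+\s*$"
                If (-not ($sec_pol_cfg -match $pattern)) {
                    Write-Warning "Setting '$key' was not found in the exported policy and was not changed."
                    Continue
                }
                $sec_pol_cfg = $sec_pol_cfg -replace $pattern, "$key = $value"
            }

            # Write the updated policy back. The encoding is pinned to UTF-16LE, which is
            # what Windows PowerShell's Out-File produced by default; newer PowerShell
            # versions default to a different encoding.
            $sec_pol_cfg | Out-File -LiteralPath $outfile -Encoding Unicode -Force

            secedit /configure /db c:\windows\security\local.sdb /cfg $outfile /areas SECURITYPOLICY | Out-Null
            If ($LASTEXITCODE -ne 0) {
                # Surface the failure instead of discarding it: a silently unapplied
                # policy would leave the host weaker than the caller believes.
                Write-Error "secedit /configure returned exit code $LASTEXITCODE; verify that the policy was applied."
            }
        } Finally {
            # Always remove the exported policy file, even when a step above failed
            Remove-Item -LiteralPath $outfile -Force -ErrorAction SilentlyContinue
        }
    } End {
        Return
    }
}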