Modify Local Security Policy using Powershell
I use Windows Server 2012.
I can do this:
In Administrative Tools folder, double click the Local Security Policy icon, expand Account Policies and click Password Policy.
In the right pane double click Password must meet complexity requirements and set it to Disabled. Click OK to save your policy change.
How can I do it programmatically using Powershell?
There is no pure powershell way of doing it as per @Kayasax's answer, you have to wrap secedit into Powershell.
secedit /export /cfg c:\secpol.cfg
(gc C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg
secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY
rm -force c:\secpol.cfg -confirm:$false
I decided to write a couple functions to make this process easier.
Parse-SecPol
: will turn Local Security Policy into a PsObject. You can view all the properties and make changed to the object.
Set-SecPol
: will turn the Parse-SecPol
object back into a config file and import it to into the Local Security Policy.
Here is a example of its usage :
Function Parse-SecPol($CfgFile){
secedit /export /cfg "$CfgFile" | out-null
$obj = New-Object psobject
$index = 0
$contents = Get-Content $CfgFile -raw
[regex]::Matches($contents,"(?<=\[)(.*)(?=\])") | %{
$title = $_
[regex]::Matches($contents,"(?<=\]).*?((?=\[)|(\Z))", [System.Text.RegularExpressions.RegexOptions]::Singleline)[$index] | %{
$section = new-object psobject
$_.value -split "\r\n" | ?{$_.length -gt 0} | %{
$value = [regex]::Match($_,"(?<=\=).*").value
$name = [regex]::Match($_,".*(?=\=)").value
$section | add-member -MemberType NoteProperty -Name $name.tostring().trim() -Value $value.tostring().trim() -ErrorAction SilentlyContinue | out-null
}
$obj | Add-Member -MemberType NoteProperty -Name $title -Value $section
}
$index += 1
}
return $obj
}
Function Set-SecPol($Object, $CfgFile){
$SecPool.psobject.Properties.GetEnumerator() | %{
"[$($_.Name)]"
$_.Value | %{
$_.psobject.Properties.GetEnumerator() | %{
"$($_.Name)=$($_.Value)"
}
}
} | out-file $CfgFile -ErrorAction Stop
secedit /configure /db c:\windows\security\local.sdb /cfg "$CfgFile" /areas SECURITYPOLICY
}
$SecPool = Parse-SecPol -CfgFile C:\test\Test.cgf
$SecPool.'System Access'.PasswordComplexity = 1
$SecPool.'System Access'.MinimumPasswordLength = 8
$SecPool.'System Access'.MaximumPasswordAge = 60
Set-SecPol -Object $SecPool -CfgFile C:\Test\Test.cfg
I use Windows 7
I have solved it by using the following powershell script
$name = $PSScriptRoot + "\" + $MyInvocation.MyCommand.Name
if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$name`"" -Verb RunAs; exit }
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$Name = "LimitBlankPasswordUse"
$value = "0"
New-ItemProperty -Path $registryPath -Name $name -Value $value ` -PropertyType DWORD -Force | Out-Null
This script will automatically run as admin, if not already opened in admin mode
I Also tried the script Raf wrote. I had version 2.0, but I only got it to work with version 4.0