Reporting Account Lockout Policy Settings using Powershell Script

My objective is to utilize Powershell to generate a report that contains certain details regarding account lockout configurations. These details include the lockout threshold and duration, as well as the status of this machine’s lockout. Additionally, there is an attribute that determines the observation window for user account lockouts.

Question:

I possess some computers that are situated outside of the network, which are not authorized to possess the PS AD module.

My objective is to utilize Powershell for generating a report on certain account lockout configurations. Specifically, I need to obtain information on the lockout threshold, duration, and determine if the machine is currently locked out.

The information I came across during my searches pertained to the Active directory PS module and remoteAccess. However, none of it was relevant to my requirements.

In addition to searching, I have also checked the registry for any keys that pertain to the lockout settings for the local system. However, my search yielded no results. I only found references to the maxDenial setting for remote access, but not for the local setting.

Besides launching the gpedit tool to access the local policy, I was looking for a method to utilize Powershell for generating a report on the present local configurations.

Any assistance, guidance, or expertise provided would be highly valued.


Solution 1:

By discovering the information from ‘net accounts,’ I was able to successfully create a script that rapidly showed the Lockout policy details. The resulting output from ‘net accounts’ is provided below.

PS C:\Users\Siduser> net accounts
Force user logoff how long after time expires?:       0
Minimum password age (days):                          1
Maximum password age (days):                          60
Minimum password length:                              14
Length of password history maintained:                24
Lockout threshold:                                    3
Lockout duration (minutes):                           15
Lockout observation window (minutes):                 15
Computer role:                                        WORKSTATION
The command completed successfully.

The purpose of this code snippet was to store information in a variable.

$lockoutObj = net accounts | Select-String threshold   # the "Lockout threshold:" line
$lockoutStr = $lockoutObj.ToString()
$lockoutStr -match '\d{1,3}' | Out-Null                # first run of 1-3 digits is the value
$LO_threshold = $matches[0]
PS C:\Users\Siduser> echo $LO_threshold
3

This command (elevated priv. required) is used to set the lockout threshold.

PS C:\Users\Siduser> net accounts /lockoutthreshold:10
The command completed successfully
PS C:\Users\Siduser> net accounts
Force user logoff how long after time expires?:       0
Minimum password age (days):                          1
Maximum password age (days):                          60
Minimum password length:                              14
Length of password history maintained:                24
Lockout threshold:                                    10
Lockout duration (minutes):                           15
Lockout observation window (minutes):                 15
Computer role:                                        WORKSTATION
The command completed successfully.
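As an added example (not part of the answer above), the following script parses the full text that net accounts prints into an object rather than regex-matching one line, treats the "Never" value correctly, and compares the result against a baseline. The sample output and the baseline numbers (MaxThreshold, MinDurationMinutes) are constructed assumptions for the example.

```powershell
# Parse "net accounts" text into an object and check the lockout values against a baseline.
# On a real host replace $sample with:  $raw = net accounts
function ConvertFrom-NetAccounts {
    param([string[]]$Lines)
    $map = @{
        'Lockout threshold'                    = 'LockoutThreshold'
        'Lockout duration (minutes)'           = 'LockoutDurationMinutes'
        'Lockout observation window (minutes)' = 'ObservationWindowMinutes'
    }
    $result = [ordered]@{}
    foreach ($line in $Lines) {
        # Every row is "<label>:<padding><value>"; labels may contain "?"
        if ($line -match '^(?<label>.+?):\s+(?<value>\S.*)$') {
            $key = $map[$Matches.label]
            if ($key) {
                $value = $Matches.value.Trim()
                # "Never" = lockout disabled (threshold) or counter never resets
                $result[$key] = if ($value -match '^\d+$') { [int]$value } else { $value }
            }
        }
    }
    [pscustomobject]$result
}

function Test-LockoutPolicy {
    # Baseline numbers are assumptions for this example, not a published standard
    param([pscustomobject]$Policy, [int]$MaxThreshold = 10, [int]$MinDurationMinutes = 15)
    $findings = @()
    if ($null -eq $Policy.LockoutThreshold) {
        $findings += 'Lockout threshold line not found (localized output?)'
    } elseif ($Policy.LockoutThreshold -isnot [int]) {
        $findings += 'Lockout threshold is "Never": account lockout is disabled'
    } elseif ($Policy.LockoutThreshold -gt $MaxThreshold) {
        $findings += "Lockout threshold $($Policy.LockoutThreshold) exceeds baseline $MaxThreshold"
    }
    if ($Policy.LockoutDurationMinutes -is [int] -and $Policy.LockoutDurationMinutes -lt $MinDurationMinutes) {
        $findings += "Lockout duration $($Policy.LockoutDurationMinutes) min is below baseline $MinDurationMinutes"
    }
    $findings
}

# Constructed sample in the layout "net accounts" prints (lockout disabled here)
$sample = @'
Force user logoff how long after time expires?:       0
Lockout threshold:                                    Never
Lockout duration (minutes):                           15
Lockout observation window (minutes):                 15
'@ -split '\r?\n'
$policy = ConvertFrom-NetAccounts -Lines $sample
$policy | Format-List; Test-LockoutPolicy -Policy $policy
```

With the sample above the check reports that lockout is disabled; with a numeric threshold it reports nothing unless the value falls outside the baseline.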


Solution 2:


You find yourself in a figurative dilemma if you are limited in some way.

In case these machines are not joined to the domain, it implies that the settings were manually configured by you or someone else. Therefore, I am uncertain about the relevance of AD cmdlet, given that the settings reside in the local policy.

Utilize either secedit.exe or the PolicyFileEditor module found in MS powershellgallery.com, among other options, to accomplish this task.

Find-Module -Name '*policy*' | Format-Table -AutoSize
Version  Name                                          Repository Description                                                                                       
-------  ----                                          ---------- -----------                                                                                       
...
3.0.1    PolicyFileEditor                              PSGallery  Commands and DSC resource for modifying Administrative Templates settings in local GPO registry...
2.10.0.0 SecurityPolicyDsc                             PSGallery  This module is a wrapper around secedit.exe which provides the ability to configure user rights...
...
0.3      GPRegistryPolicy                              PSGallery  Module with cmdlets to work with GP Registry Policy .pol files                                    
0.2      GPRegistryPolicyParser                        PSGallery  Module with parser cmdlets to work with GP Registry Policy .pol files                             
1.1.0    GPRegistryPolicyDsc                           PSGallery  This resource module contains DSC resources used to apply and manage local group policies by mo...
...
1.0.1    GroupPolicyHelper                             PSGallery  Functions that ease your daily Group Policy Work                                                  
1.3.2    Indented.SecurityPolicy                       PSGallery  Security management functions and resources                                                       
...
1.0      ADPolicyAudit                                 PSGallery  Module to review infrastructure password policy 

Multiple online resources discuss the utilization of Secedit.exe for implementing lockout policies. A simple internet search with the keywords ‘secedit lockout policy’ would provide you with numerous results. You might come across various examples of the implementation process.

Clear-Host
$temp = "D:\temp"          # folder must already exist; secedit /export needs an elevated prompt
$file = "$temp\pol.txt"
$outHash = @{}
# /areas securitypolicy exports the [System Access] section, which holds the
# password and lockout settings, plus [Registry Values] lines that start with MACHINE\
$process = [diagnostics.process]::Start("secedit.exe", "/export /cfg $file /areas securitypolicy")
$process.WaitForExit()
$in = Get-Content $file
foreach ($line in $in)
{
    # keep the "Key = Value" lines for password/lockout settings, skip registry paths
    if (($line -like "*password*" -or $line -like "*lockout*") -and $line -notlike "machine*" -and $line -notlike "require*")
    {
        $policy, $values = $line -split "=", 2
        $policy = $policy.Trim()
        $values = $values.Trim()
        switch ($policy){                 # switch compares case-insensitively
        "passwordhistorysize"   {$policy = "Enforce Password History"}
        "maximumpasswordage"    {$policy = "Maximum Password Age"}
        "minimumpasswordage"    {$policy = "Minimum Password Age"}
        "minimumpasswordlength" {$policy = "Minimum Password Length"}
        "passwordcomplexity"    {$policy = "Password must meet complexity requirements"}
        "cleartextpassword"     {$policy = "Store Passwords Using Reversible Encryption"}
        "lockoutduration"       {$policy = "Account Lockout Duration"}
        "lockoutbadcount"       {$policy = "Account Lockout Threshold"}
        "resetlockoutcount"     {$policy = "Reset Account Lockout Counter After"}
        }
        $outHash.Add($policy,$values)     # friendly name -> raw value from the export
    }
}
$outHash | Format-Table -AutoSize
