I'm looking to define a security policy via Kaseya script specifically around the Local Security settings Policy in Windows 10. We have a client with a local workgroup environment where we want to enforce password age, length and complexity.
The script in a forum post I found in Kaseya (https://community.kaseya.com/xsp/f/28/p/23676/107069.aspx#107069) for the most part works, but line 5 of that script is not enabling the "Password must meet complexity requirements" in Windows 10 Local Security Policy.
Is this a PowerShell issue where that script does not have secedit built into the script to enable the feature, or am I potentially missing something? Here's my copy of the script.
Any help would be greatly appreciated in this matter.
Can you confirm that the secpol.cfg file is being created and populated with data?
Yes I can confirm the secpol.cfg file is being created. I created a copy of the procedure and deleted line 8 so that it would not delete the secpol.cfg file after running. It's a 17 KB file.
Try changing that line 5 executePowershell to executePowershellcommand32BitSystem or executePowershellcommand64BitSystem. It's not the first time that the executePowershell command has not worked properly.
I created two additional test procedures, one using the "executePowershellcommand32BitSystem" and the other using the "executePowershellcommand64BitSystem" as you suggested. I tried both procedures on 3 separate machines that are not on a domain; everything except line 5 is working in the procedure to enable the password complexity requirements. Any additional thoughts?
Never mind, the PS one-liner syntax has changed.
Try changing the PS one-liner to this: (gc #vAgentConfiguration.agentTempDir#\secpol.cfg) -replace 'PasswordComplexity = 0', 'PasswordComplexity = 1' | Out-File #vAgentConfiguration.agentTempDir#\secpol.cfg
After running that, open secpol.cfg with notepad and verify that PasswordComplexity has really changed from 0 to 1.
Made the change to the script as you suggested. After running it I checked the secpol.cfg file with notepad and PasswordComplexity is now shown as "PasswordComplexity = 1" from within notepad. Does this mean the script is in fact making the change despite local security policy still showing as disabled? Or is it still not working?
I just tried changing my password after running the script (after making the change to the script); it doesn't look like password complexity is enforced.
I dunno what's wrong on your end but I got it working after changing that PS one-liner syntax. Maybe try running those commands in the command line and see how they work there?
I was able to get the password complexity working right with the latest update. However, I am also trying to extend the script to include the rest of the password policy. The version attached works for everything except Lockout Window and Lockout Duration. Our goal is for the Window to be something significant like the 12 hours shown (people only log on a few times a day) and for the duration to be "until reset by an administrator". This is simple to configure in the GUI but even directly on the command line, I can't get a duration of 0 unless the window is also 0... Hopefully someone here will have an idea.
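The export, edit, import and re-export cycle discussed in this thread, as an added PowerShell example that is not taken from the original posts or from the Kaseya procedure: editing secpol.cfg changes only the file, so the check that matters is a fresh export after secedit /configure has imported it. The working folder, database file name and policy values are assumptions, and the commands need an elevated Windows PowerShell session.

```powershell
# Added example: apply password policy with secedit, then verify it took effect.
$desired = [ordered]@{
    MinimumPasswordLength = 12   # assumed value
    MaximumPasswordAge    = 90   # assumed value, in days
    PasswordComplexity    = 1    # 1 = "Password must meet complexity requirements" enabled
}
$work  = Join-Path $env:TEMP 'secpol-demo'     # hypothetical working folder
New-Item -ItemType Directory -Path $work -Force | Out-Null
$cfg   = Join-Path $work 'secpol.cfg'
$check = Join-Path $work 'secpol-after.cfg'
$db    = Join-Path $work 'secpol.sdb'          # scratch database used for the import

function Get-PolicyValues([string]$Path) {
    # Parse the "Key = Value" lines of an exported template into a hashtable.
    $map = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $map[$Matches[1]] = $Matches[2] }
    }
    return $map
}

# 1. Export the current local policy.
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

# 2. Rewrite each key whatever its old value was, so the edit does not
#    silently do nothing when the current value is not the one expected.
$text = Get-Content -Path $cfg
foreach ($key in $desired.Keys) {
    $text = $text -replace "^\s*$key\s*=.*$", "$key = $($desired[$key])"
}
# secedit exports UTF-16; write the file back in the same encoding.
$text | Out-File -FilePath $cfg -Encoding Unicode

# 3. Import the edited template. Without this step only the file has changed.
secedit /configure /db $db /cfg $cfg /areas SECURITYPOLICY | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }

# 4. Export again and compare the effective values with the desired ones.
secedit /export /cfg $check /areas SECURITYPOLICY | Out-Null
$after  = Get-PolicyValues $check
$failed = @($desired.Keys | Where-Object { $after[$_] -ne [string]$desired[$_] })

Remove-Item -Path $cfg, $check, $db -Force -ErrorAction SilentlyContinue
if ($failed.Count -gt 0) { throw "Not applied: $($failed -join ', ')" }
'Password policy applied and verified.'
```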