3

I need to automatically set the following local password policies on a number of standalone Windows 2008 Server machines:

Maximum password Age
Minimum password Length
Password must meet minimum complexity requirements

Are there registry settings for these settings? Googling around suggested the following keys:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]

Sadly they don't seem to apply to Windows 2008.

Kev

2 Answers

10

The items you want to change are stored in the registry, but not in a place that you really want to be playing around "by hand".

Since these aren't domain-member computers, you'll want to change these items in the local security policy. You can get there quickly by running "SECPOL.MSC" from the "Start" button. Dig into "Account Policies" and "Password Policy" and you'll find the settings you're looking for.

After you modify the settings either reboot or run "GPUPDATE" to cause the changed settings to take effect.

If you have any number of machines to do this to you can use the "Export Settings..." functionality in the Security Policy editor to export the settings to an INF file. To apply that INF file on other servers, copy the INF file over to them and execute:

    SECEDIT /configure /db secedit.sdb /cfg <Path to the exported.inf>

Evan Anderson
  • 2
    The developer in me initially read your answer and thought, "yeah yeah, just gimme the registry locations...". Then I watched the registry activity taking place when I updated some of these values in ProcMon. I see what you mean. This is very bloody handy. I have some code I wrote a while back to amend User Rights Assignments (via Win32 API/ADVAPI32.dll), it was fairly painful stuff. If I'd known I could do this back then it'd saved me some hair. Much appreciated. Maybe one day I'll get round to reading that big pile of Reskit books and learn some more shortcuts. – Kev Dec 07 '09 at 01:15
5

I think the right way to do this is to create a security template and apply it to each machine via secedit.exe

If it's only a few servers, you can edit the policy directly with local group policy via gpedit.msc under:
Computer Configuration->Windows Settings->Security Settings->Account Policies->Password Policies

EDIT: As always Evan is right. Just to clarify, here's the process

  • Configure one server with the security settings you want.
  • Export the security policy to a template, either using the mmc, or by using the following secedit command as an elevated administrator:

    secedit /export /cfg mytemplate.inf /log mylog.txt
  • Import the template by running this on each server:

    secedit /import /db secedit.sdb /cfg mytemplate.inf 

You can open up the inf file and delete the policies you don't want to import, i.e. in case they need to be different on each server, such as event log settings or privilege rights. Alternatively, you can use the /AREAS switch to import only part of the template, such as /areas SECURITYPOLICY.

Nick Kavadias
  • Nick thanks for the answer, gonna give Evan the green tick seeing as he got there first with the command line bits. But +1 though. – Kev Dec 07 '09 at 01:18
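
A minimal template carrying just the three settings from the question, applied with the `/configure` form from the first answer and read back with the `/export` form from the second (added example, not part of the original answers; the values 90, 12 and 1 and all file names are constructed samples):

```powershell
# Added example. Run from an elevated PowerShell prompt on the standalone server.
# Sample values and file names are constructed; adjust them to your own policy.
$work = Join-Path $env:TEMP 'pwpolicy'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf    = Join-Path $work 'pwpolicy.inf'
$db     = Join-Path $work 'pwpolicy.sdb'
$log    = Join-Path $work 'pwpolicy.log'
$verify = Join-Path $work 'verify.inf'

# Minimal security template: only the [System Access] keys that should change.
# Single-quoted here-string, so "$CHICAGO$" is written literally.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MaximumPasswordAge = 90
MinimumPasswordLength = 12
PasswordComplexity = 1
'@
Set-Content -Path $inf -Value $template -Encoding Unicode

# /configure applies the template to the machine; /areas SECURITYPOLICY keeps
# the run limited to account/local policy and leaves user rights, file and
# registry ACLs untouched.
secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /log $log
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed, see $log" }

# Export the effective policy and compare it with what was requested.
secedit /export /cfg $verify /areas SECURITYPOLICY | Out-Null
$expected = @{ MaximumPasswordAge = '90'; MinimumPasswordLength = '12'; PasswordComplexity = '1' }
$actual = @{}
foreach ($line in Get-Content $verify) {
    if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $actual[$matches[1]] = $matches[2] }
}
$bad = @($expected.Keys | Where-Object { $actual[$_] -ne $expected[$_] })
if ($bad.Count -gt 0) { throw ("Policy mismatch on: " + [string]::Join(', ', $bad)) }
'Password policy applied and verified.'
```

Keeping the template down to the keys you intend to manage means the same file can be pushed to every server without overwriting settings that legitimately differ between them.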