Powershell script to report account lockout policy settings?

Question

I have a few computers outside the network, not allowed to have the PS AD module installed.

All I want to do is use Powershell to report some of the account lockout settings, specifically the lockout threshold, lockout duration, and whether this machine is locked out or not.

All I have found during my searches is info using the Active directory PS module. Also, other references dealing with remoteAccess. Neither of which fit my need.

I have also looked for registry keys related to the 'local' lockout settings but have not found anything (E.g. only refs to remoteaccess maxDenial; not the local setting).

Other than firing up gpedit and viewing the local policy, I was hoping there would be a way to use Powershell to simply report the current local settings.

Anyway help/pointers/knowledge would be greatly appreciated.

If they are outside the network, how do you plan to reach them without a remote connection? As for this...'PS AD module installed.', and they don't need it installed to use AD cmdlets. As long as they can reach a DC or a machines with the RSAT tools installed /enabled, you can use implicit PowerShell Remoting to proxy the cmdlets in a running PowerShell session. This is a well-documnted thing, in docs/blogs/articles, all over the web. Otherwise, you need to leverage ADSI. — postanote, Feb 07 '20 at 22:18
@postanote...I reach them via sneakerNet. I walk to them. All I am asking: Is there a way to access this info with a simple PS script, without the ActiveDirectory module installed? I know where the info is via gpedit; can I read it via a PS script? Or grab it with a specific registry key/prop? Sounds like the answer is 'Not Possible'? — BentChainRing, Feb 09 '20 at 02:01
@postanote...They are running Win 10, PS5.1; no AD cmdlets available; the setup is very restricted. — BentChainRing, Feb 09 '20 at 02:11

score 5 · Accepted Answer · edited Dec 20 '22 at 21:48

The discovery of this info, from 'net accounts,' ultimately worked for me, and I was able to write a script that quickly displayed the Lockout policy info. Here is the output from 'net accounts':

PS C:\Users\Siduser> net accounts

Force user logoff how long after time expires?:       0
Minimum password age (days):                          1
Maximum password age (days):                          60
Minimum password length:                              14
Length of password history maintained:                24
Lockout threshold:                                    3
Lockout duration (minutes):                           15
Lockout observation window (minutes):                 15
Computer role:                                        WORKSTATION
The command completed successfully.

This code snippet was created to get the info into a variable:

$lockoutObj = net accounts | Select-string threshold
$lockoutStr = $lockoutObj.ToString()
$lockoutStr -match '\d{1,3}' | out-null
$lockoutStr -match 'Never' | out-null
$LO_threshold = $matches[0]

PS C:\Users\Siduser> echo $LO_threshold
3

If you need to set the lockout threshold use this command (elevated priv. needed):

PS C:\Users\Siduser> net accounts /lockoutthreshold:10
The command completed successfully

PS C:\Users\Siduser> net accounts

Force user logoff how long after time expires?:       0
Minimum password age (days):                          1
Maximum password age (days):                          60
Minimum password length:                              14
Length of password history maintained:                24
Lockout threshold:                                    10
Lockout duration (minutes):                           15
Lockout observation window (minutes):                 15
Computer role:                                        WORKSTATION
The command completed successfully.

postanote · Answer 2 · 2020-02-10T19:32:01.107

Ah, restricted, then, you are in a proverbial catch22.

Yet, if they are not part of the domain, then that means you or someone had to make these settings manually as well. So, I am not sure how AD cmdlet would have ever come up since these are not domain-joined machines and settings are in the local policy.

So, secedit.exe is your tool for this effort or leverage the PolicyFileEditor module in the MS powershellgallery.com and or one of the others.

Find-Module -Name '*policy*' | Format-Table -AutoSize

Version  Name                                          Repository Description                                                                                       
-------  ----                                          ---------- -----------                                                                                       
...
3.0.1    PolicyFileEditor                              PSGallery  Commands and DSC resource for modifying Administrative Templates settings in local GPO registry...
2.10.0.0 SecurityPolicyDsc                             PSGallery  This module is a wrapper around secedit.exe which provides the ability to configure user rights...
...
0.3      GPRegistryPolicy                              PSGallery  Module with cmdlets to work with GP Registry Policy .pol files                                    
0.2      GPRegistryPolicyParser                        PSGallery  Module with parser cmdlets to work with GP Registry Policy .pol files                             
1.1.0    GPRegistryPolicyDsc                           PSGallery  This resource module contains DSC resources used to apply and manage local group policies by mo...
...
1.0.1    GroupPolicyHelper                             PSGallery  Functions that ease your daily Group Policy Work                                                  
1.3.2    Indented.SecurityPolicy                       PSGallery  Security management functions and resources                                                       
...
1.0      ADPolicyAudit                                 PSGallery  Module to review infrastructure password policy

For Secedit.exe, there are several posts about such a use case and a quick web search using 'secedit lockout policy', would show you that. For example, you could end up with this sort of effort.

Clear-Host
$temp = "D:\temp"
$file = "$temp\pol.txt"
#[string] $readableNames

$outHash = @{}

$process = [diagnostics.process]::Start("secedit.exe", "/export /cfg $file /areas securitypolicy")
$process.WaitForExit()

$in = get-content $file

foreach ($line in $in) 
{
    if ($line -like "*password*" -or $line -like "*lockout*" -and $line -notlike "machine\*" -and $line -notlike "require*" ) 
    {
        $policy = $line.substring(0,$line.IndexOf("=") - 1)

        switch ($policy){
        "passwordhistorysize"   {$policy = "Enforce Password Policy"}
        "maximumpasswordage"    {$policy = "Maximum Password Age"}
        "minimumpasswordage"    {$policy = "Minimum Password Age"}
        "minimumpasswordlength" {$policy = "Minimum Password Length"}
        "passwordcomplexity"    {$policy = "Password must meet complexity requirements"}
        "cleartextpassword"     {$policy = "Store Passwords Using Reversible Encryption"}
        "lockoutduration"       {$policy = "Account Lockout Duration"}
        "lockoutbadaccount"     {$policy = "Account Lockout Threshold"}
        "resetlockoutcount"     {$policy = "Reset Account Lockout Counter After"}
        }

        $values = $line.substring($line.IndexOf("=") + 1,$line.Length - ($line.IndexOf("=") + 1))
        #$values =  $values.Trim({}) -split ","

        $outHash.Add($policy,$values) #output edited version
    }
}
$outHash | 
Format-Table -AutoSize

Powershell script to report account lockout policy settings?

2 Answers2