
PowerShell script to report account lockout policy settings?


I have a few computers outside the network, not allowed to have the PS AD module installed.

All I want to do is use PowerShell to report some of the account lockout settings, specifically the lockout threshold, lockout duration, and whether this machine is locked out or not.

All I have found during my searches is info using the Active directory PS module. Also, other references dealing with remoteAccess. Neither of which fit my need.

I have also looked for registry keys related to the 'local' lockout settings but have not found anything (e.g. only refs to remoteaccess maxDenial; not the local setting).

Other than firing up gpedit and viewing the local policy, I was hoping there would be a way to use PowerShell to simply report the current local settings.

Anyway, help/pointers/knowledge would be greatly appreciated.


Solution

  • The discovery of this info, from 'net accounts,' ultimately worked for me, and I was able to write a script that quickly displayed the Lockout policy info. Here is the output from 'net accounts':

    PS C:\Users\Siduser> net accounts
    
    Force user logoff how long after time expires?:       0
    Minimum password age (days):                          1
    Maximum password age (days):                          60
    Minimum password length:                              14
    Length of password history maintained:                24
    Lockout threshold:                                    3
    Lockout duration (minutes):                           15
    Lockout observation window (minutes):                 15
    Computer role:                                        WORKSTATION
    The command completed successfully.
    

    This code snippet was created to get the info into a variable:

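    # Pick the "Lockout threshold" line out of the 'net accounts' output
    $lockoutObj = net accounts | Select-String threshold
    $lockoutStr = $lockoutObj.ToString()
    # The value is either a number of attempts or 'Never'.
    # A single -match avoids reading a stale $matches left by an earlier match.
    if ($lockoutStr -match '\d{1,3}|Never') { $LO_threshold = $matches[0] }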
    
    PS C:\Users\Siduser> echo $LO_threshold
    3
    

    If you need to set the lockout threshold use this command (elevated priv. needed):

    PS C:\Users\Siduser> net accounts /lockoutthreshold:10
    The command completed successfully
    
    PS C:\Users\Siduser> net accounts
    
    Force user logoff how long after time expires?:       0
    Minimum password age (days):                          1
    Maximum password age (days):                          60
    Minimum password length:                              14
    Length of password history maintained:                24
    Lockout threshold:                                    10
    Lockout duration (minutes):                           15
    Lockout observation window (minutes):                 15
    Computer role:                                        WORKSTATION
    The command completed successfully.
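
The same 'net accounts' parsing, generalized to all three lockout values and returned as one object; this is an added example, not code from the original answer. The function name `Get-LocalLockoutPolicy`, its property names and the sample lines are assumptions made for illustration, and the labels assume English-language output.

```powershell
# Added example: turn 'net accounts' text into an object with typed lockout values.
# Assumes English-language output; the labels are localized on other systems.
function Get-LocalLockoutPolicy {
    param(
        # Lines of 'net accounts' output. Defaults to running the command locally.
        [string[]]$Lines = (net accounts)
    )

    # Collect every "Label:   value" line into a lookup table. The status line
    # "The command completed successfully." has no colon and is skipped.
    $raw = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<label>.+?):\s+(?<value>\S.*)$') {
            $raw[$Matches['label'].Trim()] = $Matches['value'].Trim()
        }
    }

    # Numeric values become [int]; anything else (such as 'Never') stays text.
    $convert = {
        param($text)
        if ($text -match '^\d+$') { [int]$text } else { $text }
    }

    $threshold = & $convert $raw['Lockout threshold']
    [pscustomobject]@{
        LockoutThreshold         = $threshold
        LockoutDurationMinutes   = & $convert $raw['Lockout duration (minutes)']
        ObservationWindowMinutes = & $convert $raw['Lockout observation window (minutes)']
        # A non-numeric threshold ('Never') or 0 means accounts are never locked out.
        LockoutEnabled           = ($threshold -is [int] -and $threshold -gt 0)
    }
}

# Constructed sample input, following the shape of the output shown above.
$sample = @(
    'Force user logoff how long after time expires?:       0'
    'Lockout threshold:                                    Never'
    'Lockout duration (minutes):                           15'
    'Lockout observation window (minutes):                 15'
    'Computer role:                                        WORKSTATION'
    'The command completed successfully.'
)
Get-LocalLockoutPolicy -Lines $sample

# On a live machine, run it with no arguments, then list locked-out local accounts:
# Get-LocalLockoutPolicy
# Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True AND Lockout=True'
```

Lockout state belongs to an account, not to the computer, which is why the last commented line queries the local accounts through the `Win32_UserAccount` class.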