Powershell script to report account lockout policy settings?

I have a few machines on an external network on which I am not allowed to install the PSAD module.

I just want to use PowerShell to report some of the account lockout settings, specifically the lockout threshold, the lockout duration, and whether this machine is locked.

Everything I found while searching uses the Active Directory PS module. There are also other references that involve remote access. Neither fits my needs.

I also looked for registry keys related to the 'local' lockout settings but found nothing (e.g., only references to remoteaccess maxDenial; not the local setting).

Apart from launching gpedit and looking at the local policy, I'd like a way to simply report the current local settings using PowerShell.

Any help/pointers/knowledge would be greatly appreciated.

Ah, restricted, then you are in the proverbial trap.

But if they are not part of a domain, that means you or someone else must also have made these settings manually. So I'm not sure how the AD cmdlets come into it, since these are not domain-joined machines and the settings are in local policy.

So secedit.exe is the tool for this job, or leverage the PolicyFileEditor module from the MS powershellgallery.com and/or other modules.

Find-Module -Name '*policy*' | Format-Table -AutoSize

Version  Name                                          Repository Description                                                                                       
-------  ----                                          ---------- -----------                                                                                       
...
3.0.1    PolicyFileEditor                              PSGallery  Commands and DSC resource for modifying Administrative Templates settings in local GPO registry...
2.10.0.0 SecurityPolicyDsc                             PSGallery  This module is a wrapper around secedit.exe which provides the ability to configure user rights...
...
0.3      GPRegistryPolicy                              PSGallery  Module with cmdlets to work with GP Registry Policy .pol files                                    
0.2      GPRegistryPolicyParser                        PSGallery  Module with parser cmdlets to work with GP Registry Policy .pol files                             
1.1.0    GPRegistryPolicyDsc                           PSGallery  This resource module contains DSC resources used to apply and manage local group policies by mo...
...
1.0.1    GroupPolicyHelper                             PSGallery  Functions that ease your daily Group Policy Work                                                  
1.3.2    Indented.SecurityPolicy                       PSGallery  Security management functions and resources                                                       
...
1.0      ADPolicyAudit                                 PSGallery  Module to review infrastructure password policy 

As for Secedit.exe, there are several posts on this kind of use case, and a quick web search using 'secedit lockout policy' would show you that. For example, you could end up with this sort of effort:

Clear-Host
$temp = "D:\temp"              # export directory; must already exist
$file = "$temp\pol.txt"

$outHash = @{}

# Export the local security policy (needs an elevated prompt); the file is UTF-16 INI text
$process = [diagnostics.process]::Start("secedit.exe", "/export /cfg $file /areas securitypolicy")
$process.WaitForExit()

$in = Get-Content $file

foreach ($line in $in)
{
    # keep the password/lockout keys of [System Access]; skip MACHINE\ registry values and Require* keys
    # (the parentheses matter: -and binds tighter than -or)
    if (($line -like "*password*" -or $line -like "*lockout*") -and $line -notlike "machine\*" -and $line -notlike "require*")
    {
        $policy = $line.Substring(0, $line.IndexOf("=")).Trim()   # key name, e.g. LockoutBadCount

        switch ($policy){
        "passwordhistorysize"   {$policy = "Enforce Password History"}
        "maximumpasswordage"    {$policy = "Maximum Password Age"}
        "minimumpasswordage"    {$policy = "Minimum Password Age"}
        "minimumpasswordlength" {$policy = "Minimum Password Length"}
        "passwordcomplexity"    {$policy = "Password must meet complexity requirements"}
        "cleartextpassword"     {$policy = "Store Passwords Using Reversible Encryption"}
        "lockoutduration"       {$policy = "Account Lockout Duration"}
        "lockoutbadcount"       {$policy = "Account Lockout Threshold"}   # the secedit key is LockoutBadCount
        "resetlockoutcount"     {$policy = "Reset Account Lockout Counter After"}
        }

        $values = $line.Substring($line.IndexOf("=") + 1).Trim()     # everything after "="

        $outHash[$policy] = $values   # indexer assignment does not throw on a repeated key
    }
}
$outHash |
Format-Table -AutoSize

Finding this information via 'net accounts' ended up working for me, and I was able to write a script to quickly display the lockout policy information. This is the output of 'net accounts':

PS C:\Users\Siduser> net accounts

Force user logoff how long after time expires?:       0
Minimum password age (days):                          1
Maximum password age (days):                          60
Minimum password length:                              14
Length of password history maintained:                24
Lockout threshold:                                    3
Lockout duration (minutes):                           15
Lockout observation window (minutes):                 15
Computer role:                                        WORKSTATION
The command completed successfully.

Created this snippet to put the information into a variable:

$lockoutObj = net accounts | Select-String threshold   # the "Lockout threshold:" line (a MatchInfo object)
$lockoutStr = $lockoutObj.ToString()
$lockoutStr -match '\d{1,3}' | Out-Null                # first run of digits on that line is the value
$LO_threshold = $matches[0]

PS C:\Users\Siduser> echo $LO_threshold
3

If you need to set the lockout threshold, use this command (requires elevation):

PS C:\Users\Siduser> net accounts /lockoutthreshold:10
The command completed successfully

PS C:\Users\Siduser> net accounts

Force user logoff how long after time expires?:       0
Minimum password age (days):                          1
Maximum password age (days):                          60
Minimum password length:                              14
Length of password history maintained:                24
Lockout threshold:                                    10
Lockout duration (minutes):                           15
Lockout observation window (minutes):                 15
Computer role:                                        WORKSTATION
The command completed successfully.
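An added example that is not code from either answer above: it builds on the secedit.exe approach of the first answer, reads the three lockout keys from the [System Access] section of the export, and flags values outside a baseline. The function name, the baseline parameters and the temp-file naming are my assumptions; the secedit key names (LockoutBadCount, LockoutDuration, ResetLockoutCount) are the same on every Windows language, unlike the localized 'net accounts' output the second answer parses.

```powershell
# Added example, not from the original post; run from an elevated prompt. Baselines are assumptions.
function Get-LocalLockoutPolicy {
    [CmdletBinding()]
    param(
        [int]$MinThreshold = 1,          # assumed baseline: 0 means account lockout is disabled
        [int]$MaxThreshold = 10,         # assumed baseline: larger values rarely ever trigger
        [int]$MinDurationMinutes = 15    # assumed baseline for duration and observation window
    )
    $cfg = Join-Path $env:TEMP ("secpol_{0}.inf" -f [guid]::NewGuid())
    $sysAccess = @{}
    try {
        $null = & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet
        if (-not (Test-Path $cfg)) { throw "secedit export failed; run from an elevated prompt" }
        # Keep only "Key = Value" lines that sit inside the [System Access] section
        $inSection = $false
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
            if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $sysAccess[$Matches[1]] = $Matches[2] }
        }
    }
    finally {
        Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue   # do not leave the policy dump behind
    }
    # Missing keys are reported as $null; a missing threshold key is treated as 0 (no lockout)
    $get = { param($k) if ($sysAccess.ContainsKey($k)) { [int]$sysAccess[$k] } else { $null } }
    $threshold = & $get 'LockoutBadCount'
    if ($null -eq $threshold) { $threshold = 0 }
    $duration  = & $get 'LockoutDuration'     # -1 in the export means locked until an administrator unlocks
    $window    = & $get 'ResetLockoutCount'
    $findings = @()
    if ($threshold -lt $MinThreshold) { $findings += "lockout disabled (LockoutBadCount=$threshold)" }
    elseif ($threshold -gt $MaxThreshold) { $findings += "threshold $threshold exceeds baseline $MaxThreshold" }
    if ($threshold -gt 0 -and $null -ne $duration -and $duration -ge 0 -and $duration -lt $MinDurationMinutes) { $findings += "duration $duration min is below baseline $MinDurationMinutes" }
    if ($threshold -gt 0 -and $null -ne $window -and $window -lt $MinDurationMinutes) { $findings += "observation window $window min is below baseline $MinDurationMinutes" }
    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        LockoutThreshold         = $threshold
        LockoutDurationMinutes   = $duration
        ObservationWindowMinutes = $window
        LockoutEnabled           = ($threshold -gt 0)
        Findings                 = $findings
    }
}

Get-LocalLockoutPolicy | Format-List
```

Because the result is an object rather than text, it can be exported with Export-Csv from each external machine and compared centrally without the AD module.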