How do I export Account Lockout Policy or Password Policy in Windows via Powershell?

Question

Good Day!

I was trying to find a script or a guide on how to write one, to automate next actions

Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies / Local Policies >> Right Click on any policy >> Export Policy to .txt file

Can't find the solution, can someone guide me?

I was searching through JS, pyhton and VBScript forums, hoping someone had the same question. Thought there would be a book or a video with how to do so. Never Lucky.

Answer 1

If you can't install RSAT features on the client, use the [adsisearcher] to quickly query the domain root of the current user domain - it will hold a copy of the account lockout settings (threshold, window, and duration) - you just need to convert the values into something a bit more meaningful:

$domainRoot = ([adsisearcher]"(objectclass=domainDNS)").FindOne()

$propertySelectors = @(
  @{Name='MaxAttempts'; Expression = {$_.Properties['lockoutthreshold'][0]}}
  @{Name='LockoutDuration'; Expression = {[timespan]::FromTicks($_.Properties['lockoutduration'][0])}}
  @{Name='LockoutWindow'; Expression = {[timespan]::FromTicks($_.Properties['lockoutobservationwindow'][0])}}
)

$domainRoot |Select $propertySelectors

For a domain with a default account lockout policy with a threshold of 15 failed attempts over 30 minutes and a 2 hour lockout, the last statement should output something like:

MaxAttempts LockoutDuration LockoutWindow
----------- --------------- -------------
         15 -02:00:00       -00:30:00