Configure temporary account lockout using PowerShell

1

My Windows 8.1 laptop does not have gpedit.msc. I want to configure my laptop so that the account is locked for 15 mins if anyone enters the wrong password three times.

I have found some web pages with links to install gpedit, but I am not sure I can trust the source of the download.

Is there a way to accomplish this without gpedit using a PowerShell script?

user584583

Posted 2015-01-29T19:43:34.827

Reputation: 13

Answers

1

This is a bit tricky because those settings are stored in the SAM part of the registry, which is not easily available to a script or users. The settings are in binary format in

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\F]

One way to change this is to create a text file like C:\NewLockoutSettings.txt with this content:

 [Unicode]
 Unicode=yes
 [Version]
 signature="$CHICAGO$"
 Revision=1
 [System Access]
 LockoutBadCount = 3
 ResetLockoutCount = 15
 LockoutDuration = 15

Then use the file as the input for secedit.exe like this:

 secedit.exe /configure /db "secedit.sdb" /cfg C:\NewLockoutSettings.txt

The text file is called a security template and you apply it against the standard security database.

Of course you have to run this as an elevated administrator, and I would test this on a VM before applying it on a production machine.

Peter Hahndorf

Posted 2015-01-29T19:43:34.827

Reputation: 10 677

Impressive hack. I think I might stick with gpedit.msc; I might be able to get gpedit.msc off of a friend's computer. – user584583 – 2015-01-30T02:21:08.113
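
The secedit procedure from the answer above, scripted end to end as an added example that is not part of the original answer: it writes the same security template, applies it, then exports the effective policy and checks that the three lockout values took effect. The working folder under `%TEMP%`, the file and variable names, and the `/areas SECURITYPOLICY` restriction are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the answer's lockout template with secedit, then verify it.
# The working folder, file names and variable names are assumptions of this example.

$want = [ordered]@{
    LockoutBadCount   = 3    # failed logons before the account locks
    ResetLockoutCount = 15   # minutes until the failed-logon counter resets
    LockoutDuration   = 15   # minutes the account stays locked
}

$work     = Join-Path $env:TEMP 'lockout-policy'
$template = Join-Path $work 'NewLockoutSettings.inf'
$database = Join-Path $work 'lockout.sdb'
$export   = Join-Path $work 'current.inf'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Build the security template from the answer; [Unicode] templates are saved as UTF-16.
$lines  = '[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[System Access]'
$lines += $want.GetEnumerator() | ForEach-Object { '{0} = {1}' -f $_.Key, $_.Value }
Set-Content -Path $template -Value $lines -Encoding Unicode

# Apply the template. /areas SECURITYPOLICY limits the change to account and
# local policy, so nothing else (user rights, services, file ACLs) is processed.
& secedit.exe /configure /db $database /cfg $template /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) {
    # The export below is the authoritative check, so only warn here.
    Write-Warning "secedit /configure returned exit code $LASTEXITCODE"
}

# Export the policy now in effect and read back its Name = Value lines.
& secedit.exe /export /cfg $export /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

$current = @{}
Get-Content -Path $export | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $current[$Matches[1]] = $Matches[2] }
}

# Fail loudly if any of the three values is missing or different.
$mismatch = $want.Keys | Where-Object { $current[$_] -ne [string]$want[$_] }
if ($mismatch) { throw "Lockout policy not applied for: $($mismatch -join ', ')" }

'Lockout policy verified: ' + (($want.Keys | ForEach-Object { "$_=$($current[$_])" }) -join ', ')
```

Save it as a `.ps1` file and run it from an elevated PowerShell prompt; the exported `current.inf` stays in the working folder as a record of the policy after the change.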