TinkeR45

Password Complexity (automatic)

Hello,

I'd like to automate the activation of the password complexity requirement (which is located in gpedit.msc). Could you help me? It's for a customised XP Pro CD.

Thanks


Hi,

I'm also searching for a solution to activate local group policies with a batch/cmd file.

I found a way to set the policies in the Windows registry, but when I'm using these reg keys, the policy is still disabled:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fDisableForcibleLogoff"=dword:00000001
"MaxDisconnectionTime"=dword:000493e0


For Group Policy settings under the GPEDIT.msc "Administrative Templates", follow this method:

1) Install XP - Customize your gpedit.msc by hand.

2) Copy the contents of this folder into your $OEM$ directory on the DVD.

C:\Windows\System32\GroupPolicy

XP_ROOT\$OEM$\$$\System32\GroupPolicy

3) Make ISO and test in VM. If done correctly the machine and user policies will be applied before first login.

I guess if someone wants to batch script the file copy instead of using the OEM folder that could work too. I prefer OEM folder as is less work. Remember to GPUPDATE /FORCE or REBOOT in your batch script. GPUPDATE /FORCE is not needed for OEM method, as the machine reboots automatically.

For Local Security Policies See Post #6

Edited by MrJinje


Hello,

First, I'd like to thank you both for your answers!

MrJinje, I tried your method but it didn't work. Here is what I did exactly:

-Launched gpedit.msc, change password settings then Exit.

-Copied the folder GroupPolicy from the system32 directory to myXpRoot\$OEM$\$$\system32

-Created a .iso with nLite

-Virtualized with Sun VirtualBox, but nothing happened; even after a gpupdate /force I could create a user with a basic password.

Also I found something about it here: http://www.hydre.org/drupal/node/14 (it's in French)

Basically it explains that the key concerning the password complexity is located in HKLM\SAM\SAM\Domains\Account\F, which is inaccessible without using psexec.

To see it, you'll have to type the following at the command line: psexec -s -i -d c:\windows\regedit.exe

Open the F key:

00000000 02 00 01 00 00 00 00 00 - 86 13 ff ee 53 4f c9 01 ..........ÿîSOÉ.
00000010 2d 00 00 00 00 00 00 00 - 00 c0 53 7d fb ee fc ff -........ÀS}ûîüÿ
00000020 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 80 ................
00000030 00 cc 1d cf fb ff ff ff - 00 cc 1d cf fb ff ff ff .Ì.Ïûÿÿÿ.Ì.Ïûÿÿÿ
00000040 00 00 00 00 00 00 00 00 - ec 03 00 00 00 00 00 00 ........ì.......
00000050 00 00 18 00 00 00 00 00 - 01 00 00 00 03 00 00 00 ................
00000060 01 00 00 00 01 00 01 00 - 01 00 00 00 38 00 00 00 ............8...
00000070 8e e1 10 7b 7b 28 30 53 - c9 a0 a2 98 e8 92 50 14 .á.{{(0SÉ ¢.è.P.
00000080 86 10 6a 00 42 46 39 7c - 73 ef d8 ed 63 94 07 d7 ..j.BF9|sïØíc..×
00000090 b1 38 60 64 b5 68 26 ac - 72 42 60 a0 82 41 98 7b ±8`dµh&¬rB` .A.{
000000a0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
000000b0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
000000c0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
000000d0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
000000e0 00 00 00 00 00 00 00 00 - 01 00 00 00 00 00 00 00 ................

The digit in red is the one that concerns the password complexity. If it's 0, no password complexity is required; if it's 1, password complexity is required.

I tried to export/import the modified .reg file but it didn't work either...

Edited by TinkeR45

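The F value quoted above is a fixed DOMAIN_ACCOUNT_F header followed by per-domain key material. As an added example that is not part of the original thread, the Python below parses that very dump using the layout documented by open-source SAM parsers (impacket's DOMAIN_ACCOUNT_F) and the MS-SAMR DOMAIN_PASSWORD_* flag values: the complexity setting is bit 0 (DOMAIN_PASSWORD_COMPLEX) of the PasswordProperties DWORD at offset 0x4C, which is 0 in this dump. It also decodes the neighbouring fields (minimum length, history, maximum age, lockout values, next RID) that share the same blob, which is why patching F by hand is fragile compared with secedit: the data is binary, the hive is readable only as SYSTEM (hence psexec -s), and one wrong byte corrupts the whole account policy. The patching function only returns a modified copy; nothing here writes to the registry.

```python
"""Decode the SAM\\SAM\\Domains\\Account\\F value (DOMAIN_ACCOUNT_F) and locate
the password-complexity bit.  Pure byte manipulation; nothing touches the registry."""
import struct
from datetime import datetime, timedelta, timezone

# The hex dump posted above, offset column and ASCII gutter removed, cut after the
# first 0x70 bytes (what follows is per-domain key material, not policy).
F_DUMP = """
02 00 01 00 00 00 00 00 86 13 ff ee 53 4f c9 01
2d 00 00 00 00 00 00 00 00 c0 53 7d fb ee fc ff
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80
00 cc 1d cf fb ff ff ff 00 cc 1d cf fb ff ff ff
00 00 00 00 00 00 00 00 ec 03 00 00 00 00 00 00
00 00 18 00 00 00 00 00 01 00 00 00 03 00 00 00
01 00 00 00 01 00 01 00 01 00 00 00 38 00 00 00
"""

# Fixed 0x60-byte header of DOMAIN_ACCOUNT_F, little-endian, in the layout used by
# open-source SAM parsers (impacket's DOMAIN_ACCOUNT_F).  Relative times are signed.
HEADER = struct.Struct("<LLQQqqqqqQLLHHHHLHH")
FIELDS = (
    "Revision", "Unknown", "CreationTime", "DomainModifiedCount",
    "MaxPasswordAge", "MinPasswordAge", "ForceLogoff", "LockoutDuration",
    "LockoutObservationWindow", "ModifiedCountAtLastPromotion", "NextRid",
    "PasswordProperties", "MinPasswordLength", "PasswordHistoryLength",
    "LockoutThreshold", "Unknown2", "ServerState", "ServerRole",
    "UasCompatibilityRequired",
)
PASSWORD_PROPERTIES_OFFSET = 0x4C  # DWORD of DOMAIN_PASSWORD_* flags (MS-SAMR)
DOMAIN_PASSWORD_COMPLEX = 0x00000001
DOMAIN_PASSWORD_NO_ANON_CHANGE = 0x00000002
DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x00000004
DOMAIN_LOCKOUT_ADMINS = 0x00000008
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x00000010
DOMAIN_REFUSE_PASSWORD_CHANGE = 0x00000020
NEVER = -(1 << 63)  # 0x8000000000000000 in a relative-time field means "never"


def hexdump_to_bytes(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))


def interval_seconds(value: int):
    """Relative SAM times are negative counts of 100 ns; INT64_MIN means never."""
    return None if value == NEVER else -value / 10_000_000


def to_unit(value: int, divisor: float):
    seconds = interval_seconds(value)
    return None if seconds is None else seconds / divisor


def filetime_to_datetime(ft: int) -> datetime:
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_domain_f(blob: bytes) -> dict:
    """Return the account policy encoded in an F value as a plain dict."""
    if len(blob) < HEADER.size:
        raise ValueError(f"F value too short: {len(blob)} bytes, need {HEADER.size}")
    raw = dict(zip(FIELDS, HEADER.unpack_from(blob, 0)))
    props = raw["PasswordProperties"]
    return {
        "created": filetime_to_datetime(raw["CreationTime"]),
        "next_rid": raw["NextRid"],
        "min_password_length": raw["MinPasswordLength"],
        "password_history_length": raw["PasswordHistoryLength"],
        "max_password_age_days": to_unit(raw["MaxPasswordAge"], 86400),
        "min_password_age_days": to_unit(raw["MinPasswordAge"], 86400),
        "force_logoff_seconds": interval_seconds(raw["ForceLogoff"]),
        "lockout_threshold": raw["LockoutThreshold"],
        "lockout_duration_minutes": to_unit(raw["LockoutDuration"], 60),
        "lockout_window_minutes": to_unit(raw["LockoutObservationWindow"], 60),
        "password_properties": props,
        "complexity_required": bool(props & DOMAIN_PASSWORD_COMPLEX),
    }


def set_password_complexity(blob: bytes, enabled: bool) -> bytes:
    """Return a copy of the F value with DOMAIN_PASSWORD_COMPLEX set or cleared."""
    buf = bytearray(blob)
    (props,) = struct.unpack_from("<L", buf, PASSWORD_PROPERTIES_OFFSET)
    props = (props | DOMAIN_PASSWORD_COMPLEX) if enabled else (props & ~DOMAIN_PASSWORD_COMPLEX)
    struct.pack_into("<L", buf, PASSWORD_PROPERTIES_OFFSET, props & 0xFFFFFFFF)
    return bytes(buf)


if __name__ == "__main__":
    for name, value in parse_domain_f(hexdump_to_bytes(F_DUMP)).items():
        print(f"{name:26} {value}")
```

Run as a script it prints the decoded policy for the posted dump: complexity off, minimum length 0, history 24, maximum age 999 days, 30-minute lockout duration and window, next RID 1004. The same decoder works on an F value exported with reg.exe or pulled from an offline SAM hive, which is the safer way to inspect the policy than opening regedit as SYSTEM.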

I believe you can do this using the windows built in secedit.exe tool


Iceman is right, the password setting is part of the local security policy and not part of the "Administrative Templates"

Here is the default policy, I was able to edit the file and import it via secedit.exe

C:\WINDOWS\security\templates\Setup Security.inf

Make a copy of Setup Security.inf, rename the copy secedited.inf, and change this setting from this.

PasswordComplexity = 0
to this
PasswordComplexity = 1
Edit this command to suit your file names/paths. It should be possible to schedule this via RunOnceEx in your WINNT.SIF:

secedit.exe /configure /cfg C:\secedited.inf /db C:\WINDOWS\security\Database\secedited.db /quiet

The above command expects the file to be at XP_ROOT\$OEM$\$1\secedited.inf.

The secedited.db file did not exist until after I ran this script, so don't ask where to find it, the script is creating it. If that doesn't work, re-run it without the /QUIET and report back any error.

Edited by MrJinje


Thanks a lot that worked fine!

I integrated the command in a .bat file launched by my cmdlines.txt:

@echo off

REM import registry file ie_title.reg silently
start /wait regedit.exe /s ie_title.reg

REM create the administrator account and apply compte.reg
net user "Admin" "info-logic" /add
net localgroup Administrateurs "Admin" /add
start /wait regedit.exe /s compte.reg

REM create the standard user account
net user "PC1" /add
net localgroup "Utilisateurs" "PC1" /add

REM stop the Remote Registry service
net stop RemoteRegistry

REM apply the edited security template, then delete it
secedit.exe /configure /cfg %systemdrive%\secedited.inf /db C:\WINDOWS\security\Database\secedited.db /quiet
del /Q %systemdrive%\secedited.inf

But I have a new problem now: before that, I could see both users (Admin and PC1); now I can only see Admin. PC1 seems to be created but I can't log in with it anymore, I have no choice but Admin.

Edited by TinkeR45


Go into Computer Management > Users and Groups > and double click on user PC1 - Tell me if that account is currently "disabled", if so here is easy fix.

net user PC1 /active:yes

If it works, then add that to your batch file.

Guess the "Setup Security.inf" had a few extra settings in it I wasn't expecting. If I remember right, there was a setting that creates all accounts as disabled by default. Instead of activating each account, another option might be to find that setting in the .INF file, change it there, so accounts don't get disabled by default.

Edited by MrJinje

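MrJinje's procedure imports an edited copy of the whole Setup Security.inf, and his follow-up notes that the file carries many settings besides the password policy, which is how unexpected account side effects can creep in. As an added example (not the posters' own files or commands), the Python below shows the narrower alternative: parse a template, keep only the password-related keys of its [System Access] section, validate them against the ranges secedit accepts on XP, write the result as the UTF-16LE file that Unicode=yes declares, and compose a secedit command restricted to the SECURITYPOLICY area. SAMPLE_TEMPLATE is a constructed excerpt in the shape of an XP template, not a copy of a real Setup Security.inf, and the C:\pwpolicy.* paths are hypothetical.

```python
"""Build a minimal secedit template that carries only the password policy,
instead of re-applying everything in Setup Security.inf."""

# Constructed excerpt in the shape of an XP security template (not copied from a
# real system); only the [System Access] keys matter here.
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# [System Access] keys that make up the password policy, with the ranges secedit
# accepts for them on XP (-1 for MaximumPasswordAge means "never expires").
PASSWORD_KEYS = {
    "MinimumPasswordAge": (0, 998),
    "MaximumPasswordAge": (-1, 999),
    "MinimumPasswordLength": (0, 14),
    "PasswordComplexity": (0, 1),
    "PasswordHistorySize": (0, 24),
    "ClearTextPassword": (0, 1),
}


def parse_inf(text: str) -> dict:
    """Return {section: [(key, value), ...]}, keeping order; values may contain '='."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"key before any section header: {line!r}")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        sections[current].append((key.strip(), value.strip()))
    return sections


def build_password_policy(template_text: str, overrides: dict) -> dict:
    """Take the password keys from a template's [System Access], apply overrides,
    validate the ranges and return the resulting key/value mapping."""
    unknown = set(overrides) - set(PASSWORD_KEYS)
    if unknown:
        raise ValueError(f"not a password policy key: {sorted(unknown)}")
    base = dict(parse_inf(template_text).get("System Access", []))
    base.update({k: str(v) for k, v in overrides.items()})
    policy = {}
    for key, (low, high) in PASSWORD_KEYS.items():
        if key not in base:
            continue
        value = int(base[key])
        if not low <= value <= high:
            raise ValueError(f"{key}={value} outside secedit range {low}..{high}")
        policy[key] = str(value)
    return policy


def render_template(policy: dict) -> str:
    """Emit a complete template: header sections plus one [System Access] block."""
    lines = ["[Unicode]", "Unicode=yes", "[Version]", 'signature="$CHICAGO$"',
             "Revision=1", "[System Access]"]
    lines += [f"{key} = {value}" for key, value in policy.items()]
    return "\r\n".join(lines) + "\r\n"


def write_template(path: str, text: str) -> None:
    """Unicode=yes declares UTF-16LE, so write a BOM followed by that encoding."""
    with open(path, "wb") as fh:
        fh.write(b"\xff\xfe" + text.encode("utf-16-le"))


def secedit_command(inf_path: str, db_path: str, log_path: str) -> str:
    """Command line applying only the SECURITYPOLICY area from the template."""
    return (f'secedit /configure /db "{db_path}" /cfg "{inf_path}" '
            f'/areas SECURITYPOLICY /log "{log_path}"')


if __name__ == "__main__":
    policy = build_password_policy(
        SAMPLE_TEMPLATE, {"PasswordComplexity": 1, "MinimumPasswordLength": 8})
    print(render_template(policy))
    print(secedit_command(r"C:\pwpolicy.inf",
                          r"C:\WINDOWS\security\Database\pwpolicy.sdb",
                          r"C:\WINDOWS\security\Logs\pwpolicy.log"))
```

The generated template contains nothing but the password keys, so a RunOnceEx or cmdlines.txt step that applies it cannot disturb account, audit or registry settings the way re-importing the whole Setup Security.inf can. Dropping /quiet and keeping /log gives a file to read when the import fails, as MrJinje suggests for troubleshooting.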

That sounds very good, I'll also try it when I'm on my testing environment.

Thank you very much.

Edited by HØLLØW


Hi guys,

is there an option in the "security.inf" file to set the following policies:

- Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services -> "Deny logoff of an administrative account"

- Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services -> Sessions -> "Time limit for disconnected sessions"

Edited by HØLLØW


No, the "Administrative Templates" settings of GPEDIT.msc are contained in the C:\Windows\System32\GroupPolicy folder. Use the method listed in the third post.

That method didn't work for the OP because I failed to remember that the local security policy (SECPOL.msc) is included inside GPEDIT.msc. See my second post. It should work for you, since both of your settings are "Group Policies" per se.


The user PC1 was already enabled. I checked the file secedited.inf but I didn't find anything. I first thought that PC1 (no password for it) couldn't work because of the password complexity and the minimum length required for it (7 here). But the password for Admin is "info-logic", so okay, it's more than 7, but I don't think it respects the complexity rule either.

UPDATE: Okay, when I restart the computer, the user PC1 finally appeared. But I'd like to have this user available in the first log on.

Edited by TinkeR45


In fact, it depends: sometimes PC1 appeared after a reboot, sometimes not.

But never mind, what I want is to have the choice at the first login between Admin and PC1. Please, someone? MrJinje ;p

