TinkeR45, posted November 24, 2009

Hello,

I'd like to automate the activation of the password complexity setting (which is located in gpedit.msc). Could you help me? It's for a customised XP Pro CD.

Thanks

HØLLØW, posted November 25, 2009

Hi,

I'm also searching for a solution to activate local group policies with a batch / cmd file.

I found a way to set the policies in the Windows registry, but when I'm using these reg keys, the policy is still disabled:

```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fDisableForcibleLogoff"=dword:00000001
"MaxDisconnectionTime"=dword:000493e0
```

MrJinje, posted November 25, 2009 (edited November 30, 2009 by MrJinje)

For Group Policy settings under the GPEDIT.msc "Administrative Templates", follow this method:

1) Install XP - Customize your gpedit.msc by hand.
2) Copy the contents of this folder into your $OEM$ directory on the DVD.

```
C:\Windows\System32\GroupPolicy
XP_ROOT\$OEM$\$$\System32\GroupPolicy
```

3) Make ISO and test in VM. If done correctly the machine and user policies will be applied before first login.

I guess if someone wants to batch script the file copy instead of using the OEM folder that could work too. I prefer OEM folder as is less work. Remember to GPUPDATE /FORCE or REBOOT in your batch script. GPUPDATE /FORCE is not needed for OEM method, as the machine reboots automatically.

For Local Security Policies see Post #6.

TinkeR45, posted November 26, 2009 (edited November 26, 2009 by TinkeR45)

Hello,

First, I'd like to thank you both for your answers!

MrJinje, I tried your method but it didn't work. Here is what I did exactly:

- Launched gpedit.msc, changed password settings, then Exit.
- Copied the folder GroupPolicy from the system32 directory to myXpRoot\$OEM$\$$\system32
- Created a .iso with nLite
- Virtualized with Sun VirtualBox, but nothing happened; even after a gpupdate /force I could create a user with a basic password.

Also I found something about it here: http://www.hydre.org/drupal/node/14 (it's in French)

Basically it explains that the key concerning the password complexity is located in HKLM\SAM\SAM\Domains\Account\F, which is inaccessible without using psexec.

To see it, you'll have to type this on the command line:

```
psexec -s -i -d c:\windows\regedit.exe
```

Open the F key:

```
00000000 02 00 01 00 00 00 00 00 - 86 13 ff ee 53 4f c9 01 ..........ÿîSOÉ.
00000010 2d 00 00 00 00 00 00 00 - 00 c0 53 7d fb ee fc ff -........ÀS}ûîüÿ
00000020 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 80 ................
00000030 00 cc 1d cf fb ff ff ff - 00 cc 1d cf fb ff ff ff .Ì.Ïûÿÿÿ.Ì.Ïûÿÿÿ
00000040 00 00 00 00 00 00 00 00 - ec 03 00 00 00 00 00 00 ........ì.......
00000050 00 00 18 00 00 00 00 00 - 01 00 00 00 03 00 00 00 ................
00000060 01 00 00 00 01 00 01 00 - 01 00 00 00 38 00 00 00 ............8...
00000070 8e e1 10 7b 7b 28 30 53 - c9 a0 a2 98 e8 92 50 14 .á.{{(0SÉ ¢.è.P.
00000080 86 10 6a 00 42 46 39 7c - 73 ef d8 ed 63 94 07 d7 ..j.BF9|sïØíc..×
00000090 b1 38 60 64 b5 68 26 ac - 72 42 60 a0 82 41 98 7b ±8`dµh&¬rB` .A.{
000000a0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
000000b0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
000000c0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
000000d0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
000000e0 00 00 00 00 00 00 00 00 - 01 00 00 00 00 00 00 00 ................
```

The digit in red is the one that concerns the password complexity. If it's 0 => no pw complexity required, if 1 => pw complexity required.

I tried to export/import the modified .reg file but it didn't work either...

IcemanND, posted November 26, 2009

I believe you can do this using the windows built in secedit.exe tool

MrJinje, posted November 26, 2009 (edited November 26, 2009 by MrJinje)

> MrJinje, I tried your method but it didn't work. Here is what I did exactly:
> - Launched gpedit.msc, changed password settings, then Exit.
> - Copied the folder GroupPolicy from the system32 directory to myXpRoot\$OEM$\$$\system32
> - Created a .iso with nLite
> - Virtualized with Sun VirtualBox, but nothing happened; even after a gpupdate /force I could create a user with a basic password.

Iceman is right, the password setting is part of the local security policy and not part of the "Administrative Templates".

Here is the default policy, I was able to edit the file and import it via secedit.exe:

```
C:\WINDOWS\security\templates\Setup Security.inf
```

Make a copy of Setup Security.inf, rename the copy secedited.inf, and change this setting from this.

```
PasswordComplexity = 0
```

to this

```
PasswordComplexity = 1
```

Edit this command to suit your file names/paths. Should be able to schedule this via RunOnceEx in your WINNT.SIF

```
secedit.exe /configure /cfg C:\secedited.inf /db C:\WINDOWS\security\Database\secedited.db /quiet
```

Above script expects the file to be here: XP_ROOT\$OEM$\$1\secedited.inf.

The secedited.db file did not exist until after I ran this script, so don't ask where to find it, the script is creating it. If that doesn't work, re-run it without the /QUIET and report back any error.

TinkeR45, posted November 27, 2009 (edited November 27, 2009 by TinkeR45)

Thanks a lot, that worked fine!

I integrated the command in a .bat file launched by my cmdlines.txt:

```
@echo off
start /wait regedit.exe /s ie_title.reg
rem Create the accounts; the group names are the French localized ones
net user "Admin" "info-logic" /add
net localgroup Administrateurs "Admin" /add
start /wait regedit.exe /s compte.reg
net user "PC1" /add
net localgroup "Utilisateurs" "PC1" /add
net stop RemoteRegistry
rem Import the edited security template, then delete it from the system drive
secedit.exe /configure /cfg %systemdrive%\secedited.inf /db C:\WINDOWS\security\Database\secedited.db /quiet
del /Q %systemdrive%\secedited.inf
```

But I have a new problem now: before that, I could see both users (Admin and PC1), now I can only see Admin. PC1 seems to be created but I can't log in with it anymore, I have no choice but Admin.

MrJinje, posted November 27, 2009 (edited November 27, 2009 by MrJinje)

Go into Computer Management > Users and Groups > and double click on user PC1 - Tell me if that account is currently "disabled", if so here is easy fix.

```
net user PC1 /active:yes
```

If it works, then add that to your batch file. Guess the "Setup Security.inf" had a few extra settings in it I wasn't expecting. If I remember right, there was a setting that creates all accounts as disabled by default. Instead of activating each account, another option might be to find that setting in the .INF file, change it there, so accounts don't get disabled by default.

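An added example, not from any poster in this thread: a batch script that builds a template holding only the PasswordComplexity setting discussed in the posts above, applies it with secedit.exe, then exports the policy to confirm the value. The file names and the choice to limit the template to one setting are assumptions; the posts above import an edited copy of the full Setup Security.inf instead.

```bat
@echo off
rem Added example, not from the thread. All file names below are assumptions.
setlocal
set "TPL=%TEMP%\pwcomplex.inf"
set "OUT=%TEMP%\pwcomplex_check.inf"
set "LOG=%TEMP%\pwcomplex.log"
set "DB=%SystemRoot%\security\Database\pwcomplex.sdb"

rem 1) Write a template that carries only the password-complexity setting,
rem    so no other value from Setup Security.inf is applied with it.
> "%TPL%" echo [Unicode]
>>"%TPL%" echo Unicode=yes
>>"%TPL%" echo [Version]
>>"%TPL%" echo signature="$CHICAGO$"
>>"%TPL%" echo Revision=1
>>"%TPL%" echo [System Access]
>>"%TPL%" echo PasswordComplexity = 1

rem 2) Apply it. /areas SECURITYPOLICY limits the run to account and local
rem    policy; /log keeps the details that /quiet hides from the console.
secedit.exe /configure /db "%DB%" /cfg "%TPL%" /areas SECURITYPOLICY /log "%LOG%" /quiet
if errorlevel 1 (
    echo secedit /configure reported a problem, see %LOG%
    exit /b 1
)

rem 3) Export the policy now in effect and check the value. The export is a
rem    Unicode file, so it is piped through TYPE before FINDSTR reads it.
secedit.exe /export /cfg "%OUT%" /areas SECURITYPOLICY /quiet
type "%OUT%" | findstr /r /c:"^PasswordComplexity *= *1" >nul
if errorlevel 1 (
    echo PasswordComplexity is NOT enabled
    exit /b 2
)
echo PasswordComplexity is enabled

rem 4) Remove the working files so the template does not stay on disk.
del /q "%TPL%" "%OUT%"
endlocal
```

The non-zero exit codes let a calling setup script stop or log when the policy did not take effect, instead of finding out later that a simple password is still accepted.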
HØLLØW, posted November 29, 2009 (edited November 29, 2009 by HØLLØW)

>> MrJinje, I tried your method but it didn't work. Here is what I did exactly:
>> - Launched gpedit.msc, changed password settings, then Exit.
>> - Copied the folder GroupPolicy from the system32 directory to myXpRoot\$OEM$\$$\system32
>> - Created a .iso with nLite
>> - Virtualized with Sun VirtualBox, but nothing happened; even after a gpupdate /force I could create a user with a basic password.
>
> Iceman is right, the password setting is part of the local security policy and not part of the "Administrative Templates".
>
> Here is the default policy, I was able to edit the file and import it via secedit.exe:
>
>     C:\WINDOWS\security\templates\Setup Security.inf
>
> Make a copy of Setup Security.inf, rename the copy secedited.inf, and change this setting from this.
>
>     PasswordComplexity = 0
>
> to this
>
>     PasswordComplexity = 1
>
> Edit this command to suit your file names/paths. Should be able to schedule this via RunOnceEx in your WINNT.SIF
>
>     secedit.exe /configure /cfg C:\secedited.inf /db C:\WINDOWS\security\Database\secedited.db /quiet
>
> Above script expects the file to be here: XP_ROOT\$OEM$\$1\secedited.inf.
>
> The secedited.db file did not exist until after I ran this script, so don't ask where to find it, the script is creating it. If that doesn't work, re-run it without the /QUIET and report back any error.

That sounds very good, I'll also try it when I'm on my testing-environment.

Thank you very much.

HØLLØW, posted November 29, 2009 (edited November 29, 2009 by HØLLØW)

Hi guys,

is there an option in the "security.inf" file to set the following policies:

- Computerconfiguration -> Administrative Templates -> Windows-Components -> Terminal Services -> "Deny logoff an administrative account"
- Computerconfiguration -> Administrative Templates -> Windows-Components -> Terminal Services -> Sessions -> "Timelimit for disconnected Sessions"

MrJinje, posted November 29, 2009

> Hi guys,
>
> is there an option in the "security.inf" file to set the following policies:
>
> - Computerconfiguration -> Administrative Templates -> Windows-Components -> Terminal Services -> "Deny logoff an administrative account"
> - Computerconfiguration -> Administrative Templates -> Windows-Components -> Terminal Services -> Sessions -> "Timelimit for disconnected Sessions"

No, the "Administrative Templates" section of GPEDIT.msc settings are contained in the C:\Windows\System32\GroupPolicy folder. Use method listed in the third post. That method didn't work for the OP because I failed to remember the local security (SECPOL.msc) policy was included inside the GPEDIT.MSC. See my second post. It should work for you since both your settings are "Group Policies" per se.

TinkeR45, posted December 2, 2009 (edited December 2, 2009 by TinkeR45)

> Go into Computer Management > Users and Groups > and double click on user PC1 - Tell me if that account is currently "disabled", if so here is easy fix.
>
>     net user PC1 /active:yes
>
> If it works, then add that to your batch file. Guess the "Setup Security.inf" had a few extra settings in it I wasn't expecting. If I remember right, there was a setting that creates all accounts as disabled by default. Instead of activating each account, another option might be to find that setting in the .INF file, change it there, so accounts don't get disabled by default.

The user PC1 was already enabled. I checked the file secedited.inf but I didn't find anything. I first thought that PC1 (no password for it) couldn't work because of the password complexity and the minimum length required for it (7 here). But the password for Admin is "info-logic", so okay, it's more than 7, but I don't think it respects the complexity rule either.

UPDATE: Okay, when I restart the computer, the user PC1 finally appeared. But I'd like to have this user available at the first log on.

TinkeR45, posted December 4, 2009

In fact, it depends: sometimes PC1 appeared after reboot, sometimes no.

But nevermind, what I want is to have the choice at the first log in between Admin and PC1, please someone? MrJinje ;p