MSFN Forum: Password Complexity (automatic) - MSFN Forum


Password Complexity (automatic)

#1 TinkeR45

Posted 24 November 2009 - 07:05 AM

Hello,

I'd like to automate the activation of the password complexity (which is located in gpedit.msc). Could you help me? It's for an XP Pro customised CD.
Thanks


#2 HØLLØW

Posted 25 November 2009 - 05:22 PM

Hi,

I'm also searching for a solution to activate local group-policies with a batch- / cmd-file.



I found a way to set the policies in the Windows registry, but when I'm using these reg-keys, the policy is still disabled:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fDisableForcibleLogoff"=dword:00000001
"MaxDisconnectionTime"=dword:000493e0


#3 MrJinje

  Posted 25 November 2009 - 05:51 PM

For Group Policy Settings under the GPEDIT.msc "Administrative Templates", follow this method:

1) Install XP - Customize your gpedit.msc by hand.
2) Copy the contents of this folder into your $OEM$ directory on the DVD.

C:\Windows\System32\GroupPolicy

XP_ROOT\$OEM$\$$\System32\GroupPolicy

3) Make ISO and test in VM. If done correctly the machine and user policies will be applied before first login.

I guess if someone wants to batch script the file copy instead of using the OEM folder, that could work too. I prefer the OEM folder as it is less work. Remember to GPUPDATE /FORCE or REBOOT in your batch script. GPUPDATE /FORCE is not needed for the OEM method, as the machine reboots automatically.

For Local Security Policies See Post #6

This post has been edited by MrJinje: 29 November 2009 - 06:38 PM


#4 TinkeR45

Posted 26 November 2009 - 04:42 AM

Hello,

First, I'd like to thank you both for your answers!

MrJinje, I tried your method but it didn't work. Here is what I did exactly:

-Launched gpedit.msc, changed password settings, then Exit.
-Copied the folder GroupPolicy from the system32 directory to myXpRoot\$OEM$\$$\system32
-Created a .iso with nLite
-Virtualized with Sun Virtualbox, but nothing happened, even after a gpupdate /force I could create a user with a basic password.

Also I found something about it here: http://www.hydre.org/drupal/node/14 (it's in French)

Basically it explains that the key concerning the password complexity is located in HKLM\SAM\SAM\Domains\Account\F, which is inaccessible without using psexec.

To see it, you'll have to type in command line psexec -s -i -d c:\windows\regedit.exe.

Open the F key:

00000000 02 00 01 00 00 00 00 00 - 86 13 ff ee 53 4f c9 01 ..........ÿîSOÉ.
00000010 2d 00 00 00 00 00 00 00 - 00 c0 53 7d fb ee fc ff -........ÀS}ûîüÿ
00000020 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 80 ................
00000030 00 cc 1d cf fb ff ff ff - 00 cc 1d cf fb ff ff ff .Ì.Ïûÿÿÿ.Ì.Ïûÿÿÿ
00000040 00 00 00 00 00 00 00 00 - ec 03 00 00 00 00 00 00 ........ì.......
00000050 00 00 18 00 00 00 00 00 - 01 00 00 00 03 00 00 00 ................
00000060 01 00 00 00 01 00 01 00 - 01 00 00 00 38 00 00 00 ............8...
00000070 8e e1 10 7b 7b 28 30 53 - c9 a0 a2 98 e8 92 50 14 .á.{{(0SÉ ¢.è.P.
00000080 86 10 6a 00 42 46 39 7c - 73 ef d8 ed 63 94 07 d7 ..j.BF9|sïØíc..×
00000090 b1 38 60 64 b5 68 26 ac - 72 42 60 a0 82 41 98 7b ±8`dµh&¬rB` .A.{
000000a0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
000000b0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
000000c0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
000000d0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
000000e0 00 00 00 00 00 00 00 00 - 01 00 00 00 00 00 00 00 ................

The digit in red is the one that concerns the password complexity. If it's 0=>no pw complexity required, if 1=>pw complexity required.

I tried to export/import the modified .reg file but it didn't work either...

This post has been edited by TinkeR45: 26 November 2009 - 04:55 AM


#5 IcemanND

Posted 26 November 2009 - 09:56 AM

I believe you can do this using the Windows built-in secedit.exe tool.

#6 MrJinje

  Posted 26 November 2009 - 12:37 PM

TinkeR45, on Nov 26 2009, 04:42 AM, said:

MrJinje, I tried your method but it didn't work. Here is what I did exactly:

-Launched gpedit.msc, changed password settings, then Exit.
-Copied the folder GroupPolicy from the system32 directory to myXpRoot\$OEM$\$$\system32
-Created a .iso with nLite
-Virtualized with Sun Virtualbox, but nothing happened, even after a gpupdate /force I could create a user with a basic password.

Iceman is right, the password setting is part of the local security policy and not part of the "Administrative Templates".

Here is the default policy, I was able to edit the file and import it via secedit.exe

C:\WINDOWS\security\templates\Setup Security.inf

Make a copy of Setup Security.inf, rename the copy secedited.inf, and change this setting from this.

Quote

PasswordComplexity = 0
to this

Quote

PasswordComplexity = 1
Edit this command to suit your file names/paths. Should be able to schedule this via RunOnceEx in your WINNT.SIF

Quote

secedit.exe /configure /cfg C:\secedited.inf /db C:\WINDOWS\security\Database\secedited.db /quiet
Above script expects the file to be here XP_ROOT\$OEM$\$1\secedited.inf.

The secedited.db file did not exist until after I ran this script, so don't ask where to find it, the script is creating it. If that doesn't work, re-run it without the /QUIET and report back any error.

This post has been edited by MrJinje: 26 November 2009 - 12:38 PM


#7 TinkeR45

Posted 27 November 2009 - 08:37 AM

Thanks a lot that worked fine!

I integrated the command in a .bat file launched by my cmdlines.txt:

@echo off

start /wait regedit.exe /s ie_title.reg

net user "Admin" "info-logic" /add
net localgroup Administrateurs "Admin" /add
start /wait regedit.exe /s compte.reg

net user "PC1" /add
net localgroup "Utilisateurs" "PC1" /add

net stop RemoteRegistry

secedit.exe /configure /cfg %systemdrive%\secedited.inf /db C:\WINDOWS\security\Database\secedited.db /quiet

del /Q %systemdrive%\secedited.inf


But I've a new problem now: before that, I could see both users (Admin and PC1); now I can only see Admin. PC1 seems to be created but I can't log in with it anymore, I have no choice but Admin.

This post has been edited by TinkeR45: 27 November 2009 - 08:46 AM


#8 MrJinje

  Posted 27 November 2009 - 01:22 PM

Go into Computer Management > Users and Groups > and double click on user PC1 - Tell me if that account is currently "disabled", if so here is easy fix.

net user PC1 /active:yes

If it works, then add that to your batch file.

Guess the "Setup Security.inf" had a few extra settings in it I wasn't expecting. If I remember right, there was a setting that creates all accounts as disabled by default. Instead of activating each account, another option might be to find that setting in the .INF file, change it there, so accounts don't get disabled by default.

This post has been edited by MrJinje: 27 November 2009 - 01:24 PM
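
An added example (not code from any poster in this thread): one way to apply only the password-complexity setting with secedit, using a template that contains nothing else instead of an edited copy of Setup Security.inf, and then to confirm the value by exporting the local policy. The file names pwpolicy.inf, pwpolicy.db, pwpolicy.log and pwcheck.inf are assumptions chosen for illustration.

```batch
@echo off
rem Added example, not from the thread. All pwpolicy.* / pwcheck.inf
rem file names below are hypothetical.
setlocal
set "CFG=%SystemDrive%\pwpolicy.inf"
set "DB=%SystemRoot%\security\Database\pwpolicy.db"
set "LOG=%SystemDrive%\pwpolicy.log"
set "CHECK=%SystemDrive%\pwcheck.inf"

rem Write a security template that carries only the one setting to change,
rem so no unrelated values from Setup Security.inf are imported.
> "%CFG%" echo [Unicode]
>>"%CFG%" echo Unicode=yes
>>"%CFG%" echo [Version]
>>"%CFG%" echo signature="$CHICAGO$"
>>"%CFG%" echo Revision=1
>>"%CFG%" echo [System Access]
>>"%CFG%" echo PasswordComplexity = 1

rem Apply the template, limited to the account/password policy area.
rem /log keeps a record even though /quiet suppresses console output.
secedit.exe /configure /db "%DB%" /cfg "%CFG%" /areas SECURITYPOLICY /log "%LOG%" /quiet
if errorlevel 1 (
    echo secedit /configure reported a problem, see %LOG%
    exit /b 1
)

rem Export the local security policy and check the value that is now set.
rem The export is written as Unicode; TYPE converts it so FINDSTR can match.
secedit.exe /export /cfg "%CHECK%" /areas SECURITYPOLICY /quiet
type "%CHECK%" | findstr /C:"PasswordComplexity = 1" >nul
if errorlevel 1 (
    echo PasswordComplexity is NOT enabled
    del /Q "%CHECK%" 2>nul
    exit /b 1
)

echo PasswordComplexity is enabled
del /Q "%CFG%" "%CHECK%" 2>nul
endlocal
```

Complexity is enforced when a password is set or changed, so accounts created before this runs keep whatever password they were given.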


#9 HØLLØW

Posted 29 November 2009 - 06:17 AM

MrJinje, on Nov 26 2009, 07:37 PM, said:

TinkeR45, on Nov 26 2009, 04:42 AM, said:

MrJinje, I tried your method but it didn't work. Here is what I did exactly:

-Launched gpedit.msc, changed password settings, then Exit.
-Copied the folder GroupPolicy from the system32 directory to myXpRoot\$OEM$\$$\system32
-Created a .iso with nLite
-Virtualized with Sun Virtualbox, but nothing happened, even after a gpupdate /force I could create a user with a basic password.

Iceman is right, the password setting is part of the local security policy and not part of the "Administrative Templates".

Here is the default policy, I was able to edit the file and import it via secedit.exe

C:\WINDOWS\security\templates\Setup Security.inf

Make a copy of Setup Security.inf, rename the copy secedited.inf, and change this setting from this.

Quote

PasswordComplexity = 0
to this

Quote

PasswordComplexity = 1
Edit this command to suit your file names/paths. Should be able to schedule this via RunOnceEx in your WINNT.SIF

Quote

secedit.exe /configure /cfg C:\secedited.inf /db C:\WINDOWS\security\Database\secedited.db /quiet
Above script expects the file to be here XP_ROOT\$OEM$\$1\secedited.inf.

The secedited.db file did not exist until after I ran this script, so don't ask where to find it, the script is creating it. If that doesn't work, re-run it without the /QUIET and report back any error.




That sounds very good, I'll also try it when I'm on my testing-environment.


Thank you very much.

This post has been edited by HØLLØW: 29 November 2009 - 06:17 AM


#10 HØLLØW

Posted 29 November 2009 - 01:32 PM

Hi guys,

is there an option in the "security.inf" file to set the following policies:

- Computerconfiguration -> Administrative Templates -> Windows-Components -> Terminal Services -> "Deny logoff an administrative account"

- Computerconfiguration -> Administrative Templates -> Windows-Components -> Terminal Services -> Sessions -> "Timelimit for disconnected Sessions"

This post has been edited by HØLLØW: 29 November 2009 - 01:33 PM


#11 MrJinje

  Posted 29 November 2009 - 01:52 PM

HØLLØW, on Nov 29 2009, 01:32 PM, said:

Hi guys,

is there an option in the "security.inf" file to set the following policies:

- Computerconfiguration -> Administrative Templates -> Windows-Components -> Terminal Services -> "Deny logoff an administrative account"

- Computerconfiguration -> Administrative Templates -> Windows-Components -> Terminal Services -> Sessions -> "Timelimit for disconnected Sessions"

No, the "Administrative Templates" section of GPEDIT.msc settings are contained in the C:\Windows\System32\GroupPolicy folder. Use the method listed in the third post.

That method didn't work for the OP because I failed to remember the local security (SECPOL.msc) policy was included inside the GPEDIT.MSC. See my second post. It should work for you since both your settings are "Group Policies" per se.

#12 TinkeR45

Posted 02 December 2009 - 02:32 AM

MrJinje, on Nov 27 2009, 08:22 PM, said:

Go into Computer Management > Users and Groups > and double click on user PC1 - Tell me if that account is currently "disabled", if so here is easy fix.

net user PC1 /active:yes

If it works, then add that to your batch file.

Guess the "Setup Security.inf" had a few extra settings in it I wasn't expecting. If I remember right, there was a setting that creates all accounts as disabled by default. Instead of activating each account, another option might be to find that setting in the .INF file, change it there, so accounts don't get disabled by default.


The user PC1 was already enabled. I checked the file secedited.inf but I didn't find anything. I first thought that PC1 (no password for it) couldn't work because of the password complexity and the minimum length required for it (7 here). But the password for Admin is "info-logic", so okay, it's more than 7, but I don't think it respects the complexity rule either.


UPDATE: Okay, when I restart the computer, the user PC1 finally appeared. But I'd like to have this user available in the first log on.

This post has been edited by TinkeR45: 02 December 2009 - 03:18 AM


#13 TinkeR45

Posted 04 December 2009 - 07:22 AM

In fact, it depends: sometimes PC1 appeared after reboot, sometimes not.

But never mind, what I want is to have the choice at the first log in between Admin and PC1, please someone? MrJinje ;p
