Shavlik: Get GPO Password Policy Settings

Version 6

    Author: Shavlik

    Category: Information

    Inputs: None

    Minimum ITScripts engine version required:

    Modifies the target machine: No

    Name: Get GPO Password Policy Settings

    Outputs: GPO password policy settings are written to a CSV file

    Purpose: This script queries the target machine(s) for GPO-based account policy settings.

    Script Version:

    Target Type: Any


    Technical Description:

    The script will output the following information:

    - Machine Name

    - Setting name: Possible values are:

    • Enforce password history (# of passwords remembered)

    • Maximum password age (days)

    • Minimum password age (days)

    • Minimum password length (# of characters)

    • Password must meet complexity requirements (enabled/disabled)

    • Store passwords using reversible encryption (enabled/disabled)

    - Setting Value: Shows the setting and the units. For special cases the script will provide an explanation of the setting.



    The script will provide descriptive errors if it fails to connect to a machine or fails to get account lockout settings.



    Note: To manually monitor a target machine, open Microsoft Management Console (MMC) and go to: local computer policywindows setttingssecurity settingsaccount policiespassword policy.



    Possible Operations Monitor results include:

    "WMI connection to the target machine failed. Access is denied."

    "WMI connection to the target machine failed. The machine may be offline or firewalled."

    "Unable to get GPO password policy settings from a computer in a workgroup"