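@echo off
REM ---------------------------------------------------------------------------
REM Shows a summary of local policy settings, then applies them with a secedit
REM security template plus a few registry policy values: account lockout,
REM password policy, hidden last-user name, machine inactivity lock and a
REM fixed wallpaper. Run it from an elevated command prompt.
REM
REM NOTE review: the template written below is a full settings export, not
REM just the items listed in the on-screen summary. Several entries weaken a
REM default install: UAC off, every audit category off, no password history,
REM built-in Administrator enabled, SMB signing not required. Each one is
REM marked where it is written. Compare them with your own baseline before
REM running this on a real host.
REM ---------------------------------------------------------------------------
setlocal

:Author
color 0E
echo #################################################################
echo # #
echo # Bharat Babbar #
echo # Bharatbabbar28@gmail.com #
echo # #
echo # Donate Bitcoins :- 15XgKbvduGygsNc1eUfkb2h5B5Q5su3X1V #
echo # Donate Etheriums:- 0xEdf3bbB6457ec13ACb13690A693b1952B9E2BF69 #
echo # #
echo #################################################################
pause
cls

:INFO
REM Every literal greater-than sign in the text below is escaped with a caret.
REM Unescaped, cmd treats it as output redirection: the line is not shown and
REM stray files named Run, type, Computer and so on appear in the current
REM directory.
color F1
echo **************************************************************************************************************************************************
echo * Hi All, *
echo * You have to follow below steps to apply Group Policy settings using UI mode:- *
echo * *
echo * 1. To setup lockout policy and to hide last user login name from login screen:- *
echo * *
echo * Click on Start ^> Run ^> type gpedit.msc and press enter *
echo * Go to Local Computer Policy ^> Computer Configuration ^> Windows Settings ^> Security Settings ^> Account Lockout Policy *
echo * *
echo * Account lockout duration 10 *
echo * Account lockout threshold 03 *
echo * Reset account lockout counter after 10 *
echo * *
echo * *
echo * *
echo * 2. To wallpaper control policy:- *
echo * *
echo * Click on Start ^> Run ^> type gpedit.msc and press enter *
echo * Go to Local Computer Policy ^> User Configuration ^> Administrative Templates ^> Desktop *
echo * In the right pane, select Desktop wallpaper and enable it *
echo * Indicate the full path for your custom/default wallpaper *
echo * Centre and stretch the image as required and press on the OK button to validate. *
echo * *
echo * *
echo * *
echo * 3. To lock system after 300 seconds:- *
echo * *
echo * ? FOR WINDOWS 7:- *
echo * *
echo * Click on Start ^> Run ^> type gpedit.msc and press enter *
echo * Go to Local Computer Policy ^> User Configuration ^> Administrative Templates ^> control Panel ^> personalization *
echo * *
echo * Enable screen saver Enabled *
echo * Password protect the screen saver Enabled *
echo * Screen saver timeout Enabled (Time should be 300 seconds) *
echo * Force specific screen saver Enabled *
echo * *
echo * *
echo * ? FOR WINDOWS 8/8.1/10:- *
echo * *
echo * Click on Start ^> Run ^> type gpedit.msc and press enter *
echo * Go to Local Computer Policy ^> Computer Configuration ^> Windows Settings ^> Security Settings ^> Local Policies ^> Security Options *
echo * In the right pane, select interactive logon machine inactivity limit and input 300 Seconds then Apply and OK. *
echo * *
echo * *
echo * *
echo * 4. To change in Password Policy:- *
echo * Click on Start ^> Run ^> type gpedit.msc and press enter *
echo * Go to Local Computer Policy ^> Computer Configuration ^> Windows Settings ^> Security Settings ^> Local Policies^>Account Policies^>Password Policy *
echo * Make changes In the right pane as below:- *
echo * *
echo * Enforce Password History 0 Password Remembered *
echo * Maximum Password Age 60 Days *
echo * Minimum Password Age 2 Days *
echo * Minimum Password Length 8 Characters *
echo * Password Complexity Enabled *
echo * Store Password Using Reversible encryption Disabled *
echo **************************************************************************************************************************************************
REM Show the prompt before waiting for the key, so the user sees it.
echo PRESS ANY KEY TO APPLY ABOVE POLICIES
pause
cls
color 0A

:Trick_to_Update_Policy
REM secedit and the HKLM write need an elevated token. fltmc fails without
REM one, so stop here instead of applying half of the settings.
fltmc >nul 2>&1
if errorlevel 1 (
    echo ERROR: run this script from an elevated command prompt.
    pause
    exit /b 1
)

REM Build the template in a fresh per-run directory under the caller's TEMP.
REM Do not wipe or reuse a fixed path such as C:\temp: deleting it destroys
REM unrelated data, and a well-known directory under the drive root can
REM usually be created in advance by other local users, who could then
REM influence a template that is applied with administrator rights.
REM mkdir fails when the directory already exists, which aborts the run.
set "WORKDIR=%TEMP%\secpol_%RANDOM%%RANDOM%"
mkdir "%WORKDIR%"
if errorlevel 1 (
    echo ERROR: could not create "%WORKDIR%".
    pause
    exit /b 1
)
set "CFG=%WORKDIR%\secconfig.cfg"

REM Write the whole template through one redirection to an absolute path, so
REM the result does not depend on the current drive or directory.
(
echo [Unicode]
echo Unicode=yes
echo [System Access]
echo MinimumPasswordAge = 2
echo MaximumPasswordAge = 60
echo MinimumPasswordLength = 8
echo PasswordComplexity = 1
REM NOTE review: history size 0 lets a user switch straight back to the old password.
echo PasswordHistorySize = 0
echo LockoutBadCount = 3
echo ResetLockoutCount = 10
echo LockoutDuration = 10
echo RequireLogonToChangePassword = 0
echo ForceLogoffWhenHourExpire = 0
echo NewAdministratorName = "Administrator"
echo NewGuestName = "Guest"
echo ClearTextPassword = 0
echo LSAAnonymousNameLookup = 0
REM NOTE review: this enables the built-in Administrator account, which is disabled by default on client Windows.
echo EnableAdminAccount = 1
echo EnableGuestAccount = 0
REM NOTE review: every audit category is set to 0, no auditing. Logon,
REM account management and policy change events stop reaching the Security
REM log, which removes the evidence detection and incident response rely on.
echo [Event Audit]
echo AuditSystemEvents = 0
echo AuditLogonEvents = 0
echo AuditObjectAccess = 0
echo AuditPrivilegeUse = 0
echo AuditPolicyChange = 0
echo AuditAccountManage = 0
echo AuditProcessTracking = 0
echo AuditDSAccess = 0
echo AuditAccountLogon = 0
echo [Registry Values]
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,5
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"0"
REM NOTE review: ConsentPromptBehaviorAdmin 0 elevates without any prompt.
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,0
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,3
REM Set to 1 so the template agrees with the summary and with the reg add
REM further down. It was 0 here, which means show the last user name.
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection=4,1
REM NOTE review: EnableLUA 0 turns User Account Control off entirely.
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,0
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths=4,1
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle=4,0
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization=4,1
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken=4,0
REM Machine inactivity limit of 300 seconds, item 3 of the summary. No other
REM line of this script sets it. Windows 7 does not have this setting.
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs=4,300
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,
REM NOTE review: PromptOnSecureDesktop 0 shows elevation prompts on the normal desktop.
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,0
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures=4,0
echo MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0
echo MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
echo MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
echo MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
echo MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
echo MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0
echo MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
echo MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
echo MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
echo MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,536870912
echo MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,536870912
echo MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
echo MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
echo MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
echo MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,0
echo MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
echo MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog
echo MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
echo MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
echo MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
echo MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,Posix
echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
REM NOTE review: SMB signing is neither enabled nor required on the server
REM side and not required on the client side in the lines below.
echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0
echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,
echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
echo MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
echo MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
echo MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
echo MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
echo MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
echo MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
echo MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
echo MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1
echo MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
echo MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
REM NOTE review: user rights belong to the USER_RIGHTS area of secedit, so
REM with /areas SECURITYPOLICY this section is presumably not applied. Confirm
REM before relying on it. It also names accounts from the machine the template
REM was exported on, the SQLServer2005 groups and E2ESS4, which will not
REM resolve on other hosts, and it lists Guest under SeInteractiveLogonRight.
echo [Privilege Rights]
echo SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
echo SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
echo SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,SQLServer2005MSSQLUser$E2E-SER-004$SQLEXPRESS,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
echo SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
echo SeCreatePagefilePrivilege = *S-1-5-32-544
echo SeDebugPrivilege = *S-1-5-32-544
echo SeRemoteShutdownPrivilege = *S-1-5-32-544
echo SeAuditPrivilege = *S-1-5-19,*S-1-5-20
echo SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,SQLServer2005MSSQLUser$E2E-SER-004$SQLEXPRESS,*S-1-5-32-544
echo SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
echo SeLoadDriverPrivilege = *S-1-5-32-544
echo SeBatchLogonRight = SQLServer2005MSSQLUser$E2E-SER-004$SQLEXPRESS,*S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
echo SeServiceLogonRight = SQLServer2005SQLBrowserUser$E2E-SER-004,SQLServer2005MSSQLUser$E2E-SER-004$SQLEXPRESS,*S-1-5-80-0
echo SeInteractiveLogonRight = Guest,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
echo SeSecurityPrivilege = *S-1-5-32-544
echo SeSystemEnvironmentPrivilege = *S-1-5-32-544
echo SeProfileSingleProcessPrivilege = *S-1-5-32-544
echo SeSystemProfilePrivilege = *S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
echo SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,SQLServer2005MSSQLUser$E2E-SER-004$SQLEXPRESS
echo SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
echo SeShutdownPrivilege = E2ESS4,*S-1-5-32-544,*S-1-5-32-551
echo SeTakeOwnershipPrivilege = *S-1-5-32-544
echo SeDenyNetworkLogonRight = Guest
echo SeDenyInteractiveLogonRight = Guest
echo SeUndockPrivilege = *S-1-5-32-544,*S-1-5-32-545
echo SeManageVolumePrivilege = *S-1-5-32-544
echo SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
echo SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
echo SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
echo SeIncreaseWorkingSetPrivilege = *S-1-5-32-545
echo SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-545
echo SeCreateSymbolicLinkPrivilege = *S-1-5-32-544
echo [Version]
echo signature="$CHICAGO$"
echo Revision=1
) > "%CFG%"

REM Apply the template and report a failure instead of carrying on silently.
secedit.exe /configure /db "%windir%\securitynew.sdb" /cfg "%CFG%" /areas SECURITYPOLICY
if errorlevel 1 echo WARNING: secedit reported a problem, check %windir%\security\logs\scesrv.log

REM Registry policy values. The HKCU writes land only in the hive of the
REM account running this script, so other users keep their own wallpaper
REM settings.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v dontdisplaylastusername /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Windows\Web\Wallpaper\Nature\img1.jpg" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 4 /f
gpupdate /force

REM Remove only the directory this run created.
rmdir /s /q "%WORKDIR%"
echo *************************
echo PRESS ANY KEY TO EXIT
echo *************************
pause
exit /b 0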