author | John McCrae <jmccrae@chef.io> | 2021-05-06 09:46:17 -0700 |
---|---|---|
committer | Tim Smith <tsmith84@gmail.com> | 2021-09-17 08:13:45 -0700 |
commit | 83f2c378281525fe97a88c576307146102892f5b (patch) | |
tree | 246f73671348c119088d486d744244c2d9470a64 | |
parent | bcf517dfa13bd06c088dc42b5ebd26c42785f30c (diff) | |
download | chef-83f2c378281525fe97a88c576307146102892f5b.tar.gz |
'LockoutThreshold' is actually implemented by Windows as LockoutBadCount. What shows up in an Account Lockout Policy is Account Lockout Threshold but what gets written to disk when you change it is LockoutBadCount. That item is available in the list of existing policy objects. I updated the code to add AuditPolicyChange; that was missing. I also added ResetLockoutCount which pairs with the Lockout Threshold so users aren't permanently locked out. The last item, LockoutObservationWindow, does not appear in a Security Policy as exported by secedit but you can get to it via PowerShell. It is part of a customized fine grain password policy. Read more here: http://woshub.com/fine-grained-password-policy-in-windows-server-2012-r2/
Signed-off-by: John McCrae <jmccrae@chef.io>
-rw-r--r-- | lib/chef/resource/windows_security_policy.rb | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/lib/chef/resource/windows_security_policy.rb b/lib/chef/resource/windows_security_policy.rb index 1b0a285197..c2de8c615d 100644 --- a/lib/chef/resource/windows_security_policy.rb +++ b/lib/chef/resource/windows_security_policy.rb @@ -35,6 +35,8 @@ class Chef PasswordHistorySize LockoutBadCount ResetLockoutCount + AuditPolicyChange + LockoutDuration RequireLogonToChangePassword ForceLogoffWhenHourExpire NewAdministratorName |
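Review bot: The second added entry, LockoutDuration, is not mentioned anywhere in the commit message, which instead says ResetLockoutCount was added; in the hunk ResetLockoutCount is an unchanged context line, so it was already in the list before this change. Please update the message to name LockoutDuration and say why it is needed, so the log matches what the patch actually allows. The diffstat also shows only lib/chef/resource/windows_security_policy.rb changed, so a spec case and a documentation update covering AuditPolicyChange and LockoutDuration would be worth adding alongside the two new list entries.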