
How to List All Local Security Policy Settings in Batch Script

Local Security Policies, which include password requirements, account lockout rules, user rights, and detailed auditing settings, form the "Security Backbone" of a Windows system. While you can view these in the secpol.msc GUI, a professional administrator needs a way to "List" them all programmatically for quick auditing or record-keeping. By combining the secedit, auditpol, and net accounts tools, you can generate a complete snapshot of your machine's security posture.

This guide explains how to extract and display these detailed settings using a Batch script.

Why List All Security Policies?

  • Security Compliance Audit: Providing a clear, text-based manifest of every security toggle for a standard workstation or server.
  • Troubleshooting Access Issues: Identifying which "User Right" or "Account Lockout" policy is preventing a service from starting.
  • Environment Baselining: Comparing the settings of a "Healthy" machine against one that is experiencing security-related failures.

No Single 'List' Command

Windows security is divided into several databases. To get a "Full List," your script must query three distinct areas: Account Policies, Security Templates, and Audit Policies.

Method 1: Listing Account Policies (Password/Lockout)

The net accounts command is the fastest way to list the basic password and lockout behaviors.

@echo off
echo [PROCESS] Retrieving Password and Account Lockout policies...
echo.

net accounts

pause

Method 2: Listing Detailed Security Templates (Secedit)

To see advanced settings like "Rename administrator account" or "User Rights Assignments," we use secedit to export the current security template to a temporary file and then display that file.

@echo off
setlocal

:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required for secedit.
    pause
    exit /b 1
)

set "TMP_SEC=%TEMP%\security_dump_%RANDOM%.inf"

echo [PROCESS] Exporting detailed Security Templates...
secedit /export /cfg "%TMP_SEC%" >nul

if %errorlevel% neq 0 (
    echo [ERROR] Security template export failed. Code: %errorlevel%
    pause
    exit /b 1
)

:: Display the results directly in the terminal
echo.
type "%TMP_SEC%"

:: Clean up
del "%TMP_SEC%" >nul 2>&1
pause

Method 3: Listing Audit Policies (Auditpol)

Detailed auditing (like "Audit File System" or "Audit Logon") is stored separately from the security template and is queried with the auditpol tool.

@echo off

:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required for auditpol.
    pause
    exit /b 1
)

echo [PROCESS] Retrieving Global Audit Policy Status...
echo.

:: This command lists every subcategory and its current status
auditpol /get /category:*

pause

Creating a Master Security Audit Report

This script combines all methods into a single, timestamped report file, perfect for administrative documentation.

@echo off
setlocal

echo ============================================================
echo Master Security Policy Extraction Tool
echo ============================================================

:: 0. Verify Admin Rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)

set "REPORT_DIR=%~dp0SecurityAudits"
if not exist "%REPORT_DIR%" mkdir "%REPORT_DIR%"
:: The date substrings assume the default US-style %DATE% layout (ddd MM/DD/YYYY); adjust them for other locales
set "REPORT=%REPORT_DIR%\Security_Audit_%COMPUTERNAME%_%date:~-4%%date:~-10,2%%date:~-7,2%.txt"

echo [PROCESS] Generating report... Please wait...
echo.

:: 1. Header
echo --- SECURITY AUDIT REPORT for %COMPUTERNAME% --- > "%REPORT%"
echo Generated: %DATE% %TIME% >> "%REPORT%"
echo ================================================= >> "%REPORT%"
echo. >> "%REPORT%"

:: 2. Net Accounts
echo [1/3] Extracting account policies...
echo [SECTION 1] ACCOUNT AND PASSWORD POLICIES >> "%REPORT%"
echo ------------------------------------------------- >> "%REPORT%"
net accounts >> "%REPORT%" 2>&1
echo. >> "%REPORT%"

:: 3. Audit Policies
echo [2/3] Extracting audit policies...
echo [SECTION 2] AUDIT POLICY CONFIGURATION >> "%REPORT%"
echo ------------------------------------------------- >> "%REPORT%"
auditpol /get /category:* >> "%REPORT%" 2>&1
echo. >> "%REPORT%"

:: 4. Secedit (Advanced Policies)
echo [3/3] Extracting security templates...
echo [SECTION 3] ADVANCED SECURITY TEMPLATES >> "%REPORT%"
echo ------------------------------------------------- >> "%REPORT%"
set "T_INF=%TEMP%\sec_tmp_%RANDOM%.inf"
secedit /export /cfg "%T_INF%" >nul 2>&1

if %errorlevel% equ 0 (
    type "%T_INF%" >> "%REPORT%"
) else (
    echo [ERROR] secedit export failed. >> "%REPORT%"
)
del "%T_INF%" >nul 2>&1

:: 5. Results
echo.
echo [SUCCESS] Master report created:
echo %REPORT%
echo.
echo [TIP] Search for specific settings with:
echo findstr /i "MinimumPasswordLength" "%REPORT%"
echo ============================================================
pause

Common Pitfalls and How to Avoid Them

Administrative Rights

Extracting advanced security templates and audit statuses requires Administrator privileges.

Wrong Way:

:: Running as a standard user
secedit /export ...
:: Result: Access Denied.

SID vs. Username

In the secedit section, you might see strings like *S-1-5-32-544 instead of "Administrators."

SEO and UX Tip

Advise your users that these are Security Identifiers (SIDs). They are the "True names" Windows uses for accounts. For example, *S-1-5-32-544 always refers to the local Administrators group regardless of what it has been renamed to.

Best Practices for Policy Auditing

  1. Search for Specifics: Use findstr on your report to find high-risk settings (e.g., findstr /i "MinimumPasswordLength" audit.txt).
  2. Verify Domain GPOs: If your report shows one thing but the GUI shows another, remember that domain Group Policy settings take precedence over local settings. Use gpresult /r to see which GPOs are applied.
  3. Archive Regularly: Keep a folder of these weekly reports to track how your security posture changes over time.
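The following script is an added example, not part of the original article: it combines the "Search for Specifics" and "Environment Baselining" ideas above by exporting the security template and comparing a few [System Access] values against a baseline. The threshold values and the :check subroutine are constructed for illustration; secedit, type and findstr are the standard Windows tools used throughout this guide.

```batch
@echo off
setlocal EnableDelayedExpansion
:: Baseline thresholds: constructed for this example, adjust to your own standard
set "MIN_PWD_LEN=14"
set "MAX_LOCKOUT_COUNT=10"

net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required for secedit.
    exit /b 1
)

set "T_INF=%TEMP%\sec_base_%RANDOM%.inf"
set "T_TXT=%TEMP%\sec_base_%RANDOM%.txt"
secedit /export /cfg "%T_INF%" >nul 2>&1 || (echo [ERROR] secedit export failed. & exit /b 1)

:: secedit writes the INF as UTF-16; passing it through "type" converts it to the
:: console code page so that findstr and for /f can read it line by line.
type "%T_INF%" > "%T_TXT%"
del "%T_INF%" >nul 2>&1

set "FAILS=0"
call :check MinimumPasswordLength GEQ %MIN_PWD_LEN%
call :check PasswordComplexity    EQU 1
call :check LockoutBadCount       GEQ 1
call :check LockoutBadCount       LEQ %MAX_LOCKOUT_COUNT%
call :check EnableGuestAccount    EQU 0

del "%T_TXT%" >nul 2>&1
if %FAILS% equ 0 (echo [PASS] All checked settings meet the baseline.) else (echo [FAIL] %FAILS% setting^(s^) deviate from the baseline.)
exit /b %FAILS%

:: :check KEY OPERATOR EXPECTED  (hypothetical helper; reads KEY from the [System Access] section)
:check
set "VAL="
for /f "tokens=2 delims==" %%V in ('findstr /b /i /c:"%~1 " "%T_TXT%"') do set "VAL=%%V"
if not defined VAL (
    echo [WARN] %~1 is not present in the export
    set /a FAILS+=1
    goto :eof
)
set "VAL=!VAL: =!"
if !VAL! %~2 %~3 (
    echo [OK]   %~1 = !VAL!
) else (
    echo [FAIL] %~1 = !VAL! ^(expected %~2 %~3^)
    set /a FAILS+=1
)
goto :eof
```

The exit code equals the number of deviating settings, so a scheduled task or fleet script can treat a non-zero result as a baseline drift signal.
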

Log Sizes

Always check your "Security Event Log" size while running these reports. If your audit policies are set to "Success/Failure" but the Security log contains no matching events, the log may have reached its maximum size, so check its size and retention setting alongside these reports.

Conclusion

Listing all local security policy settings via Batch script provides a level of visibility and control that is essential for professional Windows administration. By orchestrating multiple system utilities to pull data from every corner of the security database, you can create a comprehensive, automated audit trail that ensures your infrastructure is compliant and secure. This professional approach to system monitoring transforms complex security settings into clear, actionable reports, allowing you to maintain a robust defense posture across your entire workstation and server fleet.