When I showcased DSC to our security team, I also built another wrapper of secedit.exe.
I took the same quick 'n' dirty approach as the audit policy DSC script from my previous post. Again, only a File and a Script DSC resource are involved in the configuration.
Note that there’s also a limitation in my code.
Secedit.exe can handle more than just the local security policy.
There are other areas it can cover: restricted group settings, user logon rights,…
To get the security baseline I first exported the local security policy to a file like this:
secedit.exe /export /Cfg C:\secpol.txt /areas SECURITYPOLICY
… and I copied/pasted the content of the resulting C:\secpol.txt into the Content property of my File resource.
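The File + Script pairing described above, shown as an added example (it is not the author's own configuration): the File resource drops the baseline, and the Script resource tests the live policy against it and applies it with secedit.exe when they differ. The configuration and resource names, the temp file names and the baseline values are assumptions constructed for illustration; the built-in File resource's property is named `Contents`.

```powershell
# Added example, not the author's code. Names, paths and values are assumptions.
Configuration SecPolBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    $inf = 'C:\secpol.txt'   # same file name as the export command above

    Node 'localhost' {
        File Baseline {
            DestinationPath = $inf
            Ensure          = 'Present'
            # Constructed sample values; paste the real exported policy here.
            Contents        = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@
        }

        Script ApplySecPol {
            DependsOn  = '[File]Baseline'
            GetScript  = { @{ Result = (Get-Content -Path $using:inf -Raw) } }
            TestScript = {
                # Reduce an INF file to normalized "key=value" lines.
                $norm = { param($p) Get-Content -Path $p | Where-Object { $_ -match '=' } |
                          ForEach-Object { ($_ -replace '\s*=\s*', '=').Trim() } }
                # Export the live policy, same area as the baseline export.
                $cur = Join-Path $env:TEMP 'secpol-current.txt'
                secedit.exe /export /cfg $cur /areas SECURITYPOLICY /quiet | Out-Null
                $live = & $norm $cur
                $want = & $norm $using:inf
                Remove-Item -Path $cur -ErrorAction SilentlyContinue
                # Compliant only if every baseline line is present in the live export.
                @($want | Where-Object { $live -notcontains $_ }).Count -eq 0
            }
            SetScript  = {
                $db = Join-Path $env:TEMP 'secpol-dsc.sdb'
                secedit.exe /configure /db $db /cfg $using:inf /overwrite /areas SECURITYPOLICY /quiet | Out-Null
                if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
            }
        }
    }
}
```

Because both the export and the configure step pass `/areas SECURITYPOLICY`, drift in the other areas secedit.exe can handle (restricted groups, user logon rights) is neither detected nor corrected by this configuration.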