The cleanest way to do this without a domain is to use secedit to export and re-apply the local security policy as a template file.
On your “master” machine, export the policy with:
secedit /export /cfg C:\Temp\SecurityBaseline.inf
This creates a full local security policy template (user rights, security options, etc.). Copy that .inf file to the other machines, then apply it with:
secedit /configure /db C:\Windows\Security\Database\secedit.sdb /cfg C:\Temp\SecurityBaseline.inf /overwrite
``
This will enforce the same policy set consistently across each device. You can push this remotely using something simple like PsExec or a PowerShell loop if admin shares are enabled, instead of manually touching each machine.
Just be aware this only covers local security policy, not all settings (it won’t include things like advanced firewall rules or registry-based preferences), so you may still need a separate script for anything outside what secedit manages.