Use Windows PowerShell to Configure Domain Password Policy

Doctor Scripto

Summary: Ed Wilson, Microsoft Scripting Guy, talks about using Windows PowerShell to configure the default domain password policy. Hey, Scripting Guy! Question Hey, Scripting Guy! I need some help. I need to get the default domain password policy, but I do not want to mess around with the Group Policy MMC. Instead, I would like to have objects I can use, and then make some decisions based on what I find. Can you help? —JB Hey, Scripting Guy! Answer Hello JB, Microsoft Scripting Guy, Ed Wilson, is here. The good news is that the temperature today is only 80 degrees Fahrenheit. The bad news is that dew point is about 78, so the resultant relative humidity is about 92%. Oh well. It is wonderful weather for a nice cup of Darjeeling tea, a bit of local wildflower honey, and a slice of lemon. With some fresh locally grown mangos, I readily forget the high humidity. I have Stevie Ray Vaughn cranked up on my Zune, and I am checking the email sent to scripter@microsoft.com. JB, the good news for you is that the Active Directory module has all the tools you need to retrieve the default domain password policy, and even make changes to it. The first thing to do is to retrieve the default domain password policy. Luckily, all you need to do is to find the appropriate Windows PowerShell cmdlet.

Note  If you do not have the Active Directory module installed on your local computer, you can access any remote computer that has it installed, and open a remote Windows PowerShell session. When I don’t know a specific cmdlet name, I use the Get-Command cmdlet and search for it. To find my password cmdlets, I use the following command:

PS C:> gcm -Noun *password*

CommandType               Name                                             ModuleName            

———–                            —-                                                 ———-            

Cmdlet          Add-ADDomainControllerPasswordReplicationPolicy    activedirectory       

Cmdlet          Add-ADFineGrainedPasswordPolicySubject             activedirectory       

Cmdlet          Get-ADAccountResultantPasswordReplicationPolicy    activedirectory       

Cmdlet          Get-ADDefaultDomainPasswordPolicy                  activedirectory       

Cmdlet          Get-ADDomainControllerPasswordReplicationPolicy    activedirectory       

Cmdlet          Get-ADDomainControllerPasswordReplicationPolicy… activedirectory       

Cmdlet          Get-ADFineGrainedPasswordPolicy                    activedirectory       

Cmdlet          Get-ADFineGrainedPasswordPolicySubject             activedirectory       

Cmdlet          Get-ADUserResultantPasswordPolicy                  activedirectory       

Cmdlet          New-ADFineGrainedPasswordPolicy                    activedirectory       

Cmdlet          Remove-ADDomainControllerPasswordReplicationPolicy activedirectory       

Cmdlet          Remove-ADFineGrainedPasswordPolicy                 activedirectory       

Cmdlet          Remove-ADFineGrainedPasswordPolicySubject          activedirectory       

Cmdlet          Reset-ADServiceAccountPassword                     activedirectory       

Cmdlet          Reset-ComputerMachinePassword                      Microsoft.PowerShell…

Cmdlet          Set-ADAccountPassword                              activedirectory       

Cmdlet          Set-ADDefaultDomainPasswordPolicy                  activedirectory       

Cmdlet          Set-ADFineGrainedPasswordPolicy                    activedirectory        It does not take too much imagination to find the cmdlet I need. It is the Get-ADDefaultDomainPasswordPolicy cmdlet. It works, by default, against my local domain. Here is the command and the results:

PS C:> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled           : False

DistinguishedName           : DC=NWTraders,DC=com

LockoutDuration             : 00:15:00

LockoutObservationWindow    : 00:15:00

LockoutThreshold            : 5

MaxPasswordAge              : 00:00:00

MinPasswordAge              : 00:00:00

MinPasswordLength           : 1

objectClass                 : {domainDNS}

objectGuid                  : f8d7dfc5-37ef-4f0b-a106-c1de59439a58

PasswordHistoryCount        : 0

ReversibleEncryptionEnabled : False As it turns out, there is some bad news…and some worse news. The bad news is that password complexity is not enabled. The worse news is that the minimum password length is 1. Can you say “double dude”!! Luckily, I can fix this.

Enable password complexity

As one might suspect, if the Get-ADDefaultDomainPasswordPolicy cmdlet retrieves the default domain password policy, the Set-ADDefaultDomainPasswordPolicy cmdlet configures it. But the Get-ADDefaultDomainPasswordPolicy cmdlet was very easy to use, and unfortunately, the Set-ADDefaultDomainPasswordPolicy cmdlet is finicky. First of all, I need to specify the domain to work with in the –Identity parameter. Because the Get-ADDefaultDomainPasswordPolicy cmdlet automatically retrieves the current domain doesn’t mean that the Set-ADDefaultDomainPasswordPolicy cmdlet will automatically set the password policy on the current domain. In addition, even though the –ComplexityEnabled parameter may look like it is a switched parameter, it is not. It accepts a Boolean value. Therefore, I need to supply $true or $false to it. Remember, this is not a switched parameter—it is a normal parameter that accepts a Boolean value as an argument. Here is the syntax to enable password complexity on the NWTraders.com domain:

Set-ADDefaultDomainPasswordPolicy -ComplexityEnabled $true -Identity nwtraders.com Nothing returns from this command, so I use the Get-ADDefaultDomainPasswordPolicy cmdlet to confirm the change. It immediately returns the following results:

PS C:> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled           : True

DistinguishedName           : DC=NWTraders,DC=com

LockoutDuration             : 00:15:00

LockoutObservationWindow    : 00:15:00

LockoutThreshold            : 5

MaxPasswordAge              : 00:00:00

MinPasswordAge              : 00:00:00

MinPasswordLength           : 1

objectClass                 : {domainDNS}

objectGuid                  : f8d7dfc5-37ef-4f0b-a106-c1de59439a58

PasswordHistoryCount        : 0

ReversibleEncryptionEnabled : False Cool. Now I need to set the minimum password length. Here is the command I use to do that:

Set-ADDefaultDomainPasswordPolicy -MinPasswordLength 7 -Identity nwtraders.com Once again, I check the output:

PS C:> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled           : True

DistinguishedName           : DC=NWTraders,DC=com

LockoutDuration             : 00:15:00

LockoutObservationWindow    : 00:15:00

LockoutThreshold            : 5

MaxPasswordAge              : 00:00:00

MinPasswordAge              : 00:00:00

MinPasswordLength           : 7

objectClass                 : {domainDNS}

objectGuid                  : f8d7dfc5-37ef-4f0b-a106-c1de59439a58

PasswordHistoryCount        : 0

ReversibleEncryptionEnabled : False Gro-oo-v-vy. Of course I can do all of this in a single command—and more. Here is an example of such a command (this is a single-line command that wraps in the blog format—no line breaks have been introduced).

Set-ADDefaultDomainPasswordPolicy -Identity Nwtraders.com -ComplexityEnabled $true -MinPasswordLength 7 -MinPasswordAge 1 -MaxPasswordAge 30 -LockoutDuration 00:30:00 -LockoutObservationWindow 00:30:00 -LockoutThreshold 3 And again, I can check my results:

PS C:> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled           : True

DistinguishedName           : DC=NWTraders,DC=com

LockoutDuration             : 00:30:00

LockoutObservationWindow    : 00:30:00

LockoutThreshold            : 3

MaxPasswordAge              : 00:00:00.0000030

MinPasswordAge              : 00:00:00.0000001

MinPasswordLength           : 7

objectClass                 : {domainDNS}

objectGuid                  : f8d7dfc5-37ef-4f0b-a106-c1de59439a58

PasswordHistoryCount        : 0

ReversibleEncryptionEnabled : False JB, that is all there is to using Windows PowerShell to configure the default domain password policy. Active Directory Week will continue tomorrow when I will talk about more cool stuff. I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace. Ed Wilson, Microsoft Scripting Guy 

0 comments

Discussion is closed.

Feedback usabilla icon