July 2nd, 2015

Using PowerShell to Check Lockout Threshold for Domains

Doctor Scripto
Scripter

Summary: Ed Wilson, Microsoft Scripting Guy, talks about using Windows PowerShell to check the lockout threshold for several domains.

Hey, Scripting Guy! I have several domains in our forest, and it seems that some weasel got in and changed the lockout threshold in some of the child domains. I know we should have turned on auditing, but we did not. What I need right now is a way to find all of the domains that have been changed.

—MB

Hello MB,

Microsoft Scripting Guy, Ed Wilson, is here. This weekend, there is a battle-of-the-bands going on in downtown Charlotte. I am thinking that the Scripting Wife and I may head down there. If we are lucky, they may play "Heard it Through the Pipeline" or "Highway to PowerShell."

MB, luckily, it is fairly easy to accomplish what you want to do. Here is an example you can use that would work for any property of the default domain password policy you want to check, not only the lockout threshold.

Get the domains in the forest

The first thing to do is to get a list of all of the domains in the forest. To do this, I can use the Get-ADForest cmdlet, and select only the domains. After I do that, I walk through the domains, get the default domain password policy for each domain, and compare it to a reference policy. When I have the comparison, I create a custom object for each domain policy that does not match. Here is how I go about it:

Import-Module ActiveDirectory
$default = Get-ADDefaultDomainPasswordPolicy -Identity nwtraders.com
Foreach ($domain in (Get-ADForest).domains)

I like to import the Active Directory module directly because it is a bit faster than relying on module auto-loading to look it up. Besides, I know that I am going to be using the Active Directory module, so it certainly does not hurt to import it. Next I read the default domain password policy from the domain that I know is correct, store it in a variable I call $default, and then get my collection of domains from the Domains property of the forest object.

Check each domain

Now I need to get the default password policy for each domain in my collection of domains. I then use the Compare-Object cmdlet to compare the default policy with what I retrieved from the current domain. I am only comparing the LockOutThreshold. Here is the code that does this:

$p = Get-ADDefaultDomainPasswordPolicy -Identity $domain
$diff = Compare-Object -ReferenceObject $default -DifferenceObject `
  $p -Property lockoutthreshold -PassThru

Because I use the -PassThru parameter, Compare-Object returns the actual policy objects rather than just the compared property values, each tagged with a SideIndicator property, and those objects return to the $diff variable I specified. When the thresholds differ, $diff holds two objects: the reference policy, tagged '<=', and the policy of the domain I am checking, tagged '=>'. I walk through each of the objects stored in $diff and look for the side indicator '=>', because that is the object that carries the name and lockout threshold of the domain that differs. (Picking '<=' instead would report the reference domain's own distinguished name and threshold for every mismatch, which tells you nothing about which child domain was changed.) When I find it, I grab the domain name and the lockout threshold and create a custom object. This code is shown here:

Foreach ($d in $diff)
     {if($d.sideindicator -eq '=>')
      {[pscustomobject]@{
       'DomainName' = $d.distinguishedname ;
       'LockOutThreshold' = $d.LockoutThreshold}}}

The complete script appears here:

Import-Module ActiveDirectory

# Default domain password policy of the domain known to be correct
$default = Get-ADDefaultDomainPasswordPolicy -Identity nwtraders.com

Foreach ($domain in (Get-ADForest).domains)
{
 $p = Get-ADDefaultDomainPasswordPolicy -Identity $domain
 $diff = Compare-Object -ReferenceObject $default -DifferenceObject `
  $p -Property lockoutthreshold -PassThru
   # '=>' marks the object from the DifferenceObject side: the policy of $domain
   Foreach ($d in $diff)
     {if($d.sideindicator -eq '=>')
      {[pscustomobject]@{
       'DomainName' = $d.distinguishedname ;
       'LockOutThreshold' = $d.LockoutThreshold}}}}

MB, that is all there is to using Windows PowerShell to check Active Directory domain password policies. Keep in mind that this compares the default domain policy only: a LockoutThreshold of 0 means accounts in that domain never lock out, and fine-grained password policies can override the default policy for the users and groups they apply to, so those are worth a look as well. Active Directory Week will continue tomorrow when I will talk about more cool stuff. I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy
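The following is an added example, not Ed's script and not part of the original post. It goes further than the script above in three ways: it compares all three lockout settings (LockoutThreshold, LockoutDuration, LockoutObservationWindow) against the reference domain, it lists the fine-grained password policies that override the default policy in each domain, and, because MB has no auditing, it reads the replication metadata of the lockoutThreshold attribute on each domain head to show when the value was last changed and on which domain controller that write originated. The reference domain name nwtraders.com is taken from the post; the function name Get-LockoutPolicyDrift is my own. It assumes the Active Directory module from Windows Server 2012 or later RSAT, which is where Get-ADReplicationAttributeMetadata appeared, and read access to each domain's domain head.

```powershell
# Added example (not from the original post). Reports lockout-policy drift across
# the forest, fine-grained policies that override it, and replication metadata
# for the last change to lockoutThreshold.
# Assumptions: AD module from Windows Server 2012 or later RSAT
# (Get-ADReplicationAttributeMetadata), and rights to read each domain head.
Import-Module ActiveDirectory

function Get-LockoutPolicyDrift {
    [CmdletBinding()]
    param(
        # Domain whose default domain password policy is the known-good reference.
        [Parameter(Mandatory)]
        [string]$ReferenceDomain
    )

    $props     = 'LockoutThreshold', 'LockoutDuration', 'LockoutObservationWindow'
    $reference = Get-ADDefaultDomainPasswordPolicy -Identity $ReferenceDomain

    foreach ($domain in (Get-ADForest).Domains) {
        # Query a DC of the domain itself (the PDC emulator) rather than letting
        # the cmdlet pick one, so every domain is read from an authoritative source.
        $dc     = (Get-ADDomain -Identity $domain).PDCEmulator
        $policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain -Server $dc

        # Compare each lockout property with the reference; collect the ones that differ.
        $drift = foreach ($prop in $props) {
            if ($policy.$prop -ne $reference.$prop) {
                '{0}: {1} (reference {2})' -f $prop, $policy.$prop, $reference.$prop
            }
        }

        # lockoutThreshold is an attribute of the domain NC head. Its replication
        # metadata records the last originating write: the time and the DC it was
        # written on, but not the account that wrote it (that needs auditing).
        $meta = Get-ADReplicationAttributeMetadata -Object $policy.DistinguishedName -Server $dc |
            Where-Object AttributeName -eq 'lockoutThreshold'

        # Fine-grained password policies (PSOs) override the default domain policy
        # for the principals in AppliesTo, so a clean default policy is not the whole story.
        $psos = Get-ADFineGrainedPasswordPolicy -Filter * -Server $dc |
            ForEach-Object { '{0} (precedence {1}, threshold {2})' -f $_.Name, $_.Precedence, $_.LockoutThreshold }

        [pscustomobject]@{
            Domain               = $domain
            LockoutThreshold     = $policy.LockoutThreshold
            LockoutDisabled      = ($policy.LockoutThreshold -eq 0)   # 0 = accounts never lock out
            MatchesReference     = (-not $drift)
            Drift                = $drift -join '; '
            ThresholdLastChanged = $meta.LastOriginatingChangeTime
            ThresholdChangedOnDC = $meta.LastOriginatingChangeDirectoryServerIdentity
            FineGrainedPolicies  = $psos -join '; '
        }
    }
}

# Usage: show only the domains that deviate from the reference or have lockout turned off.
Get-LockoutPolicyDrift -ReferenceDomain nwtraders.com |
    Where-Object { -not $_.MatchesReference -or $_.LockoutDisabled } |
    Format-Table Domain, LockoutThreshold, LockoutDisabled, Drift, ThresholdLastChanged, ThresholdChangedOnDC -AutoSize
```

Drop the Where-Object filter to get one row per domain, including the ones that match. The LastOriginatingChangeDirectoryServerIdentity value is the DN of the originating DC's NTDS Settings object, which narrows down where to look for other traces of the change even without security auditing; the FineGrainedPolicies column is worth reading in full for any domain where the default policy looks fine but a PSO carries a threshold of 0.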

Author

The "Scripting Guys" is a historical title passed from scripter to scripter. The current revision has morphed into our good friend Doctor Scripto who has been with us since the very beginning.
