This function reads policy information from a domain header: Get-ADDomainAccountPolicies<\/a>.<\/p>\n Here’s how to get the Account Lockout Policy settings. First, connect to the RootDSE<\/a> of a domain controller:<\/p>\n $RootDSE = Get-ADRootDSE -Server $Domain<\/p>\n Use Get-ADObject<\/b> to retrieve properties from the domain naming context (defaultNamingContext<\/b>):<\/p>\n $AccountPolicy = Get-ADObject $RootDSE.defaultNamingContext -Property lockoutDuration, lockoutObservationWindow, lockoutThreshold <\/p>\n Next, produce a customized output representing the policy.<\/p>\n $AccountPolicy | Select @{n="PolicyType";e={"Account Lockout"}},`<\/p>\n DistinguishedName,`<\/p>\n @{n="lockoutDuration";e={"$($_.lockoutDuration \/ -600000000) minutes"}},`<\/p>\n @{n="lockoutObservationWindow";e={"$($_.lockoutObservationWindow \/ -600000000) minutes"}},`<\/p>\n lockoutThreshold | Format-List<\/p>\n Select-Object<\/b> displays some standard properties: DistinguishedName<\/b> and LockoutThreshold<\/b>. It also displays some custom properties constructed with the aid of two hash tables. Let’s look at the format of the lockout duration value: <\/p>\n @{n="lockoutDuration";e={"$($_.lockoutDuration \/ -600000000) minutes"}}<\/p>\n What’s the expression doing? The LockoutDuration<\/b> property of the current object $_<\/b> is a negative 64-bit time value interval expressed in nanoseconds. This is divided by -600000000 to give a positive value in minutes. This calculation is performed as part of a subexpression, which is recognized by this notation: ‘$( )’<\/b>. The code in brackets is calculated first. The returned value is then added to a string where minutes<\/b> is appended and stored as the value associated with e<\/b>.<\/p>\n We now have a hash table with two elements, n<\/b> and e<\/b>, that Select-Object<\/b> recognizes and formats into a display property to the console screen. The previous process also applies to the LockoutObservationWindow<\/b> value.<\/p>\n Here’s some sample output:<\/p>\n Again, use Get-ADObject<\/b> to retrieve properties from the domain naming context:<\/p>\n $PasswordPolicy = Get-ADObject $RootDSE.defaultNamingContext -Property minPwdAge, maxPwdAge, minPwdLength, pwdHistoryLength, pwdProperties <\/p>\n Next, produce a customized output that represents the policy:<\/p>\n $PasswordPolicy | Select @{n="PolicyType";e={"Password"}},`<\/p>\n DistinguishedName,`<\/p>\n @{n="minPwdAge";e={"$($_.minPwdAge \/ -864000000000) days"}},`<\/p>\n @{n="maxPwdAge";e={"$($_.maxPwdAge \/ -864000000000) days"}},`<\/p>\n minPwdLength,`<\/p>\n pwdHistoryLength,`<\/p>\n @{n="pwdProperties";e={Switch ($_.pwdProperties) {<\/p>\n 0 {"Passwords can be simple and the administrator account cannot be locked out"}<\/p>\n 1 {"Passwords must be complex and the administrator account cannot be locked out"}<\/p>\n 8 {"Passwords can be simple, and the administrator account can be locked out"}<\/p>\n 9 {"Passwords must be complex, and the administrator account can be locked out"}<\/p>\n Default {$_.pwdProperties}}}}<\/p>\n We’re doing similar stuff here with the hash tables, except that we calculate days, not minutes, from the negative nanosecond value.<\/p>\n For the last value returned, we’re taking $_.pwdProperties<\/b> and attempting to match it to a known value by using a Switch<\/b> statement. For example, if $_.pwdPropeties<\/b> is 8, then the value associated with e<\/b> will be "Passwords can be simple, and the administrator account can be locked out."<\/p>\n Here is a sample output:<\/p>\n Not the prettiest function, but certainly effective!<\/p>\n You can download the entire function from the Script Center Repository: Get-ADDomainAccountPolicies Function<\/a>.<\/p>\n ~Ian<\/p>\n Thank you, Ian, for once again sharing your time and knowledge.<\/p>\n I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n Ed Wilson, Microsoft Scripting Guy<\/b><\/p>\n","protected":false},"excerpt":{"rendered":" Summary: Microsoft guest blogger and PFE, Ian Farr, talks about using Windows PowerShell to get account lockout and password policies. Microsoft Scripting Guy, Ed Wilson, is here. Welcome back guest blogger, Ian Farr. Ian is a Microsoft PFE in the UK. Recently, I was asked how to retrieve a domain’s Account Lockout Policy and Password […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,56,472,3,198,45],"class_list":["post-2258","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-guest-blogger","tag-ian-farr","tag-scripting-guy","tag-users","tag-windows-powershell"],"acf":[],"blog_post_summary":" Summary: Microsoft guest blogger and PFE, Ian Farr, talks about using Windows PowerShell to get account lockout and password policies. Microsoft Scripting Guy, Ed Wilson, is here. Welcome back guest blogger, Ian Farr. Ian is a Microsoft PFE in the UK. Recently, I was asked how to retrieve a domain’s Account Lockout Policy and Password […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/2258","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=2258"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/2258\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=2258"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=2258"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=2258"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Account Lockout Policy<\/b><\/h2>\n
\n
![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-1-9-14-1.png\" "\\"Image")
<\/a><\/p>\nPassword Policy<\/b><\/h2>\n
![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-1-9-14-2.png\" "\\"Image")
<\/a><\/p>\n