{"id":5221,"date":"2015-07-01T00:01:00","date_gmt":"2015-07-01T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2015\/07\/01\/use-windows-powershell-to-configure-domain-password-policy\/"},"modified":"2019-02-18T09:47:15","modified_gmt":"2019-02-18T16:47:15","slug":"use-windows-powershell-to-configure-domain-password-policy","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-windows-powershell-to-configure-domain-password-policy\/","title":{"rendered":"Use Windows PowerShell to Configure Domain Password Policy"},"content":{"rendered":"

Summary<\/b>: Ed Wilson, Microsoft Scripting Guy, talks about using Windows PowerShell to configure the default domain password policy.<\/span>\n\"Hey, Hey, Scripting Guy! I need some help. I need to get the default domain password policy, but I do not want to mess around with the Group Policy MMC. Instead, I would like to have objects I can use, and then make some decisions based on what I find. Can you help?\n—JB\n\"Hey, Hello JB,\nMicrosoft Scripting Guy, Ed Wilson, is here. The good news is that the temperature today is only 80 degrees Fahrenheit. The bad news is that dew point is about 78, so the resultant relative humidity is about 92%. Oh well. It is wonderful weather for a nice cup of Darjeeling tea, a bit of local wildflower honey, and a slice of lemon. With some fresh locally grown mangos, I readily forget the high humidity. I have Stevie Ray Vaughn cranked up on my Zune, and I am checking the email sent to scripter@microsoft.com<\/a>.\nJB, the good news for you is that the Active Directory module has all the tools you need to retrieve the default domain password policy, and even make changes to it.\nThe first thing to do is to retrieve the default domain password policy. Luckily, all you need to do is to find the appropriate Windows PowerShell cmdlet.<\/p>\n

Note <\/b> If you do not have the Active Directory module installed on your local computer, you can access any remote computer that has it installed, and open a remote Windows PowerShell session.\nWhen I don’t know a specific cmdlet name, I use the Get-Command<\/b> cmdlet and search for it. To find my password cmdlets, I use the following command:<\/p>\n

PS C:> gcm -Noun *password*<\/p>\n

CommandType               Name                                             ModuleName            <\/p>\n

———–                            —-                                                 ———-            <\/p>\n

Cmdlet          Add-ADDomainControllerPasswordReplicationPolicy    activedirectory       <\/p>\n

Cmdlet          Add-ADFineGrainedPasswordPolicySubject             activedirectory       <\/p>\n

Cmdlet          Get-ADAccountResultantPasswordReplicationPolicy    activedirectory       <\/p>\n

Cmdlet          Get-ADDefaultDomainPasswordPolicy                  activedirectory       <\/p>\n

Cmdlet          Get-ADDomainControllerPasswordReplicationPolicy    activedirectory       <\/p>\n

Cmdlet          Get-ADDomainControllerPasswordReplicationPolicy… activedirectory       <\/p>\n

Cmdlet          Get-ADFineGrainedPasswordPolicy                    activedirectory       <\/p>\n

Cmdlet          Get-ADFineGrainedPasswordPolicySubject             activedirectory       <\/p>\n

Cmdlet          Get-ADUserResultantPasswordPolicy                  activedirectory       <\/p>\n

Cmdlet          New-ADFineGrainedPasswordPolicy                    activedirectory       <\/p>\n

Cmdlet          Remove-ADDomainControllerPasswordReplicationPolicy activedirectory       <\/p>\n

Cmdlet          Remove-ADFineGrainedPasswordPolicy                 activedirectory       <\/p>\n

Cmdlet          Remove-ADFineGrainedPasswordPolicySubject          activedirectory       <\/p>\n

Cmdlet          Reset-ADServiceAccountPassword                     activedirectory       <\/p>\n

Cmdlet          Reset-ComputerMachinePassword                      Microsoft.PowerShell…<\/p>\n

Cmdlet          Set-ADAccountPassword                              activedirectory       <\/p>\n

Cmdlet          Set-ADDefaultDomainPasswordPolicy                  activedirectory       <\/p>\n

Cmdlet          Set-ADFineGrainedPasswordPolicy                    activedirectory       \nIt does not take too much imagination to find the cmdlet I need. It is the <\/span>Get-ADDefaultDomainPasswordPolicy <\/b>cmdlet. It works, by default, against my local domain. Here is the command and the results:<\/span><\/p>\n

PS C:> Get-ADDefaultDomainPasswordPolicy<\/p>\n

ComplexityEnabled           : False<\/p>\n

DistinguishedName           : DC=NWTraders,DC=com<\/p>\n

LockoutDuration             : 00:15:00<\/p>\n

LockoutObservationWindow    : 00:15:00<\/p>\n

LockoutThreshold            : 5<\/p>\n

MaxPasswordAge              : 00:00:00<\/p>\n

MinPasswordAge              : 00:00:00<\/p>\n

MinPasswordLength           : 1<\/p>\n

objectClass                 : {domainDNS}<\/p>\n

objectGuid                  : f8d7dfc5-37ef-4f0b-a106-c1de59439a58<\/p>\n

PasswordHistoryCount        : 0<\/p>\n

ReversibleEncryptionEnabled : False\nAs it turns out, there is some bad news…and some worse news. The bad news is that password complexity is not enabled. The worse news is that the minimum password length is 1. Can you say “double dude”!!\nLuckily, I can fix this.<\/p>\n

Enable password complexity<\/h2>\n

As one might suspect, if the Get-ADDefaultDomainPasswordPolicy<\/b> cmdlet retrieves the default domain password policy, the Set-ADDefaultDomainPasswordPolicy<\/b> cmdlet configures it. But the Get-ADDefaultDomainPasswordPolicy<\/b> cmdlet was very easy to use, and unfortunately, the Set-ADDefaultDomainPasswordPolicy <\/b>cmdlet is finicky.\nFirst of all, I need to specify the domain to work with in the –Identity<\/b> parameter. Because the Get-ADDefaultDomainPasswordPolicy <\/b>cmdlet automatically retrieves the current domain doesn’t mean that the Set-ADDefaultDomainPasswordPolicy<\/b> cmdlet will automatically set the password policy on the current domain.\nIn addition, even though the –ComplexityEnabled<\/b> parameter may look like it is a switched parameter, it is not. It accepts a Boolean value. Therefore, I need to supply $true<\/b> or $false<\/b> to it. Remember, this is not a switched parameter—it is a normal parameter that accepts a Boolean value as an argument. Here is the syntax to enable password complexity on the NWTraders.com domain:<\/p>\n

Set-ADDefaultDomainPasswordPolicy -ComplexityEnabled $true -Identity nwtraders.com\nNothing returns from this command, so I use the Get-ADDefaultDomainPasswordPolicy<\/b> cmdlet to confirm the change. It immediately returns the following results:<\/p>\n

PS C:> Get-ADDefaultDomainPasswordPolicy<\/p>\n

ComplexityEnabled           : True<\/span><\/p>\n

DistinguishedName           : DC=NWTraders,DC=com<\/p>\n

LockoutDuration             : 00:15:00<\/p>\n

LockoutObservationWindow    : 00:15:00<\/p>\n

LockoutThreshold            : 5<\/p>\n

MaxPasswordAge              : 00:00:00<\/p>\n

MinPasswordAge              : 00:00:00<\/p>\n

MinPasswordLength           : 1<\/p>\n

objectClass                 : {domainDNS}<\/p>\n

objectGuid                  : f8d7dfc5-37ef-4f0b-a106-c1de59439a58<\/p>\n

PasswordHistoryCount        : 0<\/p>\n

ReversibleEncryptionEnabled : False\nCool. Now I need to set the minimum password length. Here is the command I use to do that:<\/span><\/p>\n

Set-ADDefaultDomainPasswordPolicy -MinPasswordLength 7 -Identity nwtraders.com\nOnce again, I check the output:<\/p>\n

PS C:> Get-ADDefaultDomainPasswordPolicy<\/p>\n

ComplexityEnabled           : True<\/p>\n

DistinguishedName           : DC=NWTraders,DC=com<\/p>\n

LockoutDuration             : 00:15:00<\/p>\n

LockoutObservationWindow    : 00:15:00<\/p>\n

LockoutThreshold            : 5<\/p>\n

MaxPasswordAge              : 00:00:00<\/p>\n

MinPasswordAge              : 00:00:00<\/p>\n

MinPasswordLength           : 7<\/p>\n

objectClass                 : {domainDNS}<\/p>\n

objectGuid                  : f8d7dfc5-37ef-4f0b-a106-c1de59439a58<\/p>\n

PasswordHistoryCount        : 0<\/p>\n

ReversibleEncryptionEnabled : False\nGro-oo-v-vy.\nOf course I can do all of this in a single command—and more. Here is an example of such a command (this is a single-line command that wraps in the blog format—no line breaks have been introduced).<\/p>\n

Set-ADDefaultDomainPasswordPolicy -Identity Nwtraders.com -ComplexityEnabled $true -MinPasswordLength 7 -MinPasswordAge 1 -MaxPasswordAge 30 -LockoutDuration 00:30:00 -LockoutObservationWindow 00:30:00 -LockoutThreshold 3\nAnd again, I can check my results:<\/p>\n

PS C:> Get-ADDefaultDomainPasswordPolicy<\/p>\n

ComplexityEnabled           : True<\/p>\n

DistinguishedName           : DC=NWTraders,DC=com<\/p>\n

LockoutDuration             : 00:30:00<\/p>\n

LockoutObservationWindow    : 00:30:00<\/p>\n

LockoutThreshold            : 3<\/p>\n

MaxPasswordAge              : 00:00:00.0000030<\/p>\n

MinPasswordAge              : 00:00:00.0000001<\/p>\n

MinPasswordLength           : 7<\/p>\n

objectClass                 : {domainDNS}<\/p>\n

objectGuid                  : f8d7dfc5-37ef-4f0b-a106-c1de59439a58<\/p>\n

PasswordHistoryCount        : 0<\/p>\n

ReversibleEncryptionEnabled : False\nJB, that is all there is to using Windows PowerShell to configure the default domain password policy. Active Directory Week will continue tomorrow when I will talk about more cool stuff.\nI invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.\nEd Wilson, Microsoft Scripting Guy<\/b> <\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Ed Wilson, Microsoft Scripting Guy, talks about using Windows PowerShell to configure the default domain password policy.  Hey, Scripting Guy! I need some help. I need to get the default domain password policy, but I do not want to mess around with the Group Policy MMC. Instead, I would like to have objects I […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5221","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting"],"acf":[],"blog_post_summary":"

Summary: Ed Wilson, Microsoft Scripting Guy, talks about using Windows PowerShell to configure the default domain password policy.  Hey, Scripting Guy! I need some help. I need to get the default domain password policy, but I do not want to mess around with the Group Policy MMC. Instead, I would like to have objects I […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/5221","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=5221"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/5221\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=5221"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=5221"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=5221"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}