Powershell – Viewing and Setting the Default Domain Password Policy

Tags

Powershell

Oh goody ! Things got easier again thanks to Powershell 🙂

Do you need to fiddle with the Password Policy on the Domain?  Or do you deploy domains on a regular basis in the field?

If you have Server 2008R2 in the backend with new Active Directory Modules, this is a COMMAND now to edit it.

You can still use Group Policy but isn’t it nice to just “Call it up and Change it?”

With ActiveDirectory Modules you have two beautiful new commands.

 

Get-ADDefaultDomainPasswordPolicy and Set-ADDefaultDomainPasswordPolicy

 

Running “Get-ADDefaultDomainPasswordPolicy” (as it suggests) will show you the present configuration of the password policy, like so

PS C:> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled                 : True
DistinguishedName                 : DC=Contoso,DC=local
LockoutDuration                     : 00:90:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold                   : 2
MaxPasswordAge                    : 10.00:00:00
MinPasswordAge                     : 5.00:00:00
MinPasswordLength                : 17
objectClass                             : {domainDNS}
objectGuid                             : 12345678-1234-1234-1234-123456789012
PasswordHistoryCount             : 140
ReversibleEncryptionEnabled    : True

 

As we can see from this Policy, we have a real BOFH on our hands running the network with a history of 150 different passwords, 17 Character minimums, Lockouts after 2 attempts!

Which is we he was fired and now your job is to fix this quickly since every user is outside your office with burning torches to take out the IT Department!

But since YOU know Powershell and have Server 2008R2 in the back end, this is not a problem.   Grab the configuration and store it…

$MESSYPOLICY=Get-ADDefaultDomainPasswordPolicy

…and then just set the options you want the way you want it

$MESSYPOLICY.ComplexityEnabled=True
$MESSYPOLICY.LockoutThreshold=10
$MESSYPOLICY.MinPasswordLength=8
$MESSYPOLICY.PasswordHistoryCount=10

Set-ADDefaultDomainPasswordPolicy $MESSYPOLICY

There! with just a few easy to type settings you have held back the masses!  A more reasonable lockout of 10 attempts, an 8 character password length and only 10 remembered!

Your life saved all thanks to Powershell and Server 2008R2 !

Sean
The Energized Tech

Advertisements