Summary: Ed Wilson, Microsoft Scripting Guy, talks about using Windows PowerShell to configure the default domain password policy.
Hey, Scripting Guy! I need some help. I need to get the default domain password policy, but I do not want to mess around with the Group Policy MMC. Instead, I would like to have objects I can use, and then make some decisions based on what I find. Can you help?
—JB
Hello JB,
Microsoft Scripting Guy, Ed Wilson, is here. The good news is that the temperature today is only 80 degrees Fahrenheit. The bad news is that the dew point is about 78, so the resultant relative humidity is about 92%. Oh well. It is wonderful weather for a nice cup of Darjeeling tea, a bit of local wildflower honey, and a slice of lemon. With some fresh locally grown mangos, I readily forget the high humidity. I have Stevie Ray Vaughan cranked up on my Zune, and I am checking the email sent to scripter@microsoft.com.
JB, the good news for you is that the Active Directory module has all the tools you need to retrieve the default domain password policy, and even make changes to it.
The first thing to do is to retrieve the default domain password policy. Luckily, all you need to do is to find the appropriate Windows PowerShell cmdlet.
Note If you do not have the Active Directory module installed on your local computer, you can install it as part of the Remote Server Administration Tools, or you can open a remote Windows PowerShell session to a computer that has it installed, such as a domain controller.
When I don’t know a specific cmdlet name, I use the Get-Command cmdlet and search for it. To find my password cmdlets, I use the following command:
PS C:\> gcm -Noun *password*

CommandType     Name                                                  ModuleName
-----------     ----                                                  ----------
Cmdlet          Add-ADDomainControllerPasswordReplicationPolicy       activedirectory
Cmdlet          Add-ADFineGrainedPasswordPolicySubject                activedirectory
Cmdlet          Get-ADAccountResultantPasswordReplicationPolicy       activedirectory
Cmdlet          Get-ADDefaultDomainPasswordPolicy                     activedirectory
Cmdlet          Get-ADDomainControllerPasswordReplicationPolicy       activedirectory
Cmdlet          Get-ADDomainControllerPasswordReplicationPolicy...    activedirectory
Cmdlet          Get-ADFineGrainedPasswordPolicy                       activedirectory
Cmdlet          Get-ADFineGrainedPasswordPolicySubject                activedirectory
Cmdlet          Get-ADUserResultantPasswordPolicy                     activedirectory
Cmdlet          New-ADFineGrainedPasswordPolicy                       activedirectory
Cmdlet          Remove-ADDomainControllerPasswordReplicationPolicy    activedirectory
Cmdlet          Remove-ADFineGrainedPasswordPolicy                    activedirectory
Cmdlet          Remove-ADFineGrainedPasswordPolicySubject             activedirectory
Cmdlet          Reset-ADServiceAccountPassword                        activedirectory
Cmdlet          Reset-ComputerMachinePassword                         Microsoft.PowerShell...
Cmdlet          Set-ADAccountPassword                                 activedirectory
Cmdlet          Set-ADDefaultDomainPasswordPolicy                     activedirectory
Cmdlet          Set-ADFineGrainedPasswordPolicy                       activedirectory
It does not take too much imagination to find the cmdlet I need. It is the Get-ADDefaultDomainPasswordPolicy cmdlet. It works, by default, against my local domain. Here is the command and the results:
PS C:\> Get-ADDefaultDomainPasswordPolicy
ComplexityEnabled : False
DistinguishedName : DC=NWTraders,DC=com
LockoutDuration : 00:15:00
LockoutObservationWindow : 00:15:00
LockoutThreshold : 5
MaxPasswordAge : 00:00:00
MinPasswordAge : 00:00:00
MinPasswordLength : 1
objectClass : {domainDNS}
objectGuid : f8d7dfc5-37ef-4f0b-a106-c1de59439a58
PasswordHistoryCount : 0
ReversibleEncryptionEnabled : False
As it turns out, there is some bad news...and some worse news. The bad news is that password complexity is not enabled. The worse news is that the minimum password length is 1. And it does not stop there: a PasswordHistoryCount of 0 means a user can reuse the same password forever, and a MaxPasswordAge of 00:00:00 means passwords never expire. Can you say "double dude"!!
Luckily, I can fix this.
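JB asked for objects to make decisions on, so here is an added example (mine, not code from the original post) that turns the policy object into one finding per setting. It assumes the ActiveDirectory module is available when run against a live domain; the thresholds in the rules are illustrative values, not a standard, and the weak policy at the bottom is a constructed object so the script also runs offline.

```powershell
# Added example (not from the original post): evaluate the default domain
# password policy as objects and return one finding per setting, so a script can
# decide what to do next. Assumes the ActiveDirectory module is available when
# run against a live domain; the threshold values are illustrative, not a standard.

# Each rule names the setting, states the expectation in words, and holds a
# test that returns $true when the actual value is acceptable.
$PolicyRules = @(
    @{ Name = 'ComplexityEnabled';           Expect = 'True';          Test = { param($v) $v -eq $true } }
    @{ Name = 'ReversibleEncryptionEnabled'; Expect = 'False';         Test = { param($v) $v -eq $false } }
    @{ Name = 'MinPasswordLength';           Expect = '>= 14';         Test = { param($v) $v -ge 14 } }
    @{ Name = 'PasswordHistoryCount';        Expect = '>= 24';         Test = { param($v) $v -ge 24 } }
    @{ Name = 'MinPasswordAge';              Expect = '>= 1 day';      Test = { param($v) $v -ge [timespan]'1.00:00:00' } }
    # 00:00:00 means passwords never expire, so zero fails this rule too.
    @{ Name = 'MaxPasswordAge';              Expect = '1..365 days';   Test = { param($v) $v -gt [timespan]::Zero -and $v -le [timespan]'365.00:00:00' } }
    # A threshold of 0 disables lockout, leaving accounts open to online guessing.
    @{ Name = 'LockoutThreshold';            Expect = '1..10';         Test = { param($v) $v -ge 1 -and $v -le 10 } }
    @{ Name = 'LockoutDuration';             Expect = '>= 15 minutes'; Test = { param($v) $v -ge [timespan]'00:15:00' } }
    @{ Name = 'LockoutObservationWindow';    Expect = '>= 15 minutes'; Test = { param($v) $v -ge [timespan]'00:15:00' } }
)

function Test-DefaultDomainPasswordPolicy {
    [CmdletBinding()]
    param(
        # Accepts the object from Get-ADDefaultDomainPasswordPolicy, or any object
        # exposing the same property names.
        [Parameter(Mandatory, ValueFromPipeline)][psobject]$Policy
    )
    process {
        foreach ($rule in $PolicyRules) {
            $actual = $Policy.($rule.Name)
            [pscustomobject]@{
                Domain   = $Policy.DistinguishedName
                Setting  = $rule.Name
                Actual   = $actual
                Expected = $rule.Expect
                Pass     = [bool](& $rule.Test $actual)
            }
        }
    }
}

# Live use, against the current domain:
#   Get-ADDefaultDomainPasswordPolicy | Test-DefaultDomainPasswordPolicy | Where-Object { -not $_.Pass }

# Offline demonstration: a constructed object (not a real domain) carrying the
# values from the first Get-ADDefaultDomainPasswordPolicy output in the post.
$weakPolicy = [pscustomobject]@{
    DistinguishedName           = 'DC=NWTraders,DC=com'
    ComplexityEnabled           = $false
    ReversibleEncryptionEnabled = $false
    MinPasswordLength           = 1
    PasswordHistoryCount        = 0
    MinPasswordAge              = [timespan]::Zero
    MaxPasswordAge              = [timespan]::Zero
    LockoutThreshold            = 5
    LockoutDuration             = [timespan]'00:15:00'
    LockoutObservationWindow    = [timespan]'00:15:00'
}
$findings = $weakPolicy | Test-DefaultDomainPasswordPolicy
$findings | Where-Object { -not $_.Pass } | Format-Table Setting, Actual, Expected -AutoSize
```

Because every rule returns an object with a Pass property, the same output feeds a report, a ticket, or the remediation step that follows. Against the values in the first output above, the failing settings are ComplexityEnabled, MinPasswordLength, PasswordHistoryCount, MinPasswordAge and MaxPasswordAge; the lockout threshold of 5 and the 15-minute windows pass these illustrative thresholds. The TimeSpan comparisons work because the age and lockout properties are TimeSpan objects, not strings, which is exactly why it is worth having the policy as an object rather than reading it out of the Group Policy MMC.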
Enable password complexity
As one might suspect, if the Get-ADDefaultDomainPasswordPolicy cmdlet retrieves the default domain password policy, the Set-ADDefaultDomainPasswordPolicy cmdlet configures it. But where the Get-ADDefaultDomainPasswordPolicy cmdlet was very easy to use, the Set-ADDefaultDomainPasswordPolicy cmdlet is finicky.
First of all, I need to specify the domain to work with in the –Identity parameter, which is mandatory. Just because the Get-ADDefaultDomainPasswordPolicy cmdlet automatically retrieves the current domain does not mean that the Set-ADDefaultDomainPasswordPolicy cmdlet will automatically set the password policy on the current domain. (The –Identity parameter does accept pipeline input, so piping the output of Get-ADDefaultDomainPasswordPolicy into Set-ADDefaultDomainPasswordPolicy is another way to name the domain.)
In addition, even though the –ComplexityEnabled parameter may look like a switch parameter, it is not. It accepts a Boolean value, so I need to supply $true or $false to it. Here is the syntax to enable password complexity on the NWTraders.com domain:
Set-ADDefaultDomainPasswordPolicy -ComplexityEnabled $true -Identity nwtraders.com
Nothing returns from this command, so I use the Get-ADDefaultDomainPasswordPolicy cmdlet to confirm the change. It immediately returns the following results:
PS C:\> Get-ADDefaultDomainPasswordPolicy
ComplexityEnabled : True
DistinguishedName : DC=NWTraders,DC=com
LockoutDuration : 00:15:00
LockoutObservationWindow : 00:15:00
LockoutThreshold : 5
MaxPasswordAge : 00:00:00
MinPasswordAge : 00:00:00
MinPasswordLength : 1
objectClass : {domainDNS}
objectGuid : f8d7dfc5-37ef-4f0b-a106-c1de59439a58
PasswordHistoryCount : 0
ReversibleEncryptionEnabled : False
Cool. Now I need to set the minimum password length. Here is the command I use to do that (7 is just the value used here to show the change; set the length your own standard calls for, which is generally a good deal longer today):
Set-ADDefaultDomainPasswordPolicy -MinPasswordLength 7 -Identity nwtraders.com
Once again, I check the output:
PS C:\> Get-ADDefaultDomainPasswordPolicy
ComplexityEnabled : True
DistinguishedName : DC=NWTraders,DC=com
LockoutDuration : 00:15:00
LockoutObservationWindow : 00:15:00
LockoutThreshold : 5
MaxPasswordAge : 00:00:00
MinPasswordAge : 00:00:00
MinPasswordLength : 7
objectClass : {domainDNS}
objectGuid : f8d7dfc5-37ef-4f0b-a106-c1de59439a58
PasswordHistoryCount : 0
ReversibleEncryptionEnabled : False
Gro-oo-v-vy.
Of course, I can do all of this in a single command, and more. One caveat applies: –MinPasswordAge, –MaxPasswordAge, –LockoutDuration, and –LockoutObservationWindow are TimeSpan parameters. A string such as 00:30:00 converts to a TimeSpan of thirty minutes, but a bare integer converts to that many ticks (100-nanosecond units). So –MaxPasswordAge 30 sets a maximum age of thirty ticks, and Get-ADDefaultDomainPasswordPolicy then reports MaxPasswordAge : 00:00:00.0000030, which is three microseconds and effectively expires every password immediately. Write the ages in days.hours:minutes:seconds form, or build them with New-TimeSpan. Here is the command (this is a single-line command that wraps in the blog format; no line breaks have been introduced):
Set-ADDefaultDomainPasswordPolicy -Identity Nwtraders.com -ComplexityEnabled $true -MinPasswordLength 7 -MinPasswordAge 1.00:00:00 -MaxPasswordAge 30.00:00:00 -LockoutDuration 00:30:00 -LockoutObservationWindow 00:30:00 -LockoutThreshold 3
And again, I can check my results:
PS C:\> Get-ADDefaultDomainPasswordPolicy
ComplexityEnabled : True
DistinguishedName : DC=NWTraders,DC=com
LockoutDuration : 00:30:00
LockoutObservationWindow : 00:30:00
LockoutThreshold : 3
MaxPasswordAge : 30.00:00:00
MinPasswordAge : 1.00:00:00
MinPasswordLength : 7
objectClass : {domainDNS}
objectGuid : f8d7dfc5-37ef-4f0b-a106-c1de59439a58
PasswordHistoryCount : 0
ReversibleEncryptionEnabled : False
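Setting everything in one command is convenient, but in a script you usually want to change only what has drifted, preview before touching the domain, and verify afterwards. The following is an added example (mine, not code from the original post) that does those three things and refuses to pass an age or lockout window that is not already a TimeSpan. It assumes the ActiveDirectory module and rights to modify the domain object; the baseline values are illustrative, and the policy object at the bottom is constructed so the drift calculation can be tried offline.

```powershell
# Added example (not from the original post): apply a baseline to the default
# domain password policy only where the live policy drifts from it, using
# explicit TimeSpan values so no age or lockout window is ever interpreted as
# ticks. Assumes the ActiveDirectory module and rights to modify the domain
# object; the baseline values are illustrative.
Import-Module ActiveDirectory

$DomainPasswordBaseline = @{
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    MinPasswordAge              = New-TimeSpan -Days 1
    MaxPasswordAge              = New-TimeSpan -Days 365
    LockoutThreshold            = 10
    LockoutDuration             = New-TimeSpan -Minutes 30
    LockoutObservationWindow    = New-TimeSpan -Minutes 30
}

function Get-PasswordPolicyDrift {
    # Returns a hashtable of parameter name -> desired value for every setting
    # that differs from the baseline; empty when nothing needs to change. The
    # result is shaped for splatting straight into Set-ADDefaultDomainPasswordPolicy.
    param(
        [Parameter(Mandatory)][psobject]$Current,
        [Parameter(Mandatory)][hashtable]$Baseline
    )
    $drift = @{}
    foreach ($name in $Baseline.Keys) {
        $want = $Baseline[$name]
        # Guard against the tick pitfall: -MaxPasswordAge 30 means 30 ticks, not 30 days.
        if ($name -match 'Age$|Duration$|Window$' -and $want -isnot [timespan]) {
            throw "$name must be a [timespan]; got $($want.GetType().Name) '$want'"
        }
        if ($Current.$name -ne $want) { $drift[$name] = $want }
    }
    return $drift
}

function Set-DefaultDomainPasswordPolicyBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Domain,
        [hashtable]$Baseline = $DomainPasswordBaseline
    )
    $before = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $changes = Get-PasswordPolicyDrift -Current $before -Baseline $Baseline
    if ($changes.Count -eq 0) {
        Write-Verbose "$Domain already matches the baseline; nothing to do."
        return $before
    }
    $summary = ($changes.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
    if ($PSCmdlet.ShouldProcess($Domain, "Set $summary")) {
        # Splat only the drifted settings; -Identity is mandatory on the Set cmdlet.
        Set-ADDefaultDomainPasswordPolicy -Identity $Domain @changes
        # Read the policy back and verify rather than trusting the silent Set call.
        $after = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
        $remaining = Get-PasswordPolicyDrift -Current $after -Baseline $Baseline
        if ($remaining.Count -gt 0) {
            throw "Policy on $Domain still differs from baseline: $($remaining.Keys -join ', ')"
        }
        return $after
    }
}

# Live use (preview first, then apply):
#   Set-DefaultDomainPasswordPolicyBaseline -Domain nwtraders.com -WhatIf
#   Set-DefaultDomainPasswordPolicyBaseline -Domain nwtraders.com -Verbose

# Offline demonstration of the drift calculation on a constructed object (not a
# real domain) representing a partially hardened policy.
$partiallyHardened = [pscustomobject]@{
    ComplexityEnabled = $true;  ReversibleEncryptionEnabled = $false
    MinPasswordLength = 7;      PasswordHistoryCount = 0
    MinPasswordAge = New-TimeSpan -Days 1;  MaxPasswordAge = New-TimeSpan -Days 30
    LockoutThreshold = 3;       LockoutDuration = New-TimeSpan -Minutes 30
    LockoutObservationWindow = New-TimeSpan -Minutes 30
}
Get-PasswordPolicyDrift -Current $partiallyHardened -Baseline $DomainPasswordBaseline
```

For the constructed object, the drift hashtable contains only MinPasswordLength, PasswordHistoryCount, MaxPasswordAge and LockoutThreshold; the other five settings already match and are left alone. Run the live function with -WhatIf first: because of SupportsShouldProcess it prints the exact parameter set it would splat into Set-ADDefaultDomainPasswordPolicy without touching the domain, and the read-back check afterwards catches the case where the Set call succeeded but something (a Group Policy refresh, for instance) put a value back.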
JB, that is all there is to using Windows PowerShell to configure the default domain password policy. Two things to keep in mind when you do this for real. First, these settings are stored as attributes of the domain object, and the password and lockout settings defined in the Default Domain Policy GPO are applied to those same attributes by the PDC emulator, so keep that GPO in agreement with what you set here or Group Policy processing will reapply its own values. Second, a fine-grained password policy applied to a user or group overrides the default domain policy for those accounts; Get-ADUserResultantPasswordPolicy shows which policy actually governs a given user. Active Directory Week will continue tomorrow when I will talk about more cool stuff.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy