Summary: Ed Wilson, Microsoft Scripting Guy, talks about using Windows PowerShell to check the lockout threshold for several domains.
Hey, Scripting Guy! I have several domains in our forest, and it seems that some weasel got in and changed the lockout threshold in some of the child domains. I know we should have turned on auditing, but we did not. What I need right now is a way to find all of the domains that have been changed.
—MB
Hello MB,
Microsoft Scripting Guy, Ed Wilson, is here. This weekend, there is a battle-of-the-bands going on in downtown Charlotte. I am thinking that the Scripting Wife and I may head down there. If we are lucky, they may play “Heard it Through the Pipeline” or “Highway to PowerShell.”
MB, luckily, it is fairly easy to accomplish what you want to do. Here is an example you can use that would work for any property you want to check.
Get the domains in the forest
The first thing to do is to get a list of all of the domains in the forest. To do this, I can use the Get-ADForest cmdlet, and select only the domains. After I do that, I walk through the domains, get the default domain password policy for each domain, and compare it to a reference policy. When I have the comparison, I create a custom object for each domain policy that does not match. Here is how I go about it:
Import-Module activedirectory
$default = Get-ADDefaultDomainPasswordPolicy -Identity nwtraders.com
Foreach ($domain in (Get-ADForest).domains)
I like to import the Active Directory module explicitly because it is a bit faster than waiting for module auto-loading to locate it the first time I call one of its cmdlets. Besides, I know that I am going to be using the Active Directory module, so it certainly does not hurt to import it.
Now I read the default domain password policy that I know is correct. I store this in a variable I call $Default, and then I get my collection of domains.
Check each domain
Now I need to get the default password policy for each domain in my collection of domains. I then use the Compare-Object cmdlet to compare the default policy with what I retrieved from the current domain. I am only comparing the LockOutThreshold. Here is the code that does this:
$p = Get-ADDefaultDomainPasswordPolicy -Identity $domain
$diff = Compare-Object -ReferenceObject $default -DifferenceObject `
$p -Property lockoutthreshold -PassThru
Because I use the –PassThru parameter, Compare-Object returns the policy objects themselves (each with a SideIndicator note property added) to the $diff variable, and it returns nothing at all when the two thresholds match. When they differ, it returns two objects: the reference policy, marked ‘<=’, and the policy from the domain I am checking, marked ‘=>’. It is the second one I want, so I walk through the objects stored in the $diff variable and look for a side indicator of ‘=>’. If I picked ‘<=’ instead, I would be reporting the reference domain’s name and threshold for every mismatch and never learn which child domain was changed. When I find the ‘=>’ object, I grab the domain’s distinguished name and the lockout threshold and create a custom object. This code is shown here:
Foreach ($d in $diff)
{
  if ($d.SideIndicator -eq '=>')
  {
    [pscustomobject]@{
      'DomainName'       = $d.DistinguishedName
      'LockOutThreshold' = $d.LockoutThreshold
    }
  }
}
The complete script appears here:
Import-Module ActiveDirectory
# Reference policy: the one known to be correct
$default = Get-ADDefaultDomainPasswordPolicy -Identity nwtraders.com
Foreach ($domain in (Get-ADForest).Domains)
{
  $p = Get-ADDefaultDomainPasswordPolicy -Identity $domain
  # Nothing comes back when the thresholds match; two objects when they differ
  $diff = Compare-Object -ReferenceObject $default -DifferenceObject `
    $p -Property LockoutThreshold -PassThru
  Foreach ($d in $diff)
  {
    # '=>' marks the object from -DifferenceObject, i.e. the domain being checked
    if ($d.SideIndicator -eq '=>')
    {
      [pscustomobject]@{
        'DomainName'       = $d.DistinguishedName
        'LockOutThreshold' = $d.LockoutThreshold
      }
    }
  }
}
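As an added example that is not part of the original post, here is the same idea carried a step further: instead of comparing the single LockoutThreshold property, it checks a list of password- and lockout-policy properties for every domain and reports, per domain, each property whose value differs from the reference policy, and it reports a domain whose policy cannot be read rather than skipping it. The Compare-PasswordPolicy function, the property list, the use of nwtraders.com as the reference domain, and the child.nwtraders.com sample are all assumptions made for the example. The constructed sample policies at the top let you try the comparison on a workstation without RSAT; the live forest walk runs only when the Active Directory module is installed.

```powershell
# Added example (not from the original post): report every listed
# password-policy property that differs from the reference domain's policy.
# Assumed: nwtraders.com is the reference domain; the property list is what
# you care about; child.nwtraders.com is a made-up sample domain.

function Compare-PasswordPolicy {
    # Compares one candidate policy against the reference policy, property by
    # property, and emits one object per mismatch. Emits nothing when every
    # listed property agrees. A property that is missing ($null) on either
    # side compares as a mismatch instead of being silently treated as equal.
    param(
        [Parameter(Mandatory)] $Reference,
        [Parameter(Mandatory)] $Candidate,
        [Parameter(Mandatory)] [string] $DomainName,
        [string[]] $Property = @('LockoutThreshold', 'LockoutDuration',
                                 'LockoutObservationWindow', 'MinPasswordLength',
                                 'ComplexityEnabled', 'PasswordHistoryCount',
                                 'MaxPasswordAge')
    )
    foreach ($name in $Property) {
        $expected = $Reference.$name
        $actual   = $Candidate.$name
        if ($expected -ne $actual) {
            [pscustomobject]@{
                DomainName = $DomainName
                Property   = $name
                Expected   = $expected
                Actual     = $actual
            }
        }
    }
}

# --- Offline demonstration on constructed sample policies (not real data) ---
# The "child" copy has had its lockout threshold set to 0, which turns account
# lockout off entirely, and password complexity switched off.
$refSample = [pscustomobject]@{
    LockoutThreshold = 5; LockoutDuration = [timespan]'00:30:00'
    MinPasswordLength = 12; ComplexityEnabled = $true
}
$childSample = [pscustomobject]@{
    LockoutThreshold = 0; LockoutDuration = [timespan]'00:30:00'
    MinPasswordLength = 12; ComplexityEnabled = $false
}
Compare-PasswordPolicy -Reference $refSample -Candidate $childSample `
    -DomainName 'child.nwtraders.com' `
    -Property 'LockoutThreshold', 'LockoutDuration', 'MinPasswordLength', 'ComplexityEnabled' |
    Format-Table -AutoSize

# --- Live check: walk every domain in the forest -----------------------------
# Skipped when the module is absent so the sample above still runs anywhere.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $default = Get-ADDefaultDomainPasswordPolicy -Identity nwtraders.com
    $findings = foreach ($domain in (Get-ADForest).Domains) {
        try {
            # -Server points the query at a DC of that domain, so the result
            # does not depend on the current domain resolving the identity.
            $p = Get-ADDefaultDomainPasswordPolicy -Identity $domain -Server $domain -ErrorAction Stop
        }
        catch {
            # A domain whose policy cannot be read is itself a finding.
            [pscustomobject]@{
                DomainName = $domain; Property = '(policy)'
                Expected   = 'readable'; Actual = $_.Exception.Message
            }
            continue
        }
        Compare-PasswordPolicy -Reference $default -Candidate $p -DomainName $domain
    }
    $findings | Format-Table -AutoSize
}
```

Comparing the properties directly, as this example does, also sidesteps the Compare-Object side indicators entirely. One caveat worth keeping in mind: Get-ADDefaultDomainPasswordPolicy reports only the Default Domain Policy. A fine-grained password policy (see Get-ADFineGrainedPasswordPolicy -Filter *) can apply a different lockout threshold to specific users or groups without changing anything this script reports, so a thorough check of a domain covers both.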
MB, that is all there is to using Windows PowerShell to check Active Directory domain password policies. Active Directory Week will continue tomorrow when I will talk about more cool stuff.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy