Domain policy

The domain policy controls the lockout and password policies. Understanding the default allows you to start thinking about options for fine-grained password policies.

# Microsoft AD cmdlets: read the domain object with all properties
Get-ADObject -Identity "dc=manticore,dc=org" -Properties * |
Format-List Name, *lockout*, *pwd*

# AD provider: read each attribute from the domain object via the AD: drive
"`nAD provider"
$props = "Name", "lockoutDuration", "lockOutObservationWindow", "lockoutThreshold",
"maxPwdAge", "minPwdAge", "minPwdLength", "pwdHistoryLength", "pwdProperties"
foreach ($prop in $props) {
    Get-ItemProperty -Path ad:\"dc=manticore,dc=org" -Name $prop | fl $prop
}

# Quest AD cmdlets
Get-QADObject -Identity "dc=manticore,dc=org" -IncludeAllProperties |
Format-List Name, *lockout*, *password*

# .NET script: search for the domainDNS object and read the attributes directly
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$root = $dom.GetDirectoryEntry()
$search = [System.DirectoryServices.DirectorySearcher]$root
$search.Filter = "(objectclass=domainDNS)"
$result = $search.FindOne()
New-Object -TypeName PSObject -Property @{
    Name                     = $($result.Properties.name)
    lockoutDuration          = $($result.Properties.lockoutduration)
    lockOutObservationWindow = $($result.Properties.lockoutobservationwindow)
    lockoutThreshold         = $($result.Properties.lockoutthreshold)
    maxPwdAge                = $($result.Properties.maxpwdage)
    minPwdAge                = $($result.Properties.minpwdage)
    minPwdLength             = $($result.Properties.minpwdlength)
    pwdHistoryLength         = $($result.Properties.pwdhistorylength)
    pwdProperties            = $($result.Properties.pwdproperties)
}

The cmdlets access the AD object for the domain. The provider accesses the domain object and pulls the appropriate attributes.

The script is the most interesting: it searches for the object of class domainDNS and then displays the required properties.

Another alternative is supplied by the Microsoft cmdlets:

PS> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled           : True
DistinguishedName           : DC=Manticore,DC=org
LockoutDuration             : 00:01:00
LockoutObservationWindow    : 00:01:00
LockoutThreshold            : 25
MaxPasswordAge              : 42.00:00:00
MinPasswordAge              : 00:00:00
MinPasswordLength           : 7
objectClass                 : {domainDNS}
objectGuid                  : 1f230c52-a38d-4d47-8748-5f7fad04cf90
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False
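The raw attributes that the provider and the DirectorySearcher return are not in the form the cmdlet output shows: the durations are negative Int64 counts of 100-nanosecond units, and ComplexityEnabled and ReversibleEncryptionEnabled are bits of pwdProperties. The following is an added example, not code from the original post, that decodes those raw values into the shape shown above and then checks the result against a baseline. The function names, the hashtable input format and the baseline thresholds (14 characters, 24 remembered passwords) are my own assumptions; the pwdProperties bit values are the documented DOMAIN_* flags. The sample values are constructed to match the output above.

```powershell
# Added example (not from the original post): decode raw domain-policy attributes
# and check them against a baseline. Function names and thresholds are assumptions.

# pwdProperties bit flags (documented DOMAIN_* values)
$PwdPropertyFlags = @{
    DOMAIN_PASSWORD_COMPLEX         = 0x01
    DOMAIN_PASSWORD_NO_ANON_CHANGE  = 0x02
    DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x04
    DOMAIN_LOCKOUT_ADMINS           = 0x08
    DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10
    DOMAIN_REFUSE_PASSWORD_CHANGE   = 0x20
}

function ConvertFrom-AdInterval {
    # AD stores these durations as negative Int64 counts of 100-nanosecond units,
    # the same unit as .NET TimeSpan ticks. Int64.MinValue means "never".
    param([Int64]$Value)
    if ($Value -eq [Int64]::MinValue) { return $null }
    return [TimeSpan]::FromTicks(-$Value)
}

function ConvertFrom-DomainPolicy {
    # Takes the raw attribute values (hashtable keyed by LDAP attribute name)
    # and returns the decoded policy in the form Get-ADDefaultDomainPasswordPolicy shows.
    param([hashtable]$Raw)
    $flags = [int]$Raw.pwdProperties
    [PSCustomObject]@{
        LockoutDuration             = ConvertFrom-AdInterval $Raw.lockoutDuration
        LockoutObservationWindow    = ConvertFrom-AdInterval $Raw.lockOutObservationWindow
        LockoutThreshold            = [int]$Raw.lockoutThreshold          # 0 = lockout disabled
        MaxPasswordAge              = ConvertFrom-AdInterval $Raw.maxPwdAge  # $null = never expires
        MinPasswordAge              = ConvertFrom-AdInterval $Raw.minPwdAge
        MinPasswordLength           = [int]$Raw.minPwdLength
        PasswordHistoryCount        = [int]$Raw.pwdHistoryLength
        ComplexityEnabled           = [bool]($flags -band $PwdPropertyFlags.DOMAIN_PASSWORD_COMPLEX)
        ReversibleEncryptionEnabled = [bool]($flags -band $PwdPropertyFlags.DOMAIN_PASSWORD_STORE_CLEARTEXT)
    }
}

function Test-DomainPolicy {
    # Compares the decoded policy against a baseline; returns one finding per gap.
    # The baseline numbers are assumed thresholds for illustration, not a standard.
    param([PSCustomObject]$Policy, [int]$MinLength = 14, [int]$MinHistory = 24)
    $findings = @()
    if ($Policy.MinPasswordLength -lt $MinLength) {
        $findings += "minPwdLength is $($Policy.MinPasswordLength), baseline is $MinLength"
    }
    if ($Policy.PasswordHistoryCount -lt $MinHistory) {
        $findings += "pwdHistoryLength is $($Policy.PasswordHistoryCount), baseline is $MinHistory"
    }
    if ($Policy.MinPasswordAge -eq [TimeSpan]::Zero) {
        $findings += "minPwdAge is 0, so users can cycle through the history in one sitting"
    }
    if (-not $Policy.ComplexityEnabled)    { $findings += "password complexity is disabled" }
    if ($Policy.ReversibleEncryptionEnabled) { $findings += "reversible encryption is enabled" }
    if ($Policy.LockoutThreshold -eq 0)    { $findings += "account lockout is disabled (threshold 0)" }
    return $findings
}

# Constructed sample matching the Get-ADDefaultDomainPasswordPolicy output above
# (1 minute = 600,000,000 ticks; 42 days = 36,288,000,000,000 ticks; pwdProperties 1 = complexity on).
$sample = @{
    lockoutDuration          = -600000000
    lockOutObservationWindow = -600000000
    lockoutThreshold         = 25
    maxPwdAge                = -36288000000000
    minPwdAge                = 0
    minPwdLength             = 7
    pwdHistoryLength         = 24
    pwdProperties            = 1
}

$policy = ConvertFrom-DomainPolicy -Raw $sample
$policy | Format-List
Test-DomainPolicy -Policy $policy

# To run against the live domain, feed it the DirectorySearcher result from the script above:
# $raw = @{}; foreach ($k in $sample.Keys) { $raw[$k] = $result.Properties[$k.ToLower()][0] }
# ConvertFrom-DomainPolicy -Raw $raw | Format-List
```

With the sample values the decoded object reproduces the cmdlet output (LockoutDuration 00:01:00, MaxPasswordAge 42 days, ComplexityEnabled True, ReversibleEncryptionEnabled False), and Test-DomainPolicy reports the two gaps a reviewer would raise against that default: a 7-character minimum and a minimum age of zero. The Int64.MinValue guard matters because a domain with no password expiry stores maxPwdAge as that value, and negating it would overflow.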

This entry was posted in PowerShell and Active Directory.