Check the current domain password policy settings using the command below. This displays the password length, complexity, and lockout settings.

    Import-Module ActiveDirectory
    Get-ADDefaultDomainPasswordPolicy

Set a strong password policy by running the command below. This policy will require a minimum of 12 characters, enforce complex passwords, and lock accounts after five failed attempts. The -Identity parameter is required and names the domain to change; here it is taken from the current domain.

    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -MinPasswordLength 12 -ComplexityEnabled $true -LockoutThreshold 5

For different policies based on user roles, run the command below. This enforces stricter rules for admin accounts.

    New-ADFineGrainedPasswordPolicy -Name "AdminsPolicy" -Precedence 1 -MinPasswordLength 15 -ComplexityEnabled $true -LockoutThreshold 3

Apply the policy to a specific group. This ensures that only admins follow this stricter policy.

    Add-ADFineGrainedPasswordPolicySubject -Identity "AdminsPolicy" -Subjects "Domain Admins"

Check the current password policy by running the command below. This returns the domain's default password settings.

    Get-ADDefaultDomainPasswordPolicy

Run the command below to enforce a stronger password policy. This sets 12-character complex passwords with lockout after five failed attempts.

    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -MinPasswordLength 12 -ComplexityEnabled $true -LockoutThreshold 5

Yes, this can be done using fine-grained password policies (FGPP).
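
To confirm that the fine-grained policy assigned to Domain Admins is the one actually in effect for each admin account, the added example below (not part of the original page) reports the resultant policy per user. The 15-character and 3-attempt targets are the AdminsPolicy values from this page; the variable names and report columns are assumptions chosen for illustration.

```powershell
# Added example: audit the effective password policy for every user in Domain Admins.
Import-Module ActiveDirectory

# Targets taken from the AdminsPolicy settings on this page.
$requiredMinLength   = 15
$maxLockoutThreshold = 3

# Fallback that applies when no fine-grained policy covers a user.
$defaultPolicy = Get-ADDefaultDomainPasswordPolicy

$report = Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        # Returns $null when no fine-grained policy applies to this user.
        $pso       = Get-ADUserResultantPasswordPolicy -Identity $_.DistinguishedName
        $effective = if ($pso) { $pso } else { $defaultPolicy }
        $user      = Get-ADUser -Identity $_.DistinguishedName -Properties PasswordLastSet

        [pscustomobject]@{
            User              = $user.SamAccountName
            Policy            = if ($pso) { $pso.Name } else { 'Default domain policy' }
            MinPasswordLength = $effective.MinPasswordLength
            ComplexityEnabled = $effective.ComplexityEnabled
            LockoutThreshold  = $effective.LockoutThreshold
            # Existing passwords are not re-checked when a policy changes, so a
            # password set before the policy was created may still be shorter.
            PasswordLastSet   = $user.PasswordLastSet
            MeetsTarget       = ($effective.MinPasswordLength -ge $requiredMinLength) -and
                                $effective.ComplexityEnabled -and
                                ($effective.LockoutThreshold -gt 0) -and
                                ($effective.LockoutThreshold -le $maxLockoutThreshold)
        }
    }

# Accounts that miss the target sort first.
$report | Sort-Object MeetsTarget, User | Format-Table -AutoSize
```

A lockout threshold of 0 means accounts are never locked out, which is why the check requires a value between 1 and the target.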