Pricing  Get Quote

How to: Managing fine-grained password policies via PowerShell

Password policies are crucial for enforcing the creation of strong passwords and protecting users from credential-based attacks. The PowerShell scripts given below can be used to manage the fine-grained password policy and default domain policy for an Active Directory domain. ADSelfService Plus, the identity security solution with multi-factor authentication, single sign-on, and self-service password management capabilities, provides advanced password policy settings that can be applied for both on-premises and cloud applications. The following is a comparison between the PowerShell scripts used to manage fine-grained password policy settings and ADSelfService Plus.

With PowerShell

    Run the following scripts in PowerShell:
  • Create a new Active Directory fine-grained password policy
       [-AuthType <ADAuthType>]
       [-ComplexityEnabled <Boolean>]
       [-Credential <PSCredential>]
       [-Description <String>]
       [-DisplayName <String>]
       [-Instance <ADFineGrainedPasswordPolicy>]
       [-LockoutDuration <TimeSpan>]
       [-LockoutObservationWindow <TimeSpan>]
       [-LockoutThreshold <Int32>]
       [-MaxPasswordAge <TimeSpan>]
       [-MinPasswordAge <TimeSpan>]
       [-MinPasswordLength <Int32>]
       [-Name] <String>
       [-OtherAttributes <Hashtable>]
       [-PasswordHistoryCount <Int32>]
       [-Precedence] <Int32>
       [-ProtectedFromAccidentalDeletion <Boolean>]
       [-ReversibleEncryptionEnabled <Boolean>]
       [-Server <String>]
    Click to copy entire script
  • Perform a search to retrieve one or multiple fine-grained password policies
       [-AuthType <ADAuthType>]
       [-Credential <PSCredential>]
       [-Identity] <ADFineGrainedPasswordPolicy>
       [-Properties <String[]>]
       [-Server <String>]
  • Perform a search to retrieve one or multiple default domain password policies
       [-AuthType <ADAuthType>]
       [-Credential <PSCredential>]
       [-Current <ADCurrentDomainType>]
       [-Server <String>]

With ADSelfService Plus:

  • Configure a custom password policy via the Password Policy Enforcer feature
    • Log into the ADSelfService Plus admin portal.
    • Navigate to Configuration > Self-Service > Password Policy Enforcer.
    • Enable Enforce Custom Password Policy.
    • From the Restrict Characters tab:
      • Set the number of special and numeric characters that must be used.
      • Allow inclusion of unicode characters.
      • Mandate a minimum number of lowercase and uppercase alphabets.
      • Disallow numeric last characters.
    • In the Restrict Repetition tab, restrict use of strings from the username or old passwords, as well as consecutive repetition of the same character.
    • In the Restrict Pattern tab, ban dictionary words or weak passwords, keyboard patterns, and palindromes.
    • In the Restrict Length tab, specify the minimum and maximum password length.
    • Use the Password must satisfy at least _ of the above complexity requirements setting to enable users to choose the rules they want to adhere to without compromising on password security.
    • Use the Override all complexity rules if password length is at least _ setting to enforce passphrases instead of password complexity rules if the password length is above a set number.
    • Click Save.

Advantages of ADSelfService Plus over PowerShell:

  • ADSelfService Plus' advanced password policy settings bans dictionary and weak passwords, palindromes, keyboard patterns, and more.
  • ADSelfService Plus integrates with Have I Been Pwned? service to ensure that users don't use breached passwords during password change and password reset.
  • Display the password requirements to end users during password change or reset operations on the Ctrl+Alt+Del screen.
  • Enforce custom password policy settings even for password changes through the Windows logon (Ctrl+Alt+Del) screen and during ADUC password resets.
Salient features of ADSelfService Plus
  • Defence against cyberattacks:

    Ensures users don't use easily exploitable passwords like pass@123.

  • Improves IT security:

    Provides advanced multi-factor authentication techniques including biometrics and YubiKey.

  • Universal enforcement:

    Admins can enforce the custom password policies for both Active Directory and cloud applications.

  • OU and group-based enforcement:

    Admins can choose to enforce different password policies for users based on their OU and group memberships.

Defense against cyber-terrorism with custom password policy controls.

  Get 30-day free trial.

Related Resources

ADSelfService Plus trusted by

A single pane of glass for complete self service password management
Email Download Link