How to: Manage GPO-based password policies with PowerShell

The PowerShell scripts given below can be used to manage the default password policy for an Active Directory domain. ADSelfService Plus, the Active Directory self-service password management and single sign-on solution, provides advanced password policy settings that can be applied for hybrid Active Directory. The following is a comparison between group policy object (GPO)-based domain password policy settings available in Windows Active Directory and ADSelfService Plus:

With PowerShell
  • Modify the default password policy for an Active Directory domain
    Set-ADDefaultDomainPasswordPolicy
    [-WhatIf]
    [-Confirm]
    [-AuthType <ADAuthType>]
    [-ComplexityEnabled <Boolean>]
    [-Credential <PSCredential>]
    [-Identity] <ADDefaultDomainPasswordPolicy>
    [-LockoutDuration <TimeSpan>]
    [-LockoutObservationWindow <TimeSpan>]
    [-LockoutThreshold <Int32>]
    [-MaxPasswordAge <TimeSpan>]
    [-MinPasswordAge <TimeSpan>]
    [-MinPasswordLength <Int32>]
    [-PassThru]
    [-PasswordHistoryCount <Int32>]
    [-ReversibleEncryptionEnabled <Boolean>]
    [-Server <String>]
    [<CommonParameters>]
  • Fetch the default password policy for an Active Directory domain.
    Get-ADDefaultDomainPasswordPolicy
    [-AuthType <ADAuthType>]
    [-Credential <PSCredential>]
    [[-Current] <ADCurrentDomainType>]
    [-Server <String>]
    [<CommonParameters>]
With ADSelfService Plus
  • Configure a custom password policy via the Password Policy Enforcer
    • Go to ADSelfService Plus admin portal.
    • Navigate to Configuration > Self-Service > Password Policy Enforcer.
    • Enable Enforce Custom Password Policy.
    • Ban leaked or weak passwords, keyboard sequences, and palindromes.
    • Restrict consecutively repeated characters from the username or old password, as well as common character types at the beginning or end of the passwords.
    • Allow users to use Unicode characters in their passwords.
    • Display a password strength meter when users change or reset their AD passwords.
    • Enforce passphrases.
    • Click Save.

What are the limitations of domain password policies?

  • Domain password policies do not offer controls such as banning dictionary or weak passwords, keyboard sequences, or palindromes.
  • They cannot be used in hybrid Active Directory environments.
  • A domain password policy cannot be applied to users based on their OU or group memberships.
  • There is no way to prevent users from choosing breached passwords during a password change or reset.
  • They cannot display the password requirements to end users during a password change.

Advantages of ADSelfService Plus:

  • ADSelfService Plus offers options to block weak passwords, dictionary words, palindromes, and keyboard sequences to ensure strong user passwords.
  • It displays the password requirements to end users during password change or reset operations.
  • It enforces custom password policy settings for password changes made through the Windows logon (Ctrl+Alt+Del) screen and even during ADUC password resets.
  • It ensures users don't use breached passwords during password change and reset through integration with the Have I Been Pwned? service.

Enforcing password policy in Active Directory using PowerShell

Step 1: View the current password policy

Check the current domain password policy settings using the script below. This displays the password length, complexity, and lockout settings.

Get-ADDefaultDomainPasswordPolicy

Step 2: Modify the password policy

Set a strong password policy by running the script below. This policy will require a minimum of 12 characters, enforce complex passwords, and lock accounts after five failed attempts.

# -Identity is mandatory for Set-ADDefaultDomainPasswordPolicy; piping in the current policy supplies it
Get-ADDefaultDomainPasswordPolicy | Set-ADDefaultDomainPasswordPolicy -MinPasswordLength 12 -ComplexityEnabled $true -LockoutThreshold 5

Step 3: Apply fine-grained password policies

For different policies based on user roles, run the script below. This enforces stricter rules for admin accounts.

New-ADFineGrainedPasswordPolicy -Name "AdminsPolicy" -Precedence 1 -MinPasswordLength 15 -ComplexityEnabled $true -LockoutThreshold 3

Step 4: Assign policy to specific users or groups

Apply the policy to a specific group. This ensures that only admins follow this stricter policy.

Add-ADFineGrainedPasswordPolicySubject -Identity "AdminsPolicy" -Subjects "Domain Admins"
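As an added example that is not part of the original page, the following script checks the outcome of the four steps above from the verification side: it compares the default domain policy and every fine-grained policy against a baseline, then shows which policy actually governs a given account. The baseline values and the account name jdoe are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original page): audit the default domain password
# policy and all fine-grained policies against a baseline, then resolve the
# policy that applies to one account. Baseline values and the sample account
# name are assumptions.
Import-Module ActiveDirectory

$Baseline = @{
    MinPasswordLength    = 12
    ComplexityEnabled    = $true
    LockoutThreshold     = 5       # 0 means accounts are never locked out
    PasswordHistoryCount = 24
}

function Test-PasswordPolicy {
    param([Parameter(Mandatory)] $Policy, [string] $Label)
    $findings = @()
    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "MinPasswordLength $($Policy.MinPasswordLength) < $($Baseline.MinPasswordLength)"
    }
    if (-not $Policy.ComplexityEnabled) { $findings += "ComplexityEnabled is false" }
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += "LockoutThreshold $($Policy.LockoutThreshold) (baseline $($Baseline.LockoutThreshold))"
    }
    if ($Policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings += "PasswordHistoryCount $($Policy.PasswordHistoryCount) < $($Baseline.PasswordHistoryCount)"
    }
    if ($Policy.ReversibleEncryptionEnabled) { $findings += "ReversibleEncryptionEnabled is true" }
    [pscustomobject]@{ Policy = $Label; Compliant = ($findings.Count -eq 0); Findings = ($findings -join '; ') }
}

# 1. The default domain policy (what Step 1 displays)
$default = Get-ADDefaultDomainPasswordPolicy
Test-PasswordPolicy -Policy $default -Label 'Default Domain Policy'

# 2. Every fine-grained policy (what Steps 3 and 4 create and assign)
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    Test-PasswordPolicy -Policy $_ -Label "FGPP $($_.Name) (precedence $($_.Precedence))"
}

# 3. The policy that wins for one account: a fine-grained policy applied through
#    group membership overrides the default; when none applies, fall back to it.
$SampleUser = 'jdoe'   # assumption: replace with a real sAMAccountName
$effective = Get-ADUserResultantPasswordPolicy -Identity $SampleUser
if ($null -eq $effective) { $effective = $default }
Test-PasswordPolicy -Policy $effective -Label "Effective for $SampleUser"
```

Run it from an account with read access to the domain before and after Steps 2 to 4 to confirm that the admin group lands on the stricter policy while other users stay on the default.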

FAQs

1. How do I check the current password policy in AD?

Check the current password policy by running the script below. This returns the domain's default password settings.

Get-ADDefaultDomainPasswordPolicy

2. How do I enforce a stronger password policy?

Run the script below to enforce a stronger password policy. This sets 12-character complex passwords with lockout after five failed attempts.

# -Identity is mandatory for Set-ADDefaultDomainPasswordPolicy; piping in the current policy supplies it
Get-ADDefaultDomainPasswordPolicy | Set-ADDefaultDomainPasswordPolicy -MinPasswordLength 12 -ComplexityEnabled $true -LockoutThreshold 5

3. Can I apply different password policies to different users?

Yes, this can be done using fine-grained password policies (FGPP), as shown in Steps 3 and 4 above.
