Password security best practices in PowerShell

According to the 2019 Data Breach Investigation Report by Verizon, stolen credentials are the major cause of data breaches. To protect passwords from attacks such as brute force and password spraying, standards bodies like NIST publish password security guidelines that define how complex passwords must be.

A brief summary of 2019 NIST password security guidelines:

  • Passwords should be a minimum of eight and a maximum of sixty-four characters long.
  • Permit the usage of printable ASCII characters (including spaces), and Unicode characters.
  • Blacklist commonly used words, dictionary words, and breached passwords.
  • Restrict the use of repetitive or keyboard sequences.
  • Offer guidance, such as a password strength meter, to help users choose a strong password.
  • Enforce account lockouts after ten failed authentication attempts.
  • Enforce two-factor authentication (2FA) with advanced authentication techniques like Google or Microsoft Authenticator.

With PowerShell

It is highly complex to ensure NIST password compliance using PowerShell scripts.

With ADSelfService Plus

  • Configure a password policy with advanced settings via the Password Policy Enforcer
    • Go to ADSelfService Plus admin portal.
    • Navigate to Configuration > Self-Service > Password Policy Enforcer.
    • Enable Enforce Custom Password Policy.
    • Ban leaked or weak passwords, keyboard sequences, and palindromes.
    • Restrict consecutive characters taken from the username or the old password, as well as common character types at the beginning or end of the password.
    • Allow users to use Unicode characters in their passwords.
    • Display a password strength meter when users change or reset their AD passwords.
    • Enforce passphrases.
    • Click Save.

Advantages of ADSelfService Plus:

  • Advanced password policy controls: Ensures users use strong passwords by banning breached passwords, keyboard sequences, and more.
  • Improves IT security: Supports advanced multi-factor authentication techniques like biometrics and YubiKey to secure self-service password resets and account unlocks.
  • Password policy for hybrid AD enforcement: Admins can enforce custom password policies for users' Active Directory and cloud accounts.
  • Compliance: Helps comply with CJIS, PCI DSS, and HIPAA.

Using PowerShell to secure Active Directory passwords

Step 1: Enable strong password policies

Modify AD policies to require complex passwords. The command below enables the complexity requirement and requires passwords to be at least 12 characters long. Set-ADDefaultDomainPasswordPolicy needs the -Identity parameter, which takes the domain's DNS name or distinguished name (replace "yourdomain.com" with your own domain).

Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" -ComplexityEnabled $true -MinPasswordLength 12

Step 2: Enforce regular password changes

Set expiration policies. This forces password changes every 90 days, with a minimum password age of one day so users cannot immediately cycle back to an old password. Both parameters take a TimeSpan, so the values are written as days.hours:minutes:seconds; passing a bare number such as 90 would be interpreted as ticks, not days.

Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" -MaxPasswordAge 90.00:00:00 -MinPasswordAge 1.00:00:00

Step 3: Lock accounts after failed attempts

Reduce the risk of brute-force attacks by locking accounts after five failed login attempts for 30 minutes. -LockoutDuration is a TimeSpan (hours:minutes:seconds), and Active Directory requires the lockout observation window to be no longer than the lockout duration, so the window is set explicitly as well.

Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" -LockoutThreshold 5 -LockoutDuration 00:30:00 -LockoutObservationWindow 00:30:00

Step 4: Notify users about security policies

Send a reminder email about strong passwords to keep users aware of security measures. Send-MailMessage needs an SMTP server, given either with -SmtpServer or by setting $PSEmailServer beforehand (replace "smtp.yourdomain.com" with your mail relay).

Send-MailMessage -SmtpServer "smtp.yourdomain.com" -To "allusers@domain.com" -From "admin@yourdomain.com" -Subject "Password Security Update" -Body "Reminder: Ensure your passwords meet security standards."
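Steps 1 to 3 change the default domain policy, but they do not show whether the domain actually meets the baseline afterwards. The script below is an added example, not part of the original article or of ADSelfService Plus: it reads the effective default domain password policy and reports each setting against the NIST summary above and the values used in Steps 1 to 3. It assumes the ActiveDirectory module is installed and the caller can read domain policy; the threshold values are parameters you can adjust.

```powershell
# Added example (not from the original article): audit the default domain password
# policy against the baseline described on this page. Assumes the ActiveDirectory
# module and read access to the domain policy.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        [string]$Identity = (Get-ADDomain).DNSRoot,
        [int]$MinLength = 12,            # Step 1 value
        [int]$MaxLockoutThreshold = 10,  # NIST summary: lock out after at most ten failures
        [int]$MaxPasswordAgeDays = 90    # Step 2 value
    )
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Identity

    # One row per check, so the output reads like a checklist rather than a raw policy object.
    # MaxPasswordAge of zero days means "never expires", which is why the lower bound is 1.
    $checks = @(
        [pscustomobject]@{ Check = 'Complexity enabled'; Expected = 'True'
                           Actual = $p.ComplexityEnabled; Pass = [bool]$p.ComplexityEnabled }
        [pscustomobject]@{ Check = "Minimum length >= $MinLength"; Expected = ">= $MinLength"
                           Actual = $p.MinPasswordLength; Pass = $p.MinPasswordLength -ge $MinLength }
        [pscustomobject]@{ Check = 'Lockout threshold set'; Expected = "1..$MaxLockoutThreshold"
                           Actual = $p.LockoutThreshold
                           Pass = ($p.LockoutThreshold -ge 1) -and ($p.LockoutThreshold -le $MaxLockoutThreshold) }
        [pscustomobject]@{ Check = 'Lockout duration >= 30 min'; Expected = '>= 00:30:00'
                           Actual = $p.LockoutDuration; Pass = $p.LockoutDuration.TotalMinutes -ge 30 }
        [pscustomobject]@{ Check = "Max password age 1..$MaxPasswordAgeDays days"; Expected = "1..$MaxPasswordAgeDays days"
                           Actual = $p.MaxPasswordAge
                           Pass = ($p.MaxPasswordAge.TotalDays -ge 1) -and ($p.MaxPasswordAge.TotalDays -le $MaxPasswordAgeDays) }
        [pscustomobject]@{ Check = 'Reversible encryption disabled'; Expected = 'False'
                           Actual = $p.ReversibleEncryptionEnabled; Pass = -not $p.ReversibleEncryptionEnabled }
    )
    return $checks
}

# Print the checklist and return a non-zero exit code on any failure, so the
# script can run from a scheduled audit task.
$results = Test-DomainPasswordPolicy
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'Default domain password policy does not meet the baseline.'
    exit 1
}
```

Fine-grained password policies override the default policy for the users and groups they apply to, so list them with Get-ADFineGrainedPasswordPolicy -Filter * and review each one against the same checklist.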

FAQs

1. How do I enforce strong passwords in AD?

You can enforce strong passwords in AD by running the command below, which sets the minimum password length to 12 and enables the complexity requirement (replace "yourdomain.com" with your domain):

Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" -MinPasswordLength 12 -ComplexityEnabled $true

2. How can I block weak passwords?

You can block weak passwords by running the commands below, which create a fine-grained password policy with a minimum password length of 14. -Precedence is mandatory (a lower number wins when several policies apply to one user), and the policy has no effect until it is applied to a group or to individual users; "Domain Admins" below is a placeholder for the group you want it to cover:

New-ADFineGrainedPasswordPolicy -Name "StrictPolicy" -Precedence 10 -MinPasswordLength 14
Add-ADFineGrainedPasswordPolicySubject -Identity "StrictPolicy" -Subjects "Domain Admins"

3. How do I detect insecure passwords?

Use password auditing tools like ManageEngine ADSelfService Plus or PowerShell scripts to detect insecure passwords.
