
How to: Manage GPO-based password policies with PowerShell

The PowerShell cmdlets below manage the default password policy for an Active Directory domain. ADSelfService Plus, the Active Directory self-service password management and single sign-on solution, provides advanced password policy settings that can be applied for hybrid Active Directory. The following is a comparison between the group policy object (GPO)-based domain password policy settings available in Windows Active Directory and those in ADSelfService Plus:

With PowerShell

  • Modify the default password policy for an Active Directory domain
    Set-ADDefaultDomainPasswordPolicy
       [-WhatIf]
       [-Confirm]
       [-AuthType <ADAuthType>]
       [-ComplexityEnabled <Boolean>]
       [-Credential <PSCredential>]
       [-Identity] <ADDefaultDomainPasswordPolicy>
       [-LockoutDuration <TimeSpan>]
       [-LockoutObservationWindow <TimeSpan>]
       [-LockoutThreshold <Int32>]
       [-MaxPasswordAge <TimeSpan>]
       [-MinPasswordAge <TimeSpan>]
       [-MinPasswordLength <Int32>]
       [-PassThru]
       [-PasswordHistoryCount <Int32>]
       [-ReversibleEncryptionEnabled <Boolean>]
       [-Server <String>]
       [<CommonParameters>]
  • Fetch the default password policy for an Active Directory domain.
    Get-ADDefaultDomainPasswordPolicy
       [-AuthType <ADAuthType>]
       [-Credential <PSCredential>]
       [[-Current] <ADCurrentDomainType>]
       [-Server <String>]
       [<CommonParameters>]
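
The two cmdlets above used together, as an added example that is not part of the original page: it reads the policy, reports settings weaker than a baseline, and previews the fix with -WhatIf. The baseline values, the `Get-PolicyDrift` helper, the `$UseLiveDomain` switch and the sample policy object are assumptions made for illustration.

```powershell
# Baseline values are assumptions for illustration; substitute your own standard.
$Baseline = @{
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    LockoutThreshold            = 10
    MinPasswordAge              = [TimeSpan]::FromDays(1)
}

# Constructed sample shaped like Get-ADDefaultDomainPasswordPolicy output,
# so the comparison logic can be exercised without a domain controller.
$SamplePolicy = [pscustomobject]@{
    DistinguishedName           = 'DC=example,DC=test'
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MinPasswordLength           = 7
    PasswordHistoryCount        = 24
    LockoutThreshold            = 0
    MinPasswordAge              = [TimeSpan]::FromDays(1)
}

function Get-PolicyDrift {
    param([Parameter(Mandatory)] $Policy, [Parameter(Mandatory)] [hashtable] $Baseline)
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $current = $Policy.$name
        $wanted  = $Baseline[$name]
        $weaker = switch ($name) {
            # Minimums: only a value below the baseline counts as drift.
            { $_ -in 'MinPasswordLength', 'PasswordHistoryCount', 'MinPasswordAge' } { $current -lt $wanted }
            # 0 means accounts never lock out; above the baseline allows more guesses.
            'LockoutThreshold' { ($current -eq 0) -or ($current -gt $wanted) }
            # Boolean settings must match the baseline exactly.
            default { $current -ne $wanted }
        }
        if ($weaker) {
            [pscustomobject]@{ Setting = $name; Current = $current; Baseline = $wanted }
        }
    }
}

$UseLiveDomain = $false   # set to $true on a host with the ActiveDirectory module
$policy = if ($UseLiveDomain) { Get-ADDefaultDomainPasswordPolicy } else { $SamplePolicy }
$drift  = @(Get-PolicyDrift -Policy $policy -Baseline $Baseline)
$drift | Format-Table Setting, Current, Baseline -AutoSize

if ($UseLiveDomain -and $drift.Count -gt 0) {
    $changes = @{}
    foreach ($d in $drift) { $changes[$d.Setting] = $d.Baseline }
    # -WhatIf previews the change without writing it; remove it to apply.
    Set-ADDefaultDomainPasswordPolicy -Identity $policy.DistinguishedName @changes -WhatIf
}
```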

With ADSelfService Plus

  • Configure a custom password policy via the Password Policy Enforcer
    • Go to ADSelfService Plus admin portal.
    • Navigate to Configuration > Self-Service > Password Policy Enforcer.
    • Enable Enforce Custom Password Policy.
    • Ban leaked or weak passwords, keyboard sequences, and palindromes.
    • Restrict consecutively repeated characters from the username or old password, as well as common character types at the beginning or end of the passwords.
    • Allow users to use Unicode characters in their passwords.
    • Display a password strength meter when users change or reset their AD passwords.
    • Enforce passphrases.
    • Click Save.

What are the limitations of domain password policies?

  • It does not offer password policy controls like banning dictionary or weak passwords, keyboard sequences, palindromes, etc.
  • It cannot be used in hybrid Active Directory environments.
  • Domain password policy cannot be applied to users based on their OU or group memberships.
  • No support to ensure users don't use breached passwords during password change and password reset.
  • It cannot display the password requirements to end users during change.

Advantages of ADSelfService Plus:

  • ADSelfService Plus offers options to block weak passwords, dictionary words, palindromes, and keyboard sequences to ensure strong user passwords.

  • Display the password requirements to end users during password change or reset operations.

  • Enforce custom password policy settings for password changes through the Windows logon (Ctrl+Alt+Del) screen and even during ADUC password resets.

  • ADSelfService Plus ensures users don't use breached passwords during password change and password reset by integrating with the Have I Been Pwned? service.
