How to: Manage GPO-based password policies with PowerShell
The PowerShell scripts given below can be used to manage the default password policy for an Active Directory domain. ADSelfService Plus, the Active Directory self-service password management and single sign-on solution, provides advanced password policy settings that can be applied for hybrid Active Directory. The following is a comparison between group policy object (GPO)-based domain password policy settings available in Windows Active Directory and ADSelfService Plus:
- Modify the default password policy for an Active Directory domain
Set-ADDefaultDomainPasswordPolicy [-WhatIf] [-Confirm] [-AuthType <ADAuthType>] [-ComplexityEnabled <Boolean>] [-Credential <PSCredential>] [-Identity] <ADDefaultDomainPasswordPolicy> [-LockoutDuration <TimeSpan>] [-LockoutObservationWindow <TimeSpan>] [-LockoutThreshold <Int32>] [-MaxPasswordAge <TimeSpan>] [-MinPasswordAge <TimeSpan>] [-MinPasswordLength <Int32>] [-PassThru] [-PasswordHistoryCount <Int32>] [-ReversibleEncryptionEnabled <Boolean>] [-Server <String>] [<CommonParameters>]
- Fetch the default password policy for an Active Directory domain.
Get-ADDefaultDomainPasswordPolicy [-AuthType <ADAuthType>] [-Credential <PSCredential>] [[-Current] <ADCurrentDomainType>] [-Server <String>] [<CommonParameters>]
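The two cmdlets above are usually combined: read the current default domain policy, compare it with the baseline you have decided on, and preview the correction with -WhatIf before applying it. The script below is an added example written for this page, not ManageEngine's or Microsoft's code; the domain name 'corp.example.com', the baseline values and the helper name Test-DefaultPasswordPolicy are placeholders chosen for illustration. It assumes the ActiveDirectory RSAT module is installed and that the caller can read the domain object.

```powershell
# Added example (not from the original page): audit the default domain password policy
# against a baseline and preview the corrective Set- call with -WhatIf.
# Assumptions: ActiveDirectory module available; 'corp.example.com' is a placeholder domain;
# the baseline values below are illustrative, not a recommendation from the page.
Import-Module ActiveDirectory

$Domain = 'corp.example.com'   # placeholder: replace with your domain FQDN or DN

# Baseline the live policy is checked against (illustrative values).
$Baseline = @{
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 10
    LockoutDuration             = [TimeSpan]::FromMinutes(15)
    LockoutObservationWindow    = [TimeSpan]::FromMinutes(15)
    MinPasswordAge              = [TimeSpan]::FromDays(1)
    MaxPasswordAge              = [TimeSpan]::FromDays(365)
}

function Test-DefaultPasswordPolicy {
    # Hypothetical helper: returns one row per baseline setting with a Compliant flag.
    param(
        [Parameter(Mandatory)] [string]    $Identity,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    $policy = Get-ADDefaultDomainPasswordPolicy -Identity $Identity
    foreach ($name in $Baseline.Keys) {
        $current  = $policy.$name
        $expected = $Baseline[$name]
        # "At least as strict" passes for lengths, history and ages; lockout threshold
        # must be enabled (>0) and no looser than the baseline; booleans must match.
        $ok = switch ($name) {
            'MinPasswordLength'        { $current -ge $expected }
            'PasswordHistoryCount'     { $current -ge $expected }
            'MinPasswordAge'           { $current -ge $expected }
            'LockoutDuration'          { $current -ge $expected }
            'LockoutObservationWindow' { $current -ge $expected }
            'LockoutThreshold'         { ($current -gt 0) -and ($current -le $expected) }
            'MaxPasswordAge'           { ($current -gt [TimeSpan]::Zero) -and ($current -le $expected) }
            default                    { $current -eq $expected }
        }
        [pscustomobject]@{
            Setting   = $name
            Current   = $current
            Expected  = $expected
            Compliant = [bool]$ok
        }
    }
}

$report = Test-DefaultPasswordPolicy -Identity $Domain -Baseline $Baseline
$report | Format-Table -AutoSize

# Build a splat containing only the non-compliant settings and preview the change.
# Remove -WhatIf once the preview shows exactly the settings you intend to change.
$fix = @{}
foreach ($row in ($report | Where-Object { -not $_.Compliant })) {
    $fix[$row.Setting] = $row.Expected
}
if ($fix.Count -gt 0) {
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain @fix -WhatIf
}
```

Because the hashtable keys are the cmdlet's own parameter names, splatting it into Set-ADDefaultDomainPasswordPolicy changes only the settings that failed the check. One caveat worth keeping in mind: the cmdlet writes to attributes on the domain object, while the same settings are also defined in the Default Domain Policy GPO, so keep the GPO and the cmdlet-applied values consistent rather than relying on one to override the other.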
With ADSelfService Plus
- Configure a custom password policy via the Password Policy Enforcer
- Go to ADSelfService Plus admin portal.
- Navigate to Configuration > Self-Service > Password Policy Enforcer.
- Enable Enforce Custom Password Policy.
- Ban leaked or weak passwords, keyboard sequences, and palindromes.
- Restrict consecutively repeated characters from the username or old password, as well as common character types at the beginning or end of the passwords.
- Allow users to use Unicode characters in their passwords.
- Display a password strength meter when users change or reset their AD passwords.
- Enforce passphrases.
- Click Save.
What are the limitations of domain password policies?
- It does not offer password policy controls like banning dictionary or weak passwords, keyboard sequences, palindromes, etc.
- It cannot be used in hybrid Active Directory environments.
- Domain password policy cannot be applied to users based on their OU or group memberships.
- There is no support for ensuring that users don't choose breached passwords during password change and password reset.
- It cannot display the password requirements to end users during change.
ADSelfService Plus offers options to block weak passwords, dictionary words, palindromes, and keyboard sequences to ensure strong user passwords.
It displays the password requirements to end users during password change or reset operations.
It enforces custom password policy settings for password changes made through the Windows logon (Ctrl+Alt+Del) screen and even during ADUC password resets.
ADSelfService Plus ensures users don't use breached passwords during password change and password reset by integrating with the Have I Been Pwned? service.