How to: Manage GPO-based password policies with PowerShell
The PowerShell scripts given below can be used to manage the default password policy for an Active Directory domain. ADSelfService Plus, the Active Directory self-service password management and single sign-on solution, provides advanced password policy settings that can be applied for hybrid Active Directory. The following is a comparison between group policy object (GPO)-based domain password policy settings available in Windows Active Directory and ADSelfService Plus:
With PowerShell
- Modify the default password policy for an Active Directory domain
Set-ADDefaultDomainPasswordPolicy [-WhatIf] [-Confirm] [-AuthType <ADAuthType>] [-ComplexityEnabled <Boolean>] [-Credential <PSCredential>] [-Identity] <ADDefaultDomainPasswordPolicy> [-LockoutDuration <TimeSpan>] [-LockoutObservationWindow <TimeSpan>] [-LockoutThreshold <Int32>] [-MaxPasswordAge <TimeSpan>] [-MinPasswordAge <TimeSpan>] [-MinPasswordLength <Int32>] [-PassThru] [-PasswordHistoryCount <Int32>] [-ReversibleEncryptionEnabled <Boolean>] [-Server <String>] [<CommonParameters>]
- Fetch the default password policy for an Active Directory domain.
Get-ADDefaultDomainPasswordPolicy [-AuthType <ADAuthType>] [-Credential <PSCredential>] [[-Current] <ADCurrentDomainType>] [-Server <String>] [<CommonParameters>]
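The following script is an added example (not code from this page or from ADSelfService Plus) showing the two cmdlets above used together: it reads the current default domain policy with Get-ADDefaultDomainPasswordPolicy, compares each setting against a baseline, and then applies the baseline with Set-ADDefaultDomainPasswordPolicy behind a -WhatIf dry run. It assumes the RSAT ActiveDirectory module is installed and that the caller has rights to edit the Default Domain Policy; the baseline values, the function names Test-DefaultPasswordPolicy and Set-DefaultPasswordPolicyBaseline, and the $Baseline table are constructed for this example, not a published standard.

```powershell
# Added example, not code from the page or from ADSelfService Plus.
# Audits the domain default password policy against a baseline with
# Get-ADDefaultDomainPasswordPolicy, then optionally applies the baseline with
# Set-ADDefaultDomainPasswordPolicy. Assumes the RSAT ActiveDirectory module and
# rights to edit the Default Domain Policy; baseline values are illustrative.
Import-Module ActiveDirectory

# Baseline values (constructed for this example, not a published standard).
$Baseline = [ordered]@{
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false                  # stores recoverable passwords if on
    LockoutThreshold            = 10                      # 0 would disable lockout entirely
    LockoutObservationWindow    = (New-TimeSpan -Minutes 15)
    LockoutDuration             = (New-TimeSpan -Minutes 15)
    MinPasswordAge              = (New-TimeSpan -Days 1)  # stops users cycling through history
    MaxPasswordAge              = (New-TimeSpan -Days 365) # 0 means passwords never expire
}

function Test-DefaultPasswordPolicy {
    # Returns one object per setting with Actual, Expected and a Compliant flag.
    [CmdletBinding()]
    param([string]$Server)   # optional DC to query; the module picks one otherwise

    $getArgs = @{ Current = 'LoggedOnUser' }
    if ($Server) { $getArgs['Server'] = $Server }
    $policy = Get-ADDefaultDomainPasswordPolicy @getArgs

    foreach ($name in $Baseline.Keys) {
        $actual   = $policy.$name
        $expected = $Baseline[$name]
        $compliant = switch ($name) {
            # "at least" settings
            'MinPasswordLength'        { $actual -ge $expected }
            'PasswordHistoryCount'     { $actual -ge $expected }
            'MinPasswordAge'           { $actual -ge $expected }
            'LockoutObservationWindow' { $actual -ge $expected }
            # a duration of 0 means "locked until an administrator unlocks", which is stricter
            'LockoutDuration'          { $actual -eq [TimeSpan]::Zero -or $actual -ge $expected }
            # "enabled and at most" settings, where 0 means the control is switched off
            'LockoutThreshold'         { $actual -gt 0 -and $actual -le $expected }
            'MaxPasswordAge'           { $actual -gt [TimeSpan]::Zero -and $actual -le $expected }
            default                    { $actual -eq $expected }
        }
        [pscustomobject]@{
            Setting   = $name
            Actual    = $actual
            Expected  = $expected
            Compliant = [bool]$compliant
        }
    }
}

function Set-DefaultPasswordPolicyBaseline {
    # Applies every baseline value in one call; -WhatIf shows the change without making it.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Server)

    $domain  = (Get-ADDomain).DNSRoot
    $setArgs = @{ Identity = $domain }
    foreach ($name in $Baseline.Keys) { $setArgs[$name] = $Baseline[$name] }
    if ($Server) { $setArgs['Server'] = $Server }

    if ($PSCmdlet.ShouldProcess($domain, 'Apply password policy baseline')) {
        Set-ADDefaultDomainPasswordPolicy @setArgs
    }
}

# Usage: report first, then dry-run the change, and apply only after reviewing the report.
Test-DefaultPasswordPolicy | Format-Table -AutoSize
Set-DefaultPasswordPolicyBaseline -WhatIf
# Set-DefaultPasswordPolicyBaseline   # uncomment to apply the baseline
```

The audit distinguishes "at least" settings from settings where a value of 0 disables the control (lockout threshold, maximum password age), since a plain equality check would report those as compliant when they are in fact off. Because the change is gated by ShouldProcess, the script can be scheduled to report continuously and only applies the baseline when run without -WhatIf.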
With ADSelfService Plus
- Configure a custom password policy via the Password Policy Enforcer
- Go to ADSelfService Plus admin portal.
- Navigate to Configuration > Self-Service > Password Policy Enforcer.
- Enable Enforce Custom Password Policy.
- Ban leaked or weak passwords, keyboard sequences, and palindromes.
- Restrict consecutively repeated characters from the username or old password, as well as common character types at the beginning or end of the passwords.
- Allow users to use Unicode characters in their passwords.
- Display a password strength meter when users change or reset their AD passwords.
- Enforce passphrases.
- Click Save.
What are the limitations of domain password policies?
- Domain password policies do not offer controls such as banning dictionary or weak passwords, keyboard sequences, palindromes, etc.
- They cannot be used in hybrid Active Directory environments.
- The domain password policy cannot be applied to users based on their OU or group memberships.
- There is no support for ensuring users don't use breached passwords during password change and password reset.
- They cannot display the password requirements to end users during a password change.
- ADSelfService Plus offers options to block weak passwords, dictionary words, palindromes, and keyboard sequences to ensure strong user passwords.
- It displays the password requirements to end users during password change or reset operations.
- It enforces custom password policy settings for password changes through the Windows logon (Ctrl+Alt+Del) screen and even during ADUC password resets.
- ADSelfService Plus ensures users don't use breached passwords during password change and password reset through integration with the Have I Been Pwned? service.