Pricing  Get Quote
 
 

How to: Managing fine-grained password policies via PowerShell

Password policies are crucial for enforcing the creation of strong passwords and protecting users from credential-based attacks. The PowerShell scripts given below can be used to manage the fine-grained password policy and default domain policy for an Active Directory domain. ADSelfService Plus, the identity security solution with multi-factor authentication, single sign-on, and self-service password management capabilities, provides advanced password policy settings that can be applied for both on-premises and cloud applications. The following is a comparison between the PowerShell scripts used to manage fine-grained password policy settings and ADSelfService Plus.

With PowerShell

    Run the following scripts in PowerShell:
  • Create a new Active Directory fine-grained password policy 
    	New-ADFineGrainedPasswordPolicy
   [-WhatIf]
   [-Confirm]
   [-AuthType <ADAuthType>]
   [-ComplexityEnabled <Boolean>]
   [-Credential <PSCredential>]
   [-Description <String>]
   [-DisplayName <String>]
   [-Instance <ADFineGrainedPasswordPolicy>]
   [-LockoutDuration <TimeSpan>]
   [-LockoutObservationWindow <TimeSpan>]
   [-LockoutThreshold <Int32>]
   [-MaxPasswordAge <TimeSpan>]
   [-MinPasswordAge <TimeSpan>]
   [-MinPasswordLength <Int32>]
   [-Name] <String>
   [-OtherAttributes <Hashtable>]
   [-PassThru]
   [-PasswordHistoryCount <Int32>]
   [-Precedence] <Int32>
   [-ProtectedFromAccidentalDeletion <Boolean>]
   [-ReversibleEncryptionEnabled <Boolean>]
   [-Server <String>]
   [<CommonParameters>]
     Copied
    Click to copy entire script
  • Perform a search to retrieve one or multiple fine-grained password policies 
    Get-ADFineGrainedPasswordPolicy
   [-AuthType <ADAuthType>]
   [-Credential <PSCredential>]
   [-Identity] <ADFineGrainedPasswordPolicy>
   [-Properties <String[]>]
   [-Server <String>]
   [<CommonParameters>]
  • Perform a search to retrieve one or multiple default domain password policies 
    Get-ADDefaultDomainPasswordPolicy
   [-AuthType <ADAuthType>]
   [-Credential <PSCredential>]
   [-Current <ADCurrentDomainType>]
   [-Server <String>]
   [<CommonParameters>]

With ADSelfService Plus:

  • Configure a custom password policy via the Password Policy Enforcer feature
    • Log into the ADSelfService Plus admin portal.
    • Navigate to Configuration > Self-Service > Password Policy Enforcer.
    • Enable Enforce Custom Password Policy.
      Steps to enable a custom password policy using ADSelfService Plus
    • From the Restrict Characters tab:
      • Set the number of special and numeric characters that must be used.
      • Allow inclusion of unicode characters.
      • Mandate a minimum number of lowercase and uppercase alphabets.
      • Disallow numeric last characters.
    • In the Restrict Repetition tab, restrict use of strings from the username or old passwords, as well as consecutive repetition of the same character.
      Steps to restrict character repetition in passwords using ADSelfService Plus
    • In the Restrict Pattern tab, ban dictionary words or weak passwords, keyboard patterns, and palindromes.
      Steps to restrict common patterns in passwords using ADSelfService Plus
    • In the Restrict Length tab, specify the minimum and maximum password length.
      Steps to restrict password length using Password Policy Enforcer in ADSelfService Plus
    • Use the Password must satisfy at least _ of the above complexity requirements setting to enable users to choose the rules they want to adhere to without compromising on password security.
    • Use the Override all complexity rules if password length is at least _ setting to enforce passphrases instead of password complexity rules if the password length is above a set number.
    • Click Save.

Advantages of ADSelfService Plus over PowerShell:

  • ADSelfService Plus' advanced password policy settings bans dictionary and weak passwords, palindromes, keyboard patterns, and more.
  • ADSelfService Plus integrates with Have I Been Pwned? service to ensure that users don't use breached passwords during password change and password reset.
  • Display the password requirements to end users during password change or reset operations on the Ctrl+Alt+Del screen.
  • Enforce custom password policy settings even for password changes through the Windows logon (Ctrl+Alt+Del) screen and during ADUC password resets.
Salient features of ADSelfService Plus
  • Defence against cyberattacks:

    Ensures users don't use easily exploitable passwords like pass@123.

  • Improves IT security:

    Provides advanced multi-factor authentication techniques including biometrics and YubiKey.

  • Universal enforcement:

    Admins can enforce the custom password policies for both Active Directory and cloud applications.

  • OU and group-based enforcement:

    Admins can choose to enforce different password policies for users based on their OU and group memberships.

Defense against cyber-terrorism with custom password policy controls.

  Get 30-day free trial.

Related Resources

RELATED PRODUCTS

ADSelfService Plus trusted by

A single pane of glass for complete self service password management
Password Self-ServiceDirectory Self-ServiceOne IdentitySecurityRelated Products

A single pane of glass for complete self service password management

Free Trial Get Quote
Email Download Link