How to: Managing fine-grained password policies via PowerShell
The PowerShell cmdlets given below can be used to manage fine-grained password policies (password settings objects, or PSOs) in an Active Directory domain. Unlike the default domain password policy, a PSO applies only to the users and global security groups it is linked to. ADSelfService Plus, the Active Directory self-service password management and single sign-on solution, provides advanced password policy settings that can be applied to both on-premises and cloud applications. The following is a comparison between the PowerShell cmdlets used to manage fine-grained password policy settings and ADSelfService Plus:
With PowerShell
- Create a new Active Directory fine-grained password policy
New-ADFineGrainedPasswordPolicy [-WhatIf] [-Confirm] [-AuthType <ADAuthType>] [-ComplexityEnabled <Boolean>] [-Credential <PSCredential>] [-Description <String>] [-DisplayName <String>] [-Instance <ADFineGrainedPasswordPolicy>] [-LockoutDuration <TimeSpan>] [-LockoutObservationWindow <TimeSpan>] [-LockoutThreshold <Int32>] [-MaxPasswordAge <TimeSpan>] [-MinPasswordAge <TimeSpan>] [-MinPasswordLength <Int32>] [-Name] <String> [-OtherAttributes <Hashtable>] [-PassThru] [-PasswordHistoryCount <Int32>] [-Precedence] <Int32> [-ProtectedFromAccidentalDeletion <Boolean>] [-ReversibleEncryptionEnabled <Boolean>] [-Server <String>] [<CommonParameters>]
- Perform a search to retrieve one or multiple fine-grained password policies.
Get-ADFineGrainedPasswordPolicy [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Identity] <ADFineGrainedPasswordPolicy> [-Properties <String[]>] [-Server <String>] [<CommonParameters>]
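The two cmdlets above only create and read a PSO; a PSO has no effect until it is linked to users or global security groups, and the effective policy for a user is the linked PSO with the lowest precedence value. The following script, an added example that is not part of the original page or of ADSelfService Plus, creates a stricter policy for a privileged group, links it, lists all PSOs, and verifies the resultant policy for one user. The group name Admins-Tier0, the user jdoe and the PSO name are placeholders; the script assumes the RSAT ActiveDirectory module and an account that can create objects in the Password Settings Container.

```powershell
# Added example (not from the page): create, link and verify a fine-grained
# password policy. Group, user and PSO names below are assumed placeholders.
Import-Module ActiveDirectory

$psoName = 'PSO-Tier0-Admins'
$group   = 'Admins-Tier0'   # must be a user or a GLOBAL security group; OUs cannot be subjects
$user    = 'jdoe'           # assumed member of $group

# Precedence: when several PSOs cover a user, the lowest number wins.
# LockoutObservationWindow must not exceed LockoutDuration or creation fails.
$params = @{
    Name                            = $psoName
    Precedence                      = 10
    ComplexityEnabled               = $true
    MinPasswordLength               = 16
    PasswordHistoryCount            = 24
    MinPasswordAge                  = [TimeSpan]::FromDays(1)
    MaxPasswordAge                  = [TimeSpan]::FromDays(90)
    LockoutThreshold                = 5
    LockoutObservationWindow        = [TimeSpan]::FromMinutes(30)
    LockoutDuration                 = [TimeSpan]::FromMinutes(30)
    ReversibleEncryptionEnabled     = $false   # never store reversible passwords
    ProtectedFromAccidentalDeletion = $true
    Description                     = 'Stricter policy for Tier 0 administrators'
}

# Create the PSO only if it does not already exist (idempotent re-runs).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy @params
}

# Link the PSO to the group; without this step the policy is inert.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Review every PSO in the domain with the settings and subjects that matter.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount,
                  LockoutThreshold, ComplexityEnabled, AppliesTo |
    Format-Table -AutoSize

# Confirm which PSO is actually effective for the user. If nothing is
# returned, only the Default Domain Policy applies to that account.
Get-ADUserResultantPasswordPolicy -Identity $user
```

Two caveats a practitioner should keep in mind: fine-grained password policies require a domain functional level of Windows Server 2008 or higher, and they can only be applied to users and global security groups, not to organizational units. They also enforce length, history, age, complexity and lockout settings only; they cannot reject dictionary words, keyboard sequences or breached passwords, which is the gap the ADSelfService Plus settings below are meant to fill.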
With ADSelfService Plus
- Configure a custom password policy via the Password Policy Enforcer
- Go to ADSelfService Plus admin portal.
- Navigate to Configuration > Self-Service > Password Policy Enforcer.
- Enable Enforce Custom Password Policy.
- Ban dictionary or weak passwords, keyboard sequences, and palindromes.
- Restrict consecutively repeated characters, characters taken from the username or the old password, and common character types at the beginning or end of the password.
- Allow users to use Unicode characters in their passwords.
- Display a password strength meter when users change or reset their AD passwords.
- Enforce passphrases instead of password complexity rules if the password length is above a set number.
- Click Save.
Advantages of ADSelfService Plus
- ADSelfService Plus' advanced password policy settings ban dictionary and weak passwords, palindromes, keyboard sequences, and more.
- ADSelfService Plus integrates with the Have I Been Pwned service to ensure that users don't choose breached passwords during password change and password reset.
- Display the password requirements to end users during password change or reset operations on the Ctrl+Alt+Del screen.
- Enforce custom password policy settings even for password changes through the Windows logon (Ctrl+Alt+Del) screen and during ADUC password resets.
- Defence against cyberattacks:
Ensures users don't use easily exploitable passwords like pass@123.
- Improves IT security:
Provides advanced multi-factor authentication techniques including biometrics and YubiKey.
- Universal enforcement:
Admins can enforce the custom password policies for both Active Directory and cloud applications.
- OU and group-based enforcement:
Admins can choose to enforce different password policies for users based on their OU and group memberships.