PowerShell: Configuring Fine Grained Password Policies (PSO)

Since Windows Server 2008, Domain Administrators have been able to configure password policies per user and per group. This article shows how to set up such password policies (Password Settings Objects, PSOs) with PowerShell.

Prerequisites

Make sure your domain is running Domain Mode 2008 or higher: all Domain Controllers must run Windows Server 2008 or higher and the Domain Mode must be set to at least Windows Server 2008. To check, open PowerShell and run

Get-ADDomain | Select-Object DomainMode

To change the domain mode, run Set-ADDomainMode. Don’t worry about the domain name: we take it from the USERDNSDOMAIN environment variable. Example (Windows Server 2016 Domain Mode):

Set-ADDomainMode -Identity $env:userdnsdomain -DomainMode Windows2016Domain

Introduction

The Default Domain Policy

You surely know the purpose of the default password policy, which is part of the Default Domain Policy:

Get-ADDefaultDomainPasswordPolicy

This policy applies to all Active Directory users by default. Let’s configure new policies for particular users and/or groups.

The Active Directory Administrative Center (dsac.exe)

First of all: of course you can configure password policies using the graphical interface. Run dsac to open the Active Directory Administrative Center. Navigate to System – Password Settings Container and click New. Here you can configure your Password Settings in the GUI.

But in this article it’s all about PowerShell. 😉 Real men don’t click.

Configuring Fine Grained Password Policies with PowerShell

Suppose the goal is to configure a more restrictive policy for the members of the HR group. We want to set the minimum password length to 10 characters (default: 7). To do so we can use the New-ADFineGrainedPasswordPolicy cmdlet.

New-ADFineGrainedPasswordPolicy -Name "HR_length_10" -MinPasswordLength 10 -Precedence 1

Pay attention to the mandatory parameter Precedence. If multiple policies apply to the same user, the policy with the lowest precedence value is used. In other words: the lower the number, the higher the precedence. More about that later.

Adding Fine Grained Password Policies to users or groups

Now the previously created Password Settings Object must be assigned to the HR group.

Add-ADFineGrainedPasswordPolicySubject "HR_length_10" -Subjects "HR"

Checking the configuration

Now we are going to do some checks.

Get-ADFineGrainedPasswordPolicy

Let’s see what we have configured.

Get-ADFineGrainedPasswordPolicy "HR_length_10"

Get-ADGroup

Get-ADGroup "HR" -Properties msDS-PSOApplied | Select-Object msDS-PSOApplied

That looks good. The policy is assigned to the HR group.
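The steps above (prerequisite check, creating the PSO, linking it to the group, verifying the link) collected into one re-runnable script. This is an added example, not code from the original article: the policy name HR_strict, its precedence 5 and the lockout and age values are assumptions chosen for illustration; the group name HR is the one used in the article. The script is idempotent, so running it twice neither creates a second PSO nor fails on an existing link.

```powershell
# Added example: create a complete Password Settings Object, link it to a
# group and verify the link from both sides. Names and values are assumptions.
Import-Module ActiveDirectory

$PsoName   = 'HR_strict'   # assumed PSO name
$GroupName = 'HR'          # group used in the article

# 1. Prerequisite: PSOs require at least the Windows Server 2008 domain mode.
$domain = Get-ADDomain
$unsupported = 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain'
if ($domain.DomainMode.ToString() -in $unsupported) {
    throw "Domain mode $($domain.DomainMode) does not support fine grained password policies."
}

# 2. Create the PSO only if it does not exist yet. Besides the minimum length
#    the PSO carries the full set of password and lockout settings, so a PSO
#    that only sets MinPasswordLength still overrides history, age and lockout
#    for its subjects; set them explicitly instead of relying on defaults.
$pso = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'"
if (-not $pso) {
    $pso = New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 5 `
        -MinPasswordLength 14 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
        -LockoutDuration (New-TimeSpan -Minutes 15) `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true `
        -PassThru
    Write-Output "Created PSO $($pso.Name) (precedence $($pso.Precedence))."
}

# 3. Link the PSO to the group unless the group is already a subject.
$group    = Get-ADGroup -Identity $GroupName
$subjects = @(Get-ADFineGrainedPasswordPolicySubject -Identity $PsoName)
if ($subjects.DistinguishedName -notcontains $group.DistinguishedName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $group
    Write-Output "Linked $PsoName to group $GroupName."
}

# 4. Verify: the group's msDS-PSOApplied must list the PSO, and the PSO's
#    subject list must contain the group. Both are read back from AD.
$applied = @((Get-ADGroup -Identity $GroupName -Properties 'msDS-PSOApplied').'msDS-PSOApplied')
$subjects = @(Get-ADFineGrainedPasswordPolicySubject -Identity $PsoName)

[pscustomobject]@{
    PSO               = $pso.Name
    Precedence        = $pso.Precedence
    MinPasswordLength = $pso.MinPasswordLength
    GroupHasPSO       = $applied -contains $pso.DistinguishedName
    PSOHasGroup       = $subjects.DistinguishedName -contains $group.DistinguishedName
}
```

The two verification flags at the end should both be True; if only one is, the link attribute (msDS-PSOAppliesTo on the PSO, back-linked as msDS-PSOApplied on the group) has not replicated yet or the script is talking to a different Domain Controller than the one that wrote it.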

Playing with Precedence Orders (msDS-ResultantPSO)

As mentioned, precedence decides which policy wins. The lower the number, the higher the precedence. Let’s configure another PSO for the HR group, set its precedence to 10 and configure a minimum password length of 20.

New-ADFineGrainedPasswordPolicy -Name "HR_length_20" -MinPasswordLength 20 -Precedence 10
Add-ADFineGrainedPasswordPolicySubject "HR_length_20" -Subjects "HR"

Now we have configured two password policies. Both are assigned to HR.

Which of them is used? Remember, Petra is a member of the HR group. Let’s have a look at Petra’s account. And the winner is …

Get-ADUserResultantPasswordPolicy petra

Or check the msDS-ResultantPSO Attribute:

The lower the number, the higher the precedence: HR_length_10 (precedence 1) wins over HR_length_20 (precedence 10).
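With several PSOs in play it is easy to lose track of which one really applies to whom. The following audit script is an added example and not part of the original article; it assumes the group name HR from the article and nothing else. It lists every PSO in the domain in winning order, warns about two PSOs sharing the same precedence value (the tie is then broken by the PSO with the lowest objectGUID, which nobody plans for), and prints the resultant policy for every user in the group, reading both Get-ADUserResultantPasswordPolicy and the msDS-ResultantPSO attribute shown above. It also flags users that have a PSO linked directly, because a directly linked PSO beats any group PSO regardless of its precedence value.

```powershell
# Added example: audit PSO precedence and the resultant policy per group member.
Import-Module ActiveDirectory

$GroupName = 'HR'   # group used in the article

# All PSOs in the domain, winner first (lowest precedence, then lowest GUID).
$psos = Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence, ObjectGUID

Write-Output 'Password Settings Objects in order of precedence:'
foreach ($p in $psos) {
    $subjects = @(Get-ADFineGrainedPasswordPolicySubject -Identity $p).Name -join ', '
    '{0,4}  {1,-20} MinLength={2,-3} Subjects: {3}' -f $p.Precedence, $p.Name, $p.MinPasswordLength, $subjects
}

# Duplicate precedence values are a configuration smell worth warning about.
$psos | Group-Object Precedence | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ('Precedence {0} is used by more than one PSO: {1}' -f $_.Name, ($_.Group.Name -join ', '))
}

# Resultant policy per user in the group, nested group members included.
$defaultMinLength = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength

Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        # msDS-ResultantPSO is a constructed attribute; it must be requested explicitly.
        $user      = Get-ADUser -Identity $_.DistinguishedName -Properties 'msDS-ResultantPSO', 'msDS-PSOApplied'
        $resultant = Get-ADUserResultantPasswordPolicy -Identity $user   # $null if only the domain default applies

        [pscustomobject]@{
            User           = $user.SamAccountName
            ResultantPSO   = if ($resultant) { $resultant.Name } else { 'Default Domain Policy' }
            Precedence     = if ($resultant) { $resultant.Precedence } else { $null }
            MinLength      = if ($resultant) { $resultant.MinPasswordLength } else { $defaultMinLength }
            ResultantPSODN = $user.'msDS-ResultantPSO'
            DirectLink     = [bool]$user.'msDS-PSOApplied'   # PSO linked to the user itself overrides group PSOs
        }
    } | Format-Table -AutoSize
```

Run it after the two HR policies from this article exist and Petra's row shows HR_length_10 with precedence 1 and MinLength 10; the ResultantPSODN column is the same distinguished name the msDS-ResultantPSO attribute displays in the Administrative Center.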

Have fun playing with password policies!

See also

PowerShell: Changing Active Directory user logon names (Bulk)

Securing Active Directory: Who can add computers to the domain? Only the domain admin. Are you sure?

WHOIS

My name is Patrick Grünauer (pewa2303). I am from Austria. On sid-500 I write about Windows, Cisco and IT-Security in English and German. Have fun while reading!

Patrick Gruenauer