Manage Fine-Grained Password Policies with PowerShell

One of the major new features in the upcoming Windows Server 2008 (aka Longhorn) is granular password policies. The feature allows you to have multiple password policies within a single AD domain, so you can fine-tune security in your organization more precisely.

You can find pretty good write-ups about the feature, and about using ADSIEdit to manage it, at 4sysops and Ulf’s blog. However, as Richard pointed out recently, using PowerShell to manage the policies is much easier than ADSIEdit, so here’s a transcript of me experimenting with them in my Longhorn (Beta 3) lab (using AD cmdlets 1.0.3):

PS C:\> # Get the list of all password policies in the domain
PS C:\> Get-QADPasswordSettingsObject

Name      Type               DN
----      ----               --
new pso   msDS-PasswordSe... CN=new pso,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft
PSO2      msDS-PasswordSe... CN=PSO2,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft


PS C:\> # Let's see all settings of a particular policy
PS C:\> Get-QADPasswordSettingsObject pso | Format-List

AppliesTo                   : {CN=Haruki.Murakami,OU=Demo,DC=cow,DC=spb,DC=qsft, CN=Event Log Readers,CN=Builtin,DC=cow,DC=spb,DC=qsft}

CanonicalName               : cow.spb.qsft/System/Password Settings Container/PSO2

CreationDate                : 5/16/2007 4:50:29 PM

Description                 : 

DisplayName                 : 

DN                          : CN=PSO2,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft

Guid                        : 59632928-e3ff-4ced-afbf-c99ba2b60a8d

LockoutDuration             : -00:30:00

LockoutThreshold            : 0

MaximumPasswordAge          : -20.00:00:00

MinimumPasswordAge          : -1.00:00:00

MinimumPasswordLength       : 8

ModificationDate            : 6/18/2007 11:03:13 AM

Name                        : PSO2

PasswordComplexityEnabled   : True

PasswordHistoryLength       : 24

Precedence                  : 10

ResetLockoutCounterAfter    : -00:30:00

ReversibleEncryptionEnabled : False

Type                        : msDS-PasswordSettings


PS C:\> # Create a new policy, set a few attributes and leave the rest default
PS C:\> New-QADPasswordSettingsObject -Name BeatlesPolicy -Precedence 5 -PasswordHistoryLength 10 -PasswordComplexityEnabled $true

Name            Type               DN
----            ----               --
BeatlesPolicy   msDS-PasswordSe... CN=BeatlesPolicy,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft


PS C:\> # See the properties of the new policy
PS C:\> Get-QADPasswordSettingsObject BeatlesPolicy | Format-List

AppliesTo                   : 

CanonicalName               : cow.spb.qsft/System/Password Settings Container/BeatlesPolicy

CreationDate                : 6/18/2007 11:41:17 AM

Description                 : 

DisplayName                 : 

DN                          : CN=BeatlesPolicy,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft

Guid                        : c76a72fd-6612-4647-b279-b42cf648e4eb

LockoutDuration             : -00:30:00

LockoutThreshold            : 5

MaximumPasswordAge          : -42.00:00:00

MinimumPasswordAge          : -30.00:00:00

MinimumPasswordLength       : 0

ModificationDate            : 6/18/2007 11:41:17 AM

Name                        : BeatlesPolicy

PasswordComplexityEnabled   : True

PasswordHistoryLength       : 10

Precedence                  : 5

ResetLockoutCounterAfter    : -00:30:00

ReversibleEncryptionEnabled : False

Type                        : msDS-PasswordSettings


PS C:\> # Link the policy to the COW\Beatles group
PS C:\> Add-QADPasswordSettingsObjectAppliesTo BeatlesPolicy -AppliesTo COW\Beatles

Name          Type               DN                                                                               

----          ----               --                                                                               

BeatlesPolicy msDS-PasswordSe... CN=BeatlesPolicy,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft  


PS C:\> # See where all the policies are linked now
PS C:\> Get-QADPasswordSettingsObject | Format-List Name, AppliesTo

Name      : new pso

AppliesTo : {CN=Kelly Smith,CN=Users,DC=cow,DC=spb,DC=qsft, CN=Event Log Readers,CN=Builtin,DC=cow,DC=spb,DC=qsft}



Name      : PSO2

AppliesTo : {CN=Haruki.Murakami,OU=Demo,DC=cow,DC=spb,DC=qsft, CN=Event Log Readers,CN=Builtin,DC=cow,DC=spb,DC=qsft}



Name      : BeatlesPolicy

AppliesTo : {CN=Beatles,CN=Users,DC=cow,DC=spb,DC=qsft}


PS C:\> # Check resultant policy for user jlennon (note that the Beatles policy got applied via group membership)
PS C:\> Get-QADUser jlennon -IncludedProperties Msds-ResultantPSo | Format-Table Name, Msds-ResultantPSo

Name         msDS-ResultantPSO                                          

----         -----------------                                          

John Lennon  CN=BeatlesPolicy,CN=Password Settings Container,CN=Syste...


PS C:\> # Check the resultant policy and note that the one linked directly won
PS C:\> Get-QADUser jlennon -IncludedProperties Msds-ResultantPSo | Format-Table Name, Msds-ResultantPSo

Name        msDS-ResultantPSO                                          

----        -----------------                                          

John Lennon CN=BeatlesPolicy,CN=Password Settings Container,CN=Syste...


PS C:\> # Check where the policy is applied
PS C:\> Get-QADPasswordSettingsObject PSO2 | Format-List Name, AppliesTo

Name      : PSO2

AppliesTo : {CN=Haruki.Murakami,OU=Demo,DC=cow,DC=spb,DC=qsft, CN=Event Log Readers,CN=Builtin,DC=cow,DC=spb,DC=qsft}


PS C:\> # Unlink the policy
PS C:\> Remove-QADPasswordSettingsObjectAppliesTo PSO2 -AppliesTo COW\jlennon

Name  Type               DN                                                                               

----  ----               --                                                                               

PSO2  msDS-PasswordSe... CN=PSO2,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft           


PS C:\> # Resultant policy changed back to the group one
PS C:\> Get-QADUser jlennon -IncludedProperties Msds-ResultantPSo | Format-Table Name, Msds-ResultantPSo

Name         msDS-ResultantPSO                                          

----         -----------------                                          

John Lennon  CN=BeatlesPolicy,CN=Password Settings Container,CN=Syste...


PS C:\> # Remove the policy from the directory
PS C:\> Remove-QADObject BeatlesPolicy

Warning!
Are you sure you want to delete this object: CN=BeatlesPolicy,CN=Password Settings
Container,CN=System,DC=cow,DC=spb,DC=qsft?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Y
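Two checks I would run after a session like this, as an added example (this is not code from the post or from the Quest cmdlets' documentation). It uses the same Quest cmdlets as the transcript (Get-QADPasswordSettingsObject, Get-QADUser) and additionally assumes Get-QADGroupMember and the MemberOf property of the user object, that the snap-in is loaded and connected to the domain, and that the Quest AppliesTo property is a list of DN strings; the baseline values, the function names and the COW\Beatles group are assumptions. Part 1 flags PSOs whose settings are weaker than a baseline (the transcript's new policy was created with MinimumPasswordLength 0, and PSO2 has LockoutThreshold 0, so both would show up). Part 2 recomputes which PSO should win for each member of a group from the precedence rules (a directly linked PSO beats one inherited via group; otherwise the lowest Precedence value wins) and compares that with the msDS-ResultantPSO the domain controller reports.

```powershell
# Added example, not part of the original post. Assumes the Quest AD cmdlets
# snap-in is loaded and connected. $Baseline is an assumed local standard.
$Baseline = @{ MinimumPasswordLength = 8; PasswordHistoryLength = 10; LockoutThreshold = 10 }

# Part 1: report PSOs whose settings are weaker than the baseline.
function Test-PsoAgainstBaseline {
    param($Pso)
    $findings = @()
    if ($Pso.MinimumPasswordLength -lt $Baseline.MinimumPasswordLength) {
        $findings += "MinimumPasswordLength $($Pso.MinimumPasswordLength) below $($Baseline.MinimumPasswordLength)"
    }
    if ($Pso.PasswordHistoryLength -lt $Baseline.PasswordHistoryLength) {
        $findings += "PasswordHistoryLength $($Pso.PasswordHistoryLength) below $($Baseline.PasswordHistoryLength)"
    }
    if ($Pso.LockoutThreshold -eq 0) {
        $findings += "LockoutThreshold 0 (account lockout disabled)"
    } elseif ($Pso.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += "LockoutThreshold $($Pso.LockoutThreshold) above $($Baseline.LockoutThreshold)"
    }
    if (-not $Pso.PasswordComplexityEnabled) { $findings += "password complexity disabled" }
    if ($Pso.ReversibleEncryptionEnabled)    { $findings += "reversible encryption enabled" }
    if (-not $Pso.AppliesTo)                 { $findings += "not linked to any user or group" }
    New-Object PSObject -Property @{
        Name       = $Pso.Name
        Precedence = $Pso.Precedence
        Findings   = ($findings -join '; ')
    }
}

# Part 2: the PSO that should win for a user, per the documented rules.
# A PSO linked directly to the user beats any PSO inherited through a group;
# among candidates of the same kind the lowest Precedence value wins. A tie on
# the lowest Precedence is reported rather than resolved by the GUID tie-break.
function Get-ExpectedPso {
    param([string]$UserDn, [string[]]$GroupDns, $Psos)
    $direct   = @($Psos | Where-Object { $_.AppliesTo -contains $UserDn })
    $viaGroup = @($Psos | Where-Object {
        $pso = $_
        @($GroupDns | Where-Object { $pso.AppliesTo -contains $_ }).Count -gt 0
    })
    $candidates = $viaGroup
    if ($direct.Count -gt 0) { $candidates = $direct }
    if ($candidates.Count -eq 0) { return $null }      # Default Domain Policy applies
    $sorted = @($candidates | Sort-Object Precedence)
    if ($sorted.Count -gt 1 -and $sorted[0].Precedence -eq $sorted[1].Precedence) {
        Write-Warning "Precedence tie between $($sorted[0].Name) and $($sorted[1].Name)"
    }
    return $sorted[0]
}

# Compare expected vs. actual resultant PSO for the direct user members of a group.
# Assumes Get-QADGroupMember and the user's MemberOf property (list of group DNs);
# nested group membership is not expanded in this simplified check.
function Test-GroupResultantPso {
    param([string]$GroupName)
    $psos = @(Get-QADPasswordSettingsObject)
    foreach ($member in Get-QADGroupMember $GroupName) {
        $user = Get-QADUser $member.DN -IncludedProperties 'msDS-ResultantPSO'
        if (-not $user) { continue }                    # not a user object (e.g. nested group)
        $expected   = Get-ExpectedPso -UserDn $user.DN -GroupDns @($user.MemberOf) -Psos $psos
        $expectedDn = $(if ($expected) { $expected.DN } else { '<Default Domain Policy>' })
        $actualDn   = [string]$user.'msDS-ResultantPSO'
        if (-not $actualDn) { $actualDn = '<Default Domain Policy>' }
        New-Object PSObject -Property @{
            User     = $user.Name
            Expected = $expectedDn
            Actual   = $actualDn
            Match    = ($expectedDn -eq $actualDn)
        }
    }
}

# Usage (group name is an assumption taken from the transcript's lab):
Get-QADPasswordSettingsObject | ForEach-Object { Test-PsoAgainstBaseline $_ } |
    Where-Object { $_.Findings } | Format-Table Name, Precedence, Findings -AutoSize
Test-GroupResultantPso 'COW\Beatles' | Format-Table User, Expected, Actual, Match -AutoSize
```

A mismatch in the second table usually means a policy reaches the user through a group you did not expect, or a directly linked PSO is overriding the group one, which is exactly the situation the transcript walks through with jlennon. Keep in mind that PSOs can only be linked to user objects and global security groups, not to OUs, so the AppliesTo list is the complete record of where a policy applies.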

Windows Server 2008 and PowerShell – are better together! ;)

Here’s the fine-grained-passwords-demo.txt file with the commands, in case you want to have fun with them yourself (just change the domain name, etc. to match your lab).

© 2007-2014 Dmitry Sotnikov

June 2007