Retrieving Domain Password Policies

AD cmdlets 1.1 add a few nifty features which let you easily access password-related settings of your domain. Basically, all related properties are just a part of the attributes domain objects have, so you can do:

[PS] C:\>Get-QADObject scorpio.local/ | Format-List Name, *Password*, *Lockout*

Name                     : scorpio
MinimumPasswordAge       : 1 days
MaximumPasswordAge       : 42 days
PasswordHistoryLength    : 24 passwords remembered
MinimumPasswordLength    : 1 characters
LockoutDuration          : 30 minutes
LockoutTreshold          : 0 invalid logon attempts
ResetLockoutCounterAfter : 30 minutes

Or if you do not want to specify the domain name explicitly:

[PS] C:\>(Get-QADRootDSE).Domain | Format-List Name, *Password*, *Lockout*

Name                     : scorpio
MinimumPasswordAge       : 1 days
MaximumPasswordAge       : 42 days
PasswordHistoryLength    : 24 passwords remembered
MinimumPasswordLength    : 1 characters
LockoutDuration          : 30 minutes
LockoutTreshold          : 0 invalid logon attempts
ResetLockoutCounterAfter : 30 minutes

Another tip is that you can actually get a hold of the Domain property for any AD account: e.g. user.

So if you have:

$user = Get-QADObject 'Dmitry Sotnikov'

And want to learn the password policies you can just do:

$user.Domain | Format-Table Name, *Password*, *Lockout*

Nice and easy!

This all applies to domain policies. Fine-grained password policies have their own set of cmdlets as well.

Tags: AD, AD cmdlets, Active Directory, Password management, PowerShell, cmdlets, one-liner
Add to: | Technorati | Digg | del.icio.us | Yahoo | BlinkList | Spurl | reddit | Furl |

Advertisement