Domain policy

The domain policy controls the lockout and password policies. Understanding the default allows you to start thinking about options for fine grained password policies.

# Microsoft AD cmdlets: read the domain object and show its lockout and password attributes
"`nMicrosoft"
Get-ADObject -Identity "dc=manticore,dc=org" -Properties * |
Format-List Name, *lockout*, *pwd*

# AD provider: pull each attribute by name from the domain object via the ad: drive
"`nAD provider"
$props = "Name", "lockoutDuration", "lockOutObservationWindow", "lockoutThreshold",
"maxPwdAge", "minPwdAge", "minPwdLength", "pwdHistoryLength", "pwdProperties"

foreach ($prop in $props) {
    Get-ItemProperty -Path ad:\"dc=manticore,dc=org" -Name $prop | Format-List $prop
}

# Quest AD cmdlets: same domain object, attribute names use "password" rather than "pwd"
"`nQuest"
Get-QADObject -Identity "dc=manticore,dc=org" -IncludeAllProperties |
Format-List Name, *lockout*, *password*

# Script: search for the domainDNS object and display the required properties
"`nScript"
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$root = $dom.GetDirectoryEntry()

$search = [System.DirectoryServices.DirectorySearcher]$root
$search.Filter = "(objectclass=domainDNS)"
$result = $search.FindOne()

New-Object -TypeName PSObject -Property @{
    Name                     = $($result.Properties.name)
    lockoutDuration          = $($result.Properties.lockoutduration)
    lockOutObservationWindow = $($result.Properties.lockoutobservationwindow)
    lockoutThreshold         = $($result.Properties.lockoutthreshold)
    maxPwdAge                = $($result.Properties.maxpwdage)
    minPwdAge                = $($result.Properties.minpwdage)
    minPwdLength             = $($result.Properties.minpwdlength)
    pwdHistoryLength         = $($result.Properties.pwdhistorylength)
    pwdProperties            = $($result.Properties.pwdproperties)
}


The Microsoft and Quest cmdlets read the AD object for the domain and display its lockout and password attributes. The AD provider reads the same domain object through the ad: drive and pulls each attribute by name.

The script is the most interesting: it searches for the object of class domainDNS and then displays the required properties.
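The values the script returns are the raw attribute values, which are awkward to read: the interval attributes (lockoutDuration, lockOutObservationWindow, maxPwdAge, minPwdAge) are stored as negative 64-bit counts of 100-nanosecond ticks, and pwdProperties is a bit mask. The following is an added example, not code from the original post, that reuses the same DirectorySearcher approach, converts those values to TimeSpans, names the pwdProperties flags (the DOMAIN_* constants documented in the AD schema) and runs a few sanity checks; the numeric thresholds in the checks are assumptions chosen for the example. It needs PowerShell 3.0 or later for the [PSCustomObject] cast.

```powershell
# Added example (not part of the original post): decode the raw domain policy values
# returned by the DirectorySearcher script and run a few sanity checks.
$dom    = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$root   = $dom.GetDirectoryEntry()
$search = [System.DirectoryServices.DirectorySearcher]$root
$search.Filter = "(objectclass=domainDNS)"
$result = $search.FindOne()
$p = $result.Properties

function ConvertFrom-AdInterval {
    param([Int64]$Value)
    # 0 means "not set"; [Int64]::MinValue is how AD stores "never" for maxPwdAge
    if ($Value -eq 0 -or $Value -eq [Int64]::MinValue) { return $null }
    # the stored value is negative, so negate it to get the tick count
    [TimeSpan]::FromTicks(-$Value)
}

# pwdProperties bit values (DOMAIN_* constants from the AD schema)
$pwdFlagNames = @{
    1  = 'DOMAIN_PASSWORD_COMPLEX'
    2  = 'DOMAIN_PASSWORD_NO_ANON_CHANGE'
    4  = 'DOMAIN_PASSWORD_NO_CLEAR_CHANGE'
    8  = 'DOMAIN_LOCKOUT_ADMINS'
    16 = 'DOMAIN_PASSWORD_STORE_CLEARTEXT'
    32 = 'DOMAIN_REFUSE_PASSWORD_CHANGE'
}
$pwdProps = [int]$p['pwdproperties'][0]
$setFlags = $pwdFlagNames.Keys | Sort-Object |
    Where-Object { $pwdProps -band $_ } |
    ForEach-Object { $pwdFlagNames[$_] }

$policy = [PSCustomObject]@{
    Name                     = $p['name'][0]
    LockoutDuration          = ConvertFrom-AdInterval $p['lockoutduration'][0]
    LockoutObservationWindow = ConvertFrom-AdInterval $p['lockoutobservationwindow'][0]
    LockoutThreshold         = [int]$p['lockoutthreshold'][0]
    MaxPwdAge                = ConvertFrom-AdInterval $p['maxpwdage'][0]
    MinPwdAge                = ConvertFrom-AdInterval $p['minpwdage'][0]
    MinPwdLength             = [int]$p['minpwdlength'][0]
    PwdHistoryLength         = [int]$p['pwdhistorylength'][0]
    PwdPropertyFlags         = ($setFlags -join ', ')
}
$policy | Format-List

# Sanity checks a defender would want; the numeric thresholds are example assumptions
$findings = @()
if ($policy.LockoutThreshold -eq 0)  { $findings += 'lockoutThreshold is 0: accounts never lock out' }
if ($null -eq $policy.MaxPwdAge)     { $findings += 'maxPwdAge is "never": passwords do not expire' }
if ($policy.MinPwdLength -lt 12)     { $findings += "minPwdLength $($policy.MinPwdLength) is below 12" }
if ($policy.PwdHistoryLength -lt 24) { $findings += "pwdHistoryLength $($policy.PwdHistoryLength) is below 24" }
if (-not ($pwdProps -band 1))        { $findings += 'DOMAIN_PASSWORD_COMPLEX is not set' }
if ($pwdProps -band 16)              { $findings += 'DOMAIN_PASSWORD_STORE_CLEARTEXT is set (reversible encryption)' }
if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

The same conversion applies to the AD provider output, which also returns the raw Int64 values; the Microsoft and Quest cmdlets do the TimeSpan conversion for you.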

Another alternative is supplied by the Microsoft cmdlets:

PS> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled           : True
DistinguishedName           : DC=Manticore,DC=org
LockoutDuration             : 00:01:00
LockoutObservationWindow    : 00:01:00
LockoutThreshold            : 25
MaxPasswordAge              : 42.00:00:00
MinPasswordAge              : 00:00:00
MinPasswordLength           : 7
objectClass                 : {domainDNS}
objectGuid                  : 1f230c52-a38d-4d47-8748-5f7fad04cf90
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False
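Get-ADDefaultDomainPasswordPolicy shows only the domain-wide default. Once fine-grained password policies are in play, a password settings object (PSO) applied to a user or group overrides that default, so the question for a given account becomes which policy actually governs it. The following is an added example, not code from the original post, that lists every PSO alongside the default, flags settings weaker than the default, and then shows the resultant policy for one account. It assumes the ActiveDirectory module and a domain at the Windows Server 2008 functional level or higher (required for PSOs); the account name is a placeholder.

```powershell
# Added example (not part of the original post). Assumes the ActiveDirectory module and a
# domain functional level of Windows Server 2008 or higher; the account name is a placeholder.
Import-Module ActiveDirectory

$default = Get-ADDefaultDomainPasswordPolicy

# All password settings objects; when several apply to one user the lowest Precedence wins
$psos = Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence

# Report each PSO and flag any setting that is weaker than the default domain policy
foreach ($pso in $psos) {
    $weaker = @()
    if ($pso.MinPasswordLength -lt $default.MinPasswordLength)            { $weaker += 'minimum length' }
    if ($pso.PasswordHistoryCount -lt $default.PasswordHistoryCount)      { $weaker += 'history count' }
    if ($default.ComplexityEnabled -and -not $pso.ComplexityEnabled)      { $weaker += 'complexity off' }
    if ($default.LockoutThreshold -ne 0 -and $pso.LockoutThreshold -eq 0) { $weaker += 'lockout off' }
    if ($pso.ReversibleEncryptionEnabled)                                 { $weaker += 'reversible encryption' }
    [PSCustomObject]@{
        Name              = $pso.Name
        Precedence        = $pso.Precedence
        AppliesTo         = ($pso.AppliesTo -join '; ')
        WeakerThanDefault = ($weaker -join ', ')
    }
}

# Resultant policy for one account: the winning PSO if any applies, otherwise the default
$account = 'PLACEHOLDER-USER'   # replace with a real sAMAccountName
$effective = Get-ADUserResultantPasswordPolicy -Identity $account
if ($null -eq $effective) {
    "$account is governed by the default domain policy"
    $effective = $default
} else {
    "$account is governed by PSO '$($effective.Name)'"
}
$effective | Format-List MinPasswordLength, MaxPasswordAge, PasswordHistoryCount,
    LockoutThreshold, LockoutDuration, ComplexityEnabled
```

Running the PSO report periodically is a cheap way to catch a policy that quietly exempts a group from lockout or complexity; the AppliesTo column tells you which users or groups such an exemption reaches.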
