Saturday, April 22, 2017

Determine the Default Password Policy for an Active Directory Domain with PowerShell

http://ift.tt/2pLEMIa

I’ve been working with PowerShell since the version 1.0 days and I’m still amazed that I find cmdlets that I didn’t know existed. Back in 2003, I had written some PowerShell code to query group policy for the lockout policy of an Active Directory domain. It used code similar to what’s shown in the following example, which requires the GroupPolicy PowerShell module that installs as part of the RSAT (Remote Server Administration Tools).

I recently discovered that there’s a Get-ADDefaultDomainPasswordPolicy cmdlet that’s part of the ActiveDirectory PowerShell module that also installs as part of the RSAT.

You could select only the LockoutThreshold property to return the same results as shown in the first example:

The default lockout threshold for Active Directory accounts is 0, which means they’re never locked out. That’s not good, so it’s something you might want to consider adding to your operational readiness testing for your infrastructure. The following example is a Pester test that checks this setting and verifies that it’s not set to zero.
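A Pester test along these lines, written here as an added example rather than taken from the original post. It assumes Pester 4 or later and the RSAT ActiveDirectory module on a domain-joined machine, and it goes slightly beyond the lockout threshold by also checking two other properties that Get-ADDefaultDomainPasswordPolicy returns.

```powershell
#Requires -Modules ActiveDirectory, Pester
# Added example: operational readiness checks for the default domain password policy.
# Assumptions: Pester 4 or later, the RSAT ActiveDirectory module, and a session
# that can reach a domain controller for the current domain.

Describe 'Default domain password policy' {

    BeforeAll {
        # Query the policy once; every test below reads from the same object.
        $policy = Get-ADDefaultDomainPasswordPolicy
    }

    It 'locks accounts out after repeated failed logons (LockoutThreshold is not 0)' {
        # A threshold of 0 means accounts are never locked out.
        $policy.LockoutThreshold | Should -BeGreaterThan 0
    }

    # The two checks below are extras beyond the setting the post discusses.
    It 'does not store passwords with reversible encryption' {
        $policy.ReversibleEncryptionEnabled | Should -BeFalse
    }

    It 'enforces password complexity' {
        $policy.ComplexityEnabled | Should -BeTrue
    }
}
```

Save the block to a `.Tests.ps1` file and run it with `Invoke-Pester`; on a domain that still has the default threshold of 0, the first test fails.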

Once you correct the problem by changing the account lockout threshold to a value greater than zero, the test should pass.

I like that Pester shows how long it took to execute the test. This tells me that Get-ADDefaultDomainPasswordPolicy is not only easier to use, but it’s also more efficient.


via Mike F Robbins http://mikefrobbins.com

April 21, 2017 at 02:14AM
