Determine the Default Password Policy for an Active Directory Domain with PowerShell

I’ve been working with PowerShell since the version 1.0 days and I’m still amazed that I find cmdlets that I didn’t know existed. Back in 2003, I had written some PowerShell code to query group policy for the lockout policy of an Active Directory domain. It used code similar to what’s shown in the following example, which requires the GroupPolicy PowerShell module that installs as part of the RSAT (Remote Server Administration Tools).

I recently discovered that there’s a Get-ADDefaultDomainPasswordPolicy cmdlet in the ActiveDirectory PowerShell module, which also installs as part of the RSAT.

You could select only the LockoutThreshold property to return the same results as shown in the first example:

The default lockout threshold for Active Directory accounts is 0, which means accounts are never locked out. That’s not good, so it’s something you might want to consider adding to your operational readiness testing for your infrastructure. The following example is a Pester test that checks this setting and verifies that it’s not set to zero.

Once you correct the problem by changing the account lockout threshold to a value greater than zero, the test should pass.
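The screenshots of the test aren’t part of this text, so here is an added example of the kind of Pester test the post describes (this is not the post’s own code). It assumes Pester 4 or later syntax, the RSAT ActiveDirectory module, and a domain-joined session with rights to read the default domain policy; the lockout threshold check is the one from the post, and the extra checks on the same object are an assumed baseline added here for illustration.

```powershell
# Added example, not the post's own code. Assumes Pester 4+ (the -Be* operator
# syntax) and the ActiveDirectory module from RSAT.
#Requires -Modules ActiveDirectory

Describe 'Default Domain Password Policy' {

    BeforeAll {
        # One query for the whole run. Without -Server or -Identity the cmdlet
        # returns the policy of the domain the current user is logged on to.
        $Policy = Get-ADDefaultDomainPasswordPolicy
    }

    # The check from the post: 0 is the Active Directory default and means
    # accounts are never locked out, no matter how many bad passwords are tried.
    It 'Has an account lockout threshold greater than zero' {
        $Policy.LockoutThreshold | Should -BeGreaterThan 0
    }

    # Assumed baseline values below; adjust them to your own policy.
    It 'Keeps a locked account locked for at least 15 minutes' {
        $Policy.LockoutDuration | Should -BeGreaterOrEqual (New-TimeSpan -Minutes 15)
    }

    It 'Counts bad attempts over an observation window of at least 15 minutes' {
        $Policy.LockoutObservationWindow | Should -BeGreaterOrEqual (New-TimeSpan -Minutes 15)
    }

    It 'Requires a minimum password length of at least 14 characters' {
        $Policy.MinPasswordLength | Should -BeGreaterOrEqual 14
    }

    It 'Requires password complexity' {
        $Policy.ComplexityEnabled | Should -BeTrue
    }

    It 'Does not store passwords with reversible encryption' {
        $Policy.ReversibleEncryptionEnabled | Should -BeFalse
    }
}
```

Save the block as a .Tests.ps1 file and run it with Invoke-Pester; once the lockout threshold has been raised above zero (the ActiveDirectory module’s Set-ADDefaultDomainPasswordPolicy cmdlet has a -LockoutThreshold parameter for this), the first test passes and the remaining ones report where the policy still differs from the assumed baseline.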

I like that Pester shows how long it took to execute the test. This tells me that using Get-ADDefaultDomainPasswordPolicy is not only easier than querying group policy, but also more efficient.

µ

2 Comments

  1. Luke

    Same for me Mike!
    So many cmdlets are added to every new Powershell release…

  2. fullenw1

    Just for fun, a fiction script, which could be named ComputePSHeadSpinningRisk:

    ==================================
    function LearnAndUseNewCmdlet
    {
        param($NewCmdlet)

        "Read new cmdlet documentation."

        foreach ($Script in $MyScriptList)
        {
            If ($Script.HasBeenMadeObsoleteByNewCmdlet)
            {"Use the new $($NewCmdlet.Name) instead of my script."}
            Else
            {"See if $($NewCmdlet.Name) can improve my script in some way."}
        }
    }

    #Learn one cmdlet per day
    $BrainLimit = 365 * $YearsBeforeNextRelease

    #One hour per day of time to learn beside work
    $DailyTimeToLearn = New-TimeSpan -Hours 1

    $NewCmdletsTotal = $NewPSVersion.Cmdlets.Count - $CurrentPSVersion.Cmdlets.Count
    $TimePassed = New-TimeSpan

    #Less than one cmdlet to learn per day
    If ($NewCmdletsTotal -le $BrainLimit)
    {
        foreach ($Cmdlet in $NewPSVersion.Cmdlets)
        {
            If ($Cmdlet.IsNew)
            {$TimePassed = $TimePassed + (Measure-Command -Expression {LearnAndUseNewCmdlet $Cmdlet})}
        }
    }
    Else {$MyHeadIsSpinning = $true}

    $DaysBeforeNextVersion = ((Get-Date -Date $DateOfFutureVersion) - (Get-Date)).Days
    $AverageTimePassedToLearn = $TimePassed / $DaysBeforeNextVersion

    #Less than one hour per day to learn
    If ($AverageTimePassedToLearn -le $DailyTimeToLearn)
    {$IBecomeAPoShMaster = $true}
    Else {$MyHeadIsSpinning = $true}
