Determine the Default Password Policy for an Active Directory Domain with PowerShell

I’ve been working with PowerShell since the version 1.0 days and I’m still amazed that I find cmdlets that I didn’t know existed. Back in 2003, I had written some PowerShell code to query group policy for the lockout policy of an Active Directory domain. It used code similar to what’s shown in the following example which requires the GroupPolicy PowerShell module that installs as part of the RSAT (Remote Server Administration Tools).

(([xml](Get-GPOReport -Name "Default Domain Policy" -ReportType Xml)
).GPO.Computer.ExtensionData.Extension.Account |
Where-Object name -eq LockoutBadCount).SettingNumber

lockout-policy1a.png

I recently discovered that there’s a Get-ADDefaultDomainPasswordPolicy cmdlet that’s part of the ActiveDirectory PowerShell module that also installs as part of the RSAT.

Get-ADDefaultDomainPasswordPolicy

lockout-policy2a.png

You could select only the LockoutThreshold property to return the same results as shown in the first example:

(Get-ADDefaultDomainPasswordPolicy).LockoutThreshold

lockout-policy3a.png

The default lockout threshold for active directory accounts is 0 which means they’re never locked out. That’s not good so it’s something you might want to consider adding to your operational readiness testing for your infrastructure. The following example is a Pester test that checks this setting and verifies that it’s not set to zero.

Describe 'LockoutThreshold' {
    It 'Should NOT be zero' {
        (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold |
        Should Not Be 0
    }
}

lockout-policy4a.png

Once you correct the problem by changing the account lockout threshold to a value greater than zero, the test should pass.

lockout-policy5a.png

I like that Pester shows how long it took to execute the test. This tells me that using the Get-ADDefaultDomainPasswordPolicy is not only easier to use, but it’s also more efficient.

Describe 'LockoutThreshold' {
    It 'Should NOT be zero' {
        (([xml](Get-GPOReport -Name "Default Domain Policy" -ReportType Xml)
        ).GPO.Computer.ExtensionData.Extension.Account |
        Where-Object name -eq LockoutBadCount).SettingNumber |
        Should Not Be 0
    }
}

lockout-policy6a.png

ยต