Power Shell Scripts

Specops Password Policy Basic

PowerShell samples


Working with fine-grained password policies

The following command will create a new password policy:

$policy = New-BasicPasswordPolicy -Name 'My First Password Policy'

Then we can set a value for one of the rules and save the policy.

$policy.MinimumPasswordLength = 6
$policy.Save()

Note! Changes to the password policy are not carried through until the Save method is called.

To get a list of all configured fine-grained password policies in the domain, try the following command.

Get-BasicPasswordPolicy

This will produce a list of all the policies and their properties. To get a better overview of the policies, try this version of the command, where the Format-Table (ft) cmdlet is used to improve the format of the output.

Get-BasicPasswordPolicy | ft -Property Name, MinimumPasswordLength

The Get-BasicPasswordPolicy cmdlet works similarly to New-BasicPasswordPolicy: use the name as a parameter to get a reference to a specific password policy:

$policy = Get-BasicPasswordPolicy -Name 'My First Password Policy'

Some more things to try out. The following commands will attempt to set properties on the password policy that would make it invalid. Minimum password age cannot be greater than maximum password age. Try saving the policy and watch the result.

$policy.MinimumPasswordAge = 35
$policy.MaximumPasswordAge = 30
$policy.Save()
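
The age rule above and the MinimumPasswordLength property listed earlier can be checked on any policy object before Save() is called, or across every policy returned by Get-BasicPasswordPolicy. The following is an added example, not part of the Specops SDK: the function name Find-BasicPolicyIssue and the baseline length of 12 are hypothetical, and the sample objects are constructed so the script runs without the module loaded.

```powershell
# Added example: not part of the Specops SDK. Find-BasicPolicyIssue and the
# default baseline of 12 are hypothetical, chosen for illustration only.
function Find-BasicPolicyIssue {
    [CmdletBinding()]
    param(
        # Policy objects, e.g. from Get-BasicPasswordPolicy or a $policy not yet saved
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Policy,

        # Shortest MinimumPasswordLength you are willing to accept (assumed baseline)
        [int]$RequiredLength = 12
    )
    process {
        $issues = @()
        if ($Policy.MinimumPasswordLength -lt $RequiredLength) {
            $issues += "MinimumPasswordLength $($Policy.MinimumPasswordLength) is below $RequiredLength"
        }
        # The combination this page describes as invalid
        if ($Policy.MinimumPasswordAge -gt $Policy.MaximumPasswordAge) {
            $issues += 'MinimumPasswordAge is greater than MaximumPasswordAge'
        }
        # Emit one finding per issue so the output can be filtered or exported
        foreach ($issue in $issues) {
            [pscustomobject]@{ Policy = $Policy.Name; Issue = $issue }
        }
    }
}

# Constructed sample objects standing in for cmdlet output.
$sample = @(
    [pscustomobject]@{ Name = 'My First Password Policy'; MinimumPasswordLength = 6
                       MinimumPasswordAge = 35; MaximumPasswordAge = 30 }
    [pscustomobject]@{ Name = 'Admins'; MinimumPasswordLength = 15
                       MinimumPasswordAge = 1; MaximumPasswordAge = 30 }
)
$sample | Find-BasicPolicyIssue | Format-Table -AutoSize

# Against a live domain (requires the cmdlets described on this page):
#   Get-BasicPasswordPolicy | Find-BasicPolicyIssue
#   $policy | Find-BasicPolicyIssue    # check before calling $policy.Save()
```

With the constructed input, the first policy produces two findings and the second produces none.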

If you have a lot of password policies configured in your domain, it might be difficult to determine which password policy affects a certain user. Using the Get-BasicAffectingPasswordPolicy cmdlet, you can easily retrieve the affecting password policy settings for a specific user:

Get-BasicAffectingPasswordPolicy -Name 'bob'

To completely remove a password policy, use the following command:

Remove-BasicPasswordPolicy -Name 'My First Password Policy'

Working with the Default Domain Policy settings

You can use the Get-BasicDomainPasswordPolicy cmdlet to view the password policy settings defined in the Default Domain Policy. These settings are read-only and cannot be changed using the cmdlet.

Get-BasicDomainPasswordPolicy

More information

Refer to the API documentation for detailed information about the underlying objects, their properties and methods.

Page last modified on June 12, 2007, at 12:04 PM