How to: Manage GPO-based password policies with PowerShell

The PowerShell cmdlets below manage the default (GPO-based) password policy of an Active Directory domain. ADSelfService Plus, the Active Directory self-service password management and single sign-on solution, provides advanced password policy settings that can be applied in hybrid Active Directory environments. The following compares what the group policy object (GPO)-based domain password policy in Windows Active Directory offers with what ADSelfService Plus offers:

With PowerShell

  • Modify the default password policy for an Active Directory domain
    Set-ADDefaultDomainPasswordPolicy
       [-WhatIf]
       [-Confirm]
       [-AuthType <ADAuthType>]
       [-ComplexityEnabled <Boolean>]
       [-Credential <PSCredential>]
       [-Identity] <ADDefaultDomainPasswordPolicy>
       [-LockoutDuration <TimeSpan>]
       [-LockoutObservationWindow <TimeSpan>]
       [-LockoutThreshold <Int32>]
       [-MaxPasswordAge <TimeSpan>]
       [-MinPasswordAge <TimeSpan>]
       [-MinPasswordLength <Int32>]
       [-PassThru]
       [-PasswordHistoryCount <Int32>]
       [-ReversibleEncryptionEnabled <Boolean>]
       [-Server <String>]
       [<CommonParameters>]
  • Fetch the default password policy for an Active Directory domain.
    Get-ADDefaultDomainPasswordPolicy
       [-AuthType <ADAuthType>]
       [-Credential <PSCredential>]
       [[-Current] <ADCurrentDomainType>]
       [-Server <String>]
       [<CommonParameters>]
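The syntax above lists the parameters; the following is an added example (not code from the original page or from ADSelfService Plus) that shows the cmdlets used end to end: snapshot the current default domain password policy, preview a hardening change with -WhatIf, apply it, and verify the result. It assumes the RSAT ActiveDirectory module is installed and the session runs with rights to modify the domain object; the policy values are illustrative.

```powershell
# Added example, not part of the original page. Assumes the RSAT ActiveDirectory
# module is installed and the session runs as a Domain Admin (or an account
# delegated write access to the domain object). Policy values are illustrative.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot   # FQDN of the current domain, e.g. corp.example.com

# 1. Record the current policy so the change can be reviewed and rolled back.
$before = Get-ADDefaultDomainPasswordPolicy -Identity $domain
$before | Export-Clixml -Path ".\DefaultDomainPasswordPolicy-before.xml"

# 2. Build the change once so the preview and the real run use identical values.
$params = @{
    Identity                    = $domain
    MinPasswordLength           = 14
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24
    MaxPasswordAge              = New-TimeSpan -Days 365
    MinPasswordAge              = New-TimeSpan -Days 1         # must be shorter than MaxPasswordAge
    LockoutThreshold            = 10
    LockoutObservationWindow    = New-TimeSpan -Minutes 15
    LockoutDuration             = New-TimeSpan -Minutes 15     # must be >= the observation window
    ReversibleEncryptionEnabled = $false                       # never store reversibly encrypted passwords
}

# -WhatIf reports what would be modified and changes nothing.
Set-ADDefaultDomainPasswordPolicy @params -WhatIf

# 3. Apply for real (-Confirm:$false suppresses the interactive prompt).
Set-ADDefaultDomainPasswordPolicy @params -Confirm:$false

# 4. Re-read the policy and show exactly which attributes changed.
$after = Get-ADDefaultDomainPasswordPolicy -Identity $domain
$props = 'MinPasswordLength', 'ComplexityEnabled', 'PasswordHistoryCount',
         'MaxPasswordAge', 'MinPasswordAge', 'LockoutThreshold',
         'LockoutDuration', 'LockoutObservationWindow', 'ReversibleEncryptionEnabled'
Compare-Object -ReferenceObject $before -DifferenceObject $after -Property $props |
    Format-Table -AutoSize

# 5. Sanity checks a reviewer would want before closing the change ticket.
if ($after.ReversibleEncryptionEnabled) { Write-Warning "Reversible encryption is still enabled." }
if ($after.MinPasswordLength -lt 14)    { Write-Warning "Minimum password length is below 14." }
if ($after.LockoutDuration -lt $after.LockoutObservationWindow) {
    Write-Warning "Lockout duration is shorter than the observation window."
}
```

The cmdlet writes the password policy attributes on the domain object directly. Domain controllers periodically re-apply the Security Settings of the Default Domain Policy GPO, so if that GPO still holds the old values, expect them to come back; update the GPO to match (or make the change in the GPO in the first place) and use Get-ADDefaultDomainPasswordPolicy afterwards to confirm the values that are actually in effect.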

With ADSelfService Plus

  • Configure a custom password policy via the Password Policy Enforcer
    • Log in to the ADSelfService Plus admin portal.
    • Navigate to Configuration > Self-Service > Password Policy Enforcer.
    • Enable Enforce Custom Password Policy.
    • Ban leaked or weak passwords, keyboard sequences, and palindromes.
    • Restrict consecutively repeated characters from the username or old password, as well as common character types at the beginning or end of the passwords.
    • Allow users to use Unicode characters in their passwords.
    • Display a password strength meter when users change or reset their AD passwords.
    • Enforce passphrases.
    • Click Save.

What are the limitations of domain password policies?

  • They offer no controls for banning dictionary words, weak passwords, keyboard sequences, palindromes, and similar patterns.
  • They govern only on-premises Active Directory accounts and cannot be enforced across a hybrid Active Directory environment.
  • The default domain password policy cannot be applied to users based on their OU or group membership. (Fine-grained password policies, available from Windows Server 2008 onward, can target users and global security groups with different settings, but still cannot be applied to an OU.)
  • There is no support for ensuring users don't use breached passwords during password change and password reset.
  • They cannot display the password requirements to end users during a password change.
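For the OU and group limitation above, the closest native option is a fine-grained password policy (PSO). The following is an added example (not code from the original page or from ADSelfService Plus) that creates a stricter PSO, links it to a global security group, and then reports the policy each member actually receives. The group name "Privileged-Admins" and the PSO name are hypothetical; it assumes the RSAT ActiveDirectory module and rights to create objects in the Password Settings Container.

```powershell
# Added example, not part of the original page. Assumes the RSAT ActiveDirectory
# module, rights to create PSOs in the Password Settings Container, and an
# existing global security group "Privileged-Admins" (hypothetical) whose
# members should get a stricter policy than the domain default.
Import-Module ActiveDirectory

$psoName = "PSO-PrivilegedAdmins"   # hypothetical PSO name
$group   = "Privileged-Admins"      # hypothetical global security group

# 1. Create the PSO if it does not exist. When a user matches several PSOs,
#    the one with the lowest Precedence value wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -Description "Stricter policy for privileged accounts" `
        -MinPasswordLength 20 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}

# 2. Link the PSO to the group. Subjects may be users or global security groups;
#    an OU cannot be a subject, which is the limitation noted above.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# 3. Verify the resultant policy per member. Get-ADUserResultantPasswordPolicy
#    returns nothing when no PSO applies, in which case the domain default is in effect.
$domainDefault = Get-ADDefaultDomainPasswordPolicy
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $rpp = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User            = $_.SamAccountName
            EffectivePolicy = if ($rpp) { $rpp.Name } else { 'Default domain policy' }
            MinLength       = if ($rpp) { $rpp.MinPasswordLength } else { $domainDefault.MinPasswordLength }
            LockoutThreshold = if ($rpp) { $rpp.LockoutThreshold } else { $domainDefault.LockoutThreshold }
        }
    } | Format-Table -AutoSize
```

Step 3 is the check worth keeping in a scheduled job: a user who was removed from the group, or who matches a lower-precedence PSO, silently falls back to a weaker policy, and only the resultant policy shows it.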
Advantages of ADSelfService Plus:
  • ADSelfService Plus offers options to block weak passwords, dictionary words, palindromes, and keyboard sequences to ensure strong user passwords.

  • It displays the password requirements to end users during password change and reset operations.

  • It enforces custom password policy settings for password changes made through the Windows logon (Ctrl+Alt+Del) screen and even during ADUC password resets.

  • It ensures users don't use breached passwords during password change and password reset through integration with the Have I Been Pwned? service.
