Find the settings of AD Domain Password Policy using Powershell

Ways to check the password complexity by Powershell.

Summary:

  • # Method 1 : Get-ADDefaultDomainPasswordPolicy
  • # Method 2 : Get-ADObject
  • # Method 3 : net accounts

# Method 1 : Get-ADDefaultDomainPasswordPolicy

We can use the AD powershell cmdet Get-ADDefaultDomainPasswordPolicy to gets the default password policy for an Active Directory domain. Before proceed, import the Active Directory module first by running below command.

1
Import-Module ActiveDirectory

The below command get the default domain password policy from current logged on user domain.

1
Get-ADDefaultDomainPasswordPolicy

This command get the default domain password policy from a given domain.

1
Get-ADDefaultDomainPasswordPolicy -Identity contoso.com

This command returns the following results (ComplexityEnabled, MaxPasswordAge, MinPasswordAge and MinPasswordLength).

1
2
3
4
5
6
7
8
9
10
11
12
13
14
PS C:\> Get-ADDefaultDomainPasswordPolicy
ComplexityEnabled           : True
DistinguishedName           : DC=testdomain,DC=com
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 0
MaxPasswordAge              : 42.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 7
objectClass                 : {domainDNS}
objectGuid                  : d43f2f55-c381-4fa7-871d-4c990434259c
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False

# Method 2 : Get-ADObject

We can also use Get-ADObject to retrieve password policy associated properties from the domain naming context (defaultNamingContext)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
$RootDSE = Get-ADRootDSE
$PasswordPolicy = Get-ADObject $RootDSE.defaultNamingContext -Property minPwdAge, maxPwdAge,`
                  minPwdLength, pwdHistoryLength, pwdProperties
$PasswordPolicy | Select Name, @{n="Min Password Age";e={"$($_.minPwdAge/-864000000000) days"}},`
@{n="Max Password Age";e={"$($_.maxPwdAge / -864000000000) days"}},`
@{n="Max Password Length";e={"$($_.minPwdLength) characters"}},`
@{n="Pwd History Length";e={$_.pwdHistoryLength}},`
@{n="Password Complexity";e={Switch ($_.pwdProperties) {
         0 {"Passwords can be simple and the administrator account cannot be locked out"}
         1 {"Passwords must be complex and the administrator account cannot be locked out"}
         8 {"Passwords can be simple, and the administrator account can be locked out"}
         9 {"Passwords must be complex, and the administrator account can be locked out"}
         Default {$_.pwdProperties}}}}

The above command returns the following results (Min Password Age, Max Password Age, Max Password Length, Pwd History Length and Password Complexity).

1
2
3
4
5
6
Name             : contoso
Min Password Age    : 1 days
Max Password Age    : 42 days
Max Password Length : 7 characters
Pwd History Length  : 24
Password Complexity : Passwords must be complex and the administrator account cannot be locked out

# Method 3 : net accounts

We can also use the following net command to look at the password policy details.

net accounts

This command returns the following results (minimum password length, maximum password age and minimum password length).

PS C:\> net accounts

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.

Orginal article