Useful PowerShell commands for managing Active Directory password policies 

Managing password policies in Active Directory is an essential task for any administrator responsible for an AD DS environment. Password policies enforce requirements that make passwords harder to guess, crack, or reuse. These settings can be configured not only from the Group Policy Management Editor but also from PowerShell.  

Combining Active Directory management with the flexibility and power of PowerShell can help optimize password policy management tasks. Since Microsoft has built-in official PowerShell modules that allow admins to interact with, configure, and manage Active Directory settings, it’s easy to get started. We’ll explain how and give you some real examples to try. 

Active Directory password policies 

In Active Directory, the password settings in the Default Domain Policy govern all user accounts in the domain. An organization may need different settings for specific users or groups; these are known as fine-grained password policies (FGPPs), implemented as Password Settings Objects (PSOs). 

The importance of password policies 

Password policies are a critical aspect of an organization’s security infrastructure. They help mitigate security risks such as brute force attacks and the compromise of corporate passwords by enforcing requirements like minimum password length, maximum password age, and password history. 

End users tend to create weak passwords that are easily guessed and quickly fall to brute-force and password-spraying campaigns. Worse, high-privilege domain admin accounts may have weak passwords too, or several accounts may share the same password, so one compromised credential opens many doors. 

Password policies in Active Directory 

Active Directory password policy settings are typically configured through the Group Policy Management Console (GPMC). The Default Domain Policy includes a default password policy that can be modified to fit the organization’s needs. Below is a view of the Default Domain Policy opened in the Group Policy Management Editor. 

View of the default password policy in Active Directory using the Group Policy Management Console

Default group policy password settings

You can view the default domain policy settings in the Group Policy Management Console (GPMC). After launching gpmc.msc from the Run dialog or a command prompt and editing the Default Domain Policy, these settings are located under “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Security Settings” -> “Account Policies” -> “Password Policy“. 

The password policy settings include the following: 

  • Enforce password history – Defines how many previous passwords are remembered so a user cannot reuse one they set recently. AD keeps hashes of those previous passwords to perform the comparison. Note that this is only effective when combined with a non-zero minimum password age; otherwise a user can cycle through the whole history in one sitting. 
  • Maximum password age – Defines how long a password can be used before the user must change it. A value of 0 means passwords never expire. 
  • Minimum password age – Defines how long a password must be in use before the user is allowed to change it again. It must be shorter than the maximum password age. 
  • Minimum password length – Sets the shortest password AD will accept, preventing very short passwords from being used. 
  • Passwords must meet complexity requirements – This setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: 
    • Not contain the user’s account name or parts of the user’s full name that exceed two consecutive characters 
    • Be at least six characters in length 
    • Contain characters from three of the following four categories: 
      • English uppercase characters (A through Z) 
      • English lowercase characters (a through z) 
      • Base 10 digits (0 through 9) 
      • Non-alphabetic characters (for example, !, $, #, %) 
    • Complexity requirements are enforced when passwords are changed or created, never retroactively against existing passwords. 
  • Store passwords using reversible encryption – Provides support for applications that use protocols requiring knowledge of the user’s plaintext password for authentication (CHAP, Digest authentication, and similar). Storing passwords with reversible encryption is essentially the same as storing them in plaintext: anyone who can read the directory database can recover them. For this reason, this policy should never be enabled domain-wide; if a legacy application truly requires it, scope it to the specific accounts involved rather than the Default Domain Policy. 
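The complexity rules listed above can be reproduced locally, which is useful for pre-checking candidate passwords or testing a password generator before it hits a domain controller. The function below is an added example written for this article, not code from the original post or a Microsoft API: it re-implements the documented rules (the account-name check, the full-name token check, the six-character minimum, and the three-of-four category rule) rather than calling into AD’s own check, and it ignores the extra Unicode category that Windows also counts. The user name and sample passwords are constructed for illustration.

```powershell
# Added example: local re-implementation of the documented AD complexity rules.
# This mirrors the published rules only; it is not AD's own check.
function Test-ADPasswordComplexity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $DisplayName = ''
    )

    $failures = New-Object System.Collections.Generic.List[string]

    # Rule: at least six characters.
    if ($Password.Length -lt 6) {
        $failures.Add('Shorter than 6 characters')
    }

    # Rule: must not contain the account name (whole value, case-insensitive).
    # Windows skips this check when the account name is shorter than three characters.
    if ($SamAccountName.Length -ge 3 -and
        $Password.IndexOf($SamAccountName, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $failures.Add("Contains the account name '$SamAccountName'")
    }

    # Rule: must not contain any part of the full name longer than two characters.
    # Windows splits displayName on commas, periods, dashes, underscores, spaces,
    # pound signs and tabs, and checks tokens of three or more characters.
    foreach ($token in ($DisplayName -split '[,.\-_ #\t]+' | Where-Object { $_.Length -ge 3 })) {
        if ($Password.IndexOf($token, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $failures.Add("Contains part of the full name '$token'")
        }
    }

    # Rule: characters from at least three of the four categories.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }   # English uppercase
    if ($Password -cmatch '[a-z]')        { $categories++ }   # English lowercase
    if ($Password -match  '[0-9]')        { $categories++ }   # base-10 digits
    if ($Password -cmatch '[^A-Za-z0-9]') { $categories++ }   # non-alphanumeric
    if ($categories -lt 3) {
        $failures.Add("Only $categories of 4 character categories present")
    }

    [pscustomobject]@{
        Password  = $Password
        Compliant = ($failures.Count -eq 0)
        Failures  = $failures -join '; '
    }
}

# Constructed sample inputs for a fictional user 'jsmith' with display name 'Smith, John'.
@(
    'P@ssw0rd'      # passes every rule, which is exactly why complexity alone is not enough
    'jsmith2024!'   # fails: contains the account name
    'JohnRocks1'    # fails: contains 'John' from the display name
    'Summer2024'    # passes: upper, lower, digit
    'password'      # fails: one category only
    'Ab1!'          # fails: too short
) | ForEach-Object {
    Test-ADPasswordComplexity -Password $_ -SamAccountName 'jsmith' -DisplayName 'Smith, John'
} | Format-Table -AutoSize
```

The first sample is the point worth noticing: “P@ssw0rd” satisfies all of the built-in rules and is still one of the first guesses in any wordlist. Complexity is a floor, not a measure of strength.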

PowerShell for Active Directory password policy management 

As mentioned, PowerShell is an excellent tool for automating and auditing Active Directory password policy configuration. The cmdlets below come from the ActiveDirectory module (installed with the RSAT AD DS tools or on a domain controller) and require an account with rights to change domain policy. Here are a few PowerShell command examples for managing common AD password policy settings. 

Example 1: Get the Default Domain password policy 

Import-Module ActiveDirectory  
Get-ADDefaultDomainPasswordPolicy 
Getting the default domain password policy using PowerShell

Example 2: Set the minimum password length 

You can use PowerShell to set the minimum password length with the following command. The -Identity value is the domain (by DNS name or distinguished name); replace “domain.com” with your own. Adding -WhatIf shows what would change without applying it: 

Set-ADDefaultDomainPasswordPolicy -Identity "domain.com" -MinPasswordLength 10 

Example 3: Set the minimum password age 

Set the minimum password age with the following PowerShell code. The value is a TimeSpan in d.hh:mm:ss format (here, two days), and it must be shorter than the maximum password age or the domain controller rejects the change: 

Set-ADDefaultDomainPasswordPolicy -Identity "domain.com" -MinPasswordAge 2.00:00:00 

Example 4: Create new fine grained password policies 

Since Windows Server 2008 (and a domain functional level of 2008 or higher), you can create multiple Password Settings Objects (PSOs) to apply different password and lockout policies within a single domain. A PSO can be applied to users and to global security groups only; it cannot be targeted at OUs, computers, or other group types. 

For example: 

# Import the necessary Active Directory module 

Import-Module ActiveDirectory 

# Create a new PSO 

New-ADFineGrainedPasswordPolicy -Name "TestPasswordPolicy" -Precedence 500 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -MinPasswordLength 8 -PasswordHistoryCount 24 -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) -LockoutDuration (New-TimeSpan -Minutes 30) 

Below, a similar command is used to create a new PSO. 

Creating a new fine-grained password policy

This command creates a new PSO with the following settings: 

  • Name: TestPasswordPolicy 
  • Precedence: 500 
  • Password complexity: Enabled 
  • Reversible encryption: Disabled 
  • Minimum password length: 8 characters 
  • Password history count: The last 24 passwords 
  • Maximum password age: 60 days 
  • Minimum password age: 1 day 
  • Account lockout threshold: 5 failed logon attempts 
  • Lockout observation window: 30 minutes 
  • Lockout duration: 30 minutes 

Remember to replace “TestPasswordPolicy” with a name of your choice and adjust the other parameters to your organization’s password policy requirements. Note that the precedence value matters when more than one PSO applies to the same user: the PSO with the lowest precedence number wins. 

After creating the PSO, you must apply it to a user or a global security group, otherwise it has no effect. Here’s how you could apply the new policy to a group named “TestGroup”: 

# Apply the PSO to a group 

Add-ADFineGrainedPasswordPolicySubject -Identity "TestPasswordPolicy" -Subjects "TestGroup" 

Note: Fine-Grained Password Policies and the cmdlets for managing them (such as New-ADFineGrainedPasswordPolicy) require a domain functional level of Windows Server 2008 or higher. To confirm which policy a given user actually ends up with, use Get-ADUserResultantPasswordPolicy; if it returns nothing, the user is governed by the Default Domain Policy. 
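The following script ties the steps above together end to end: create the PSO only if it does not already exist, confirm the target is a global security group before linking it, link it, and then verify what a member is actually held to. It is an added example written for this article, not code from the original post; the names TestPasswordPolicy, TestGroup and the member jsmith are placeholders, and the settings are the ones used in the article’s command. It assumes the ActiveDirectory module and rights to create PSOs.

```powershell
# Added example: create, link and verify a fine-grained password policy.
# Placeholders: TestPasswordPolicy, TestGroup, jsmith.
Import-Module ActiveDirectory

$psoName   = 'TestPasswordPolicy'
$groupName = 'TestGroup'

# New-ADFineGrainedPasswordPolicy fails if the name already exists, so look it up first.
$pso = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'"
if (-not $pso) {
    $psoSettings = @{
        Name                        = $psoName
        Precedence                  = 500
        ComplexityEnabled           = $true
        ReversibleEncryptionEnabled = $false
        MinPasswordLength           = 8
        PasswordHistoryCount        = 24
        MaxPasswordAge              = New-TimeSpan -Days 60
        MinPasswordAge              = New-TimeSpan -Days 1
        LockoutThreshold            = 5
        LockoutObservationWindow    = New-TimeSpan -Minutes 30
        LockoutDuration             = New-TimeSpan -Minutes 30
    }
    $pso = New-ADFineGrainedPasswordPolicy @psoSettings -PassThru
}

# PSOs take effect only for users and global security groups. Linking a PSO to any
# other group type leaves the members on the default domain policy, so check scope.
$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "$groupName is a $($group.GroupCategory)/$($group.GroupScope) group; PSOs only apply to global security groups."
}

Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group

# The lowest precedence number wins when several PSOs apply to one user. Listing all
# PSOs in precedence order shows whether the new one can be shadowed by another.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo |
    Format-Table -AutoSize

# Resultant policy for a member: this is the policy the user is actually held to.
# Nothing returned means no PSO applies (user not in the group, or not a global
# security group) and the Default Domain Policy governs the account.
$resultant = Get-ADUserResultantPasswordPolicy -Identity 'jsmith'
if ($null -eq $resultant) {
    Write-Warning 'jsmith is governed by the Default Domain Policy (no PSO applies).'
} else {
    "jsmith -> PSO '$($resultant.Name)' (precedence $($resultant.Precedence), min length $($resultant.MinPasswordLength))"
}
```

The resultant-policy check at the end is the one most people skip. A PSO that is created and linked but never verified is a common reason a “tighter” policy silently does nothing, for example because the target group was a domain local group.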

Points to Remember with PowerShell password policy automation in Active Directory 

1. Fine-Grained password policies 

Often overlooked, fine-grained password policies in Active Directory offer granular control beyond the single domain password policy. By allowing multiple password and lockout policies within the same domain, they fit scenarios where specific accounts or groups (service accounts, administrators, contractors) need different requirements from everyone else.  

2. Protect against brute force attacks with lockout policies 

Brute force attacks on user accounts are a real threat. Using the LockoutThreshold, LockoutObservationWindow, and LockoutDuration parameters effectively in your Active Directory password policy is a first line of defense against them; a threshold of 0 disables lockout entirely, and AD requires the observation window to be no longer than the lockout duration. Keep in mind that lockout cuts both ways: an attacker who knows your threshold can deliberately lock out accounts as a denial of service, or stay just under it with low-and-slow password spraying across many accounts. Treat failed logon events as signals to monitor, not just counters to enforce, and pair lockout with breached-password screening rather than relying on it alone. 

3. Maintain balance between security and user convenience 

Enforcing a robust password policy prevents weak passwords and enhances password security. However, policies that are too strict might lead to frequent password changes, causing inconvenience and possibly leading to insecure practices like writing down passwords.  

Use PowerShell to find that balance, focusing on parameters like MinPasswordLength, MaxPasswordAge, and PasswordHistoryCount. A longer minimum length with a longer (or no) expiry, combined with screening for known-compromised passwords, generally beats a short length with frequent forced rotation. Your aim should be to maximize security without significantly impacting user experience. 
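The checks described in points 2 and 3 above can be run as a single audit rather than read off one policy at a time. The script below is an added example written for this article, not code from the original post: it evaluates the Default Domain Policy (the object returned by Example 1) and every PSO against a baseline and reports deviations, including the settings that most often undermine each other (lockout disabled, minimum age 0 defeating history, reversible encryption, passwords that never expire). The baseline numbers are this example’s assumptions; replace them with your own standard.

```powershell
# Added example: audit the default domain policy and all PSOs against a baseline.
# Baseline values are assumptions for illustration; adjust to your own standard.
Import-Module ActiveDirectory

$baseline = @{
    MinPasswordLength    = 14
    PasswordHistoryCount = 24
    MaxPasswordAgeDays   = 365
    LockoutThreshold     = 10    # 0 disables lockout entirely
    LockoutWindowMinutes = 15
}

function Test-PasswordPolicyBaseline {
    param(
        [Parameter(Mandatory)] $Policy,      # ADDefaultDomainPasswordPolicy or ADFineGrainedPasswordPolicy
        [Parameter(Mandatory)] [string] $Label,
        $Precedence = $null                  # only PSOs have one
    )

    $findings = New-Object System.Collections.Generic.List[string]

    if ($Policy.MinPasswordLength -lt $baseline.MinPasswordLength) {
        $findings.Add("MinPasswordLength $($Policy.MinPasswordLength) < $($baseline.MinPasswordLength)")
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings.Add('Complexity disabled')
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings.Add('Reversible encryption ENABLED (passwords recoverable in clear text)')
    }
    if ($Policy.PasswordHistoryCount -lt $baseline.PasswordHistoryCount) {
        $findings.Add("PasswordHistoryCount $($Policy.PasswordHistoryCount) < $($baseline.PasswordHistoryCount)")
    }

    # A zero (or unset) maximum age means passwords never expire.
    if (-not $Policy.MaxPasswordAge -or $Policy.MaxPasswordAge.TotalDays -eq 0) {
        $findings.Add('MaxPasswordAge 0 (passwords never expire)')
    } elseif ($Policy.MaxPasswordAge.TotalDays -gt $baseline.MaxPasswordAgeDays) {
        $findings.Add("MaxPasswordAge $($Policy.MaxPasswordAge.TotalDays) days > $($baseline.MaxPasswordAgeDays)")
    }

    # A zero minimum age lets a user burn through the whole history in one sitting.
    if (-not $Policy.MinPasswordAge -or $Policy.MinPasswordAge.TotalDays -eq 0) {
        $findings.Add('MinPasswordAge 0 (history can be cycled immediately)')
    }

    if ($Policy.LockoutThreshold -eq 0) {
        $findings.Add('LockoutThreshold 0 (unlimited guesses, lockout disabled)')
    } else {
        if ($Policy.LockoutThreshold -gt $baseline.LockoutThreshold) {
            $findings.Add("LockoutThreshold $($Policy.LockoutThreshold) > $($baseline.LockoutThreshold)")
        }
        if ($Policy.LockoutObservationWindow.TotalMinutes -lt $baseline.LockoutWindowMinutes) {
            $findings.Add("LockoutObservationWindow $($Policy.LockoutObservationWindow.TotalMinutes) min < $($baseline.LockoutWindowMinutes)")
        }
    }

    [pscustomobject]@{
        Policy     = $Label
        Precedence = $Precedence
        Findings   = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
    }
}

$results = @()
$results += Test-PasswordPolicyBaseline -Policy (Get-ADDefaultDomainPasswordPolicy) -Label 'Default Domain Policy'
$results += Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    Test-PasswordPolicyBaseline -Policy $_ -Label "PSO: $($_.Name)" -Precedence $_.Precedence
}
$results | Sort-Object Precedence | Format-Table -AutoSize -Wrap

# A quick signal that lockout is doing work (or that someone is spraying): how many
# user accounts are locked out right now.
$lockedOut = @(Search-ADAccount -LockedOut -UsersOnly).Count
"Currently locked-out user accounts: $lockedOut"
```

Run it from a scheduled task and diff the output over time; a PSO that appears with “Reversible encryption ENABLED” or “LockoutThreshold 0” between two runs is worth an immediate look, because those are exactly the changes an attacker with delegated rights would make quietly.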

Advanced Active Directory password policy management with Specops 

Standard settings in AD, while practical, may not be enough to enforce modern, strong password policies. This is where more advanced solutions like Specops Password Policy can help. 

Specops Password Policy extends the functionality of Active Directory password policy settings. It works with your existing Group Policies and isn’t a “rip and replace” solution. It enables you to enhance your password policies by incorporating features such as breached password protection, custom dictionary lists, and passphrase settings. As shown below, Specops enables admins to have many more password enforcement options than Active Directory’s defaults. 

Admins can enforce compliance requirements and help users create stronger passwords in Active Directory with dynamic, informative client feedback. They can extend the functionality of Group Policies and simplify the management of fine-grained password policies. The solution can target any GPO level, group, user, or computer with dictionary and passphrase settings. 

Specops provides a wide range of password rules to define the organization's password policy

However, it’s important to remember that even strong passwords can become compromised through password reuse, phishing attacks, or data breaches. Specops Password Policy also has the option of a Breached Password protection feature, which is non-existent in Active Directory by default. Breached Password Protection allows admins to check their Active Directory environments against Specops’ list of over 4 billion unique compromised passwords, including those being used in cyber-attacks right now. 

Specops lets you easily add breached password protection to your AD DS environment

With the continued rise of cybersecurity threats, advanced tools like Specops can significantly enhance your organization’s password security posture. By automating the management of Active Directory password policy settings and adhering to password policy best practices, you can ensure your organization is well-equipped to ward off potential security threats. Try Specops Password Policy for free to rapidly boost your Active Directory security.  

(Last updated on September 19, 2024)


Written by

Brandon Lee

Brandon Lee has been in the industry 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security & cloud, and contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.
