Useful PowerShell commands for managing Active Directory password policies
Managing password policies in Active Directory is an essential task for a system administrator managing AD DS environments. Password policies help to enforce password policy best practices so passwords are not easily guessed or compromised. Managing and configuring password policy settings can not only be done from the Group Policy Management Editor but also using PowerShell.
Combining Active Directory management with the flexibility and power of PowerShell can help optimize password policy management tasks. Since Microsoft has built-in official PowerShell modules that allow admins to interact with, configure, and manage Active Directory settings, it’s easy to get started. We’ll explain how and give you some real examples to try.
Active Directory password policies
In Active Directory, the default domain policy settings govern the password policy settings for all user accounts. However, an organization may need to set different policies for different users or groups, which are known as fine-grained password policies.
The importance of password policies
Password policies are a critical aspect of an organization’s security infrastructure. They help mitigate security risks such as brute force attacks and the compromise of corporate passwords by enforcing requirements like minimum password length, maximum password age, and password history.
End users tend to create weak passwords that are generally easily guessed and subject to brute-force attack campaigns by hackers. What’s worse, high-level domain admin accounts may have weak passwords or even multiple accounts with the same password.
Password policies in Active Directory
Active Directory password policy settings are typically configured via Group Policy Management Console (GPMC). The Default Domain Policy in Microsoft Active Directory includes a default password policy that can be modified to fit the organization’s needs. Below is a view of the Default Domain Policy brought up in the Group Policy Management editor.
Default group policy password settings
You can view the default domain policy settings in the Group Policy Management Console (GPMC). After launching gpmc.msc from a run or cmd prompt, these settings are located under “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Security Settings” -> “Account Policies” -> “Password Policy”.
The password policy settings include the following:
- Enforce password history – Define a set number of passwords remembered, preventing the user from setting a password they have used recently. This essentially enables AD to store password hashes so it can determine whether the password has been used before.
- Maximum password age – Set the maximum password age to enforce your password expiration policies when a password expires.
- Minimum password age – Choose a minimum password age, which determines the period that a password must be used before the user can change it.
- Minimum password length – Set minimum password length to prevent very short passwords from being used.
- Passwords must meet complexity requirements – This setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements:
  - Not contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
  - Be at least six characters in length
  - Contain characters from three of the following four categories:
    - English uppercase characters (A through Z)
    - English lowercase characters (a through z)
    - Base 10 digits (0 through 9)
    - Non-alphabetic characters (for example, !, $, #, %)
  - Complexity requirements are enforced when passwords are changed or created.
- Store passwords using reversible encryption – Provides support for applications that use protocols requiring knowledge of the user’s password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.
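The complexity rules listed above are easy to misread, so here is an added example (not from the original article, and not an Active Directory cmdlet) that mirrors them as a local check. The function name Test-PasswordComplexity, its parameters, and the sample account values are the author's own choices; it is intended for auditing test values against the rule set, not for handling production credentials.

```powershell
# Added example (not from the original article): a local check that mirrors the
# built-in complexity rules. Function and parameter names are the author's own
# choices, not an AD cmdlet.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string] $SamAccountName = '',
        [string] $DisplayName = ''
    )
    $failures = @()

    # Rule 1: at least six characters
    if ($Password.Length -lt 6) { $failures += 'Shorter than 6 characters' }

    # Rule 2: must not contain the account name, or any part of the full name
    # longer than two characters (full name split on common delimiters)
    $tokens = @()
    if ($SamAccountName.Length -gt 2) { $tokens += $SamAccountName }
    $tokens += ($DisplayName -split '[,\.\-_ #\t]' | Where-Object { $_.Length -gt 2 })
    foreach ($t in $tokens) {
        # case-insensitive substring search, no wildcard interpretation of the token
        if ($Password.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $failures += "Contains name token '$t'"
        }
    }

    # Rule 3: characters from at least three of the four categories
    $categories = 0
    if ($Password -cmatch '[A-Z]')         { $categories++ }   # English uppercase
    if ($Password -cmatch '[a-z]')         { $categories++ }   # English lowercase
    if ($Password -match  '[0-9]')         { $categories++ }   # base 10 digits
    if ($Password -match  '[^A-Za-z0-9]')  { $categories++ }   # non-alphanumeric
    if ($categories -lt 3) { $failures += "Only $categories of 4 character categories" }

    [pscustomobject]@{
        Compliant = ($failures.Count -eq 0)
        Failures  = $failures
    }
}

# Constructed sample values: the first passes, the second fails on the account-name rule
Test-PasswordComplexity -Password 'Summer2023'  -SamAccountName 'jsmith' -DisplayName 'John Smith'
Test-PasswordComplexity -Password 'jsmith#2023' -SamAccountName 'jsmith' -DisplayName 'John Smith'
```

Note that "Summer2023" satisfies every rule above and would still be a poor password; the complexity setting is a floor, which is why the later sections of this article treat length, history and breached-password checks as the real controls.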
PowerShell for Active Directory password policy management
As mentioned, PowerShell is an excellent tool to automate the management and configuration process of Active Directory password policies. Here are a few PowerShell command examples for managing common AD password policy settings.
Example 1: Get the Default Domain password policy
Import-Module ActiveDirectory
Get-ADDefaultDomainPasswordPolicy
Example 2: Set the minimum password length
You can use PowerShell to set the minimum password length using the following:
Set-ADDefaultDomainPasswordPolicy -Identity "domain.com" -MinPasswordLength 10
Example 3: Set the minimum password age
Set the minimum password age with the following PowerShell code:
Set-ADDefaultDomainPasswordPolicy -Identity "domain.com" -MinPasswordAge 2.00:00:00
Example 4: Create new fine grained password policies
With the later versions of Microsoft Active Directory Domain Services, you can now create multiple password settings objects (PSOs) to apply different password policies for different users, computers, locations, etc.
# Import the necessary Active Directory module
Import-Module ActiveDirectory

# Create a new PSO (parameters collected in a hashtable and splatted for readability)
$psoParams = @{
    Name                        = "TestPasswordPolicy"
    Precedence                  = 500
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MinPasswordLength           = 8
    PasswordHistoryCount        = 24
    MaxPasswordAge              = (New-TimeSpan -Days 60)
    MinPasswordAge              = (New-TimeSpan -Days 1)
    LockoutThreshold            = 5
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    LockoutDuration             = (New-TimeSpan -Minutes 30)
}
New-ADFineGrainedPasswordPolicy @psoParams
Below, we are using a similar command to create a new PSO object.
This command creates a new PSO with the following settings:
- Name: TestPasswordPolicy
- Precedence: 500
- Password complexity: Enabled
- Reversible encryption: Disabled
- Minimum password length: 8 characters
- Password history count: The last 24 passwords
- Maximum password age: 60 days
- Minimum password age: 1 day
- Account lockout threshold: 5 failed logon attempts
- Lockout observation window: 30 minutes
- Lockout duration: 30 minutes
Remember to replace the policy name with one of your choice and adjust the other parameters according to your organization’s password policy requirements.
After creating the PSO, you must apply it to a user or group. Here’s how you could apply this new policy to a group named “TestGroup”:
# Apply the PSO to a group (the identity must match the PSO name created above)
Add-ADFineGrainedPasswordPolicySubject -Identity "TestPasswordPolicy" -Subjects "TestGroup"
Note: Fine-Grained Password Policies and the associated cmdlets for managing them (like New-ADFineGrainedPasswordPolicy) require at least Windows Server 2008 domain functional level.
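Creating and assigning a PSO does not by itself prove that a given user receives it: a PSO with a lower precedence number, or no group membership at all, can leave the user on a different policy. As an added example (not from the original article), the following uses the ActiveDirectory module's Get-ADUserResultantPasswordPolicy and Get-ADFineGrainedPasswordPolicySubject cmdlets to verify the effective policy. "TestPasswordPolicy" and "TestGroup" are the names used in the article; "jsmith" is a constructed sample account.

```powershell
# Added example (not from the original article): verify which password policy
# actually applies to a user after assigning a PSO. "jsmith" is a constructed
# sample account name.
Import-Module ActiveDirectory

# Confirm the PSO lists the intended group (or users) among its subjects
Get-ADFineGrainedPasswordPolicySubject -Identity 'TestPasswordPolicy' |
    Select-Object Name, ObjectClass

# Resolve the effective policy for one account. Where several PSOs apply, the
# one with the lowest Precedence value wins; if no PSO applies, nothing is
# returned and the Default Domain Policy is in effect.
$resultant = Get-ADUserResultantPasswordPolicy -Identity 'jsmith'
if ($null -eq $resultant) {
    Write-Output 'No PSO applies to jsmith; the Default Domain Policy is in effect:'
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object MinPasswordLength, MaxPasswordAge, LockoutThreshold
} else {
    Write-Output "Effective PSO for jsmith:"
    $resultant |
        Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge,
                      PasswordHistoryCount, LockoutThreshold, LockoutDuration
}
```

Running this for a few representative accounts (a standard user, a service account, a member of Domain Admins) after every PSO change is a cheap way to catch precedence collisions before they surface as helpdesk tickets.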
Points to Remember with PowerShell password policy automation in Active Directory
1. Fine-Grained password policies
Often overlooked, the fine-grained password policies in Active Directory offer granular control over the domain password policy. By allowing the creation of multiple password policies within the same domain, they are perfect in scenarios where unique password requirements are necessary for specific user accounts or groups, but not others.
2. Protect against brute force attacks with lockout policies
Brute force attacks on user accounts are a real threat. Using the LockoutThreshold, LockoutObservationWindow, and LockoutDuration parameters effectively in your Active Directory password policy can be your first defense against such attempts. Remember, every failed login attempt is a potential compromise of corporate passwords.
3. Maintain balance between security and user convenience
Enforcing a robust password policy prevents weak passwords and enhances password security. However, policies that are too strict might lead to frequent password changes, causing inconvenience and possibly leading to insecure practices like writing down passwords.
Use PowerShell commands to strike a balance, focusing on parameters like MinPasswordLength, MaxPasswordAge, and PasswordHistoryCount. Your aim should be to maximize security without significantly impacting user experience.
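Points 2 and 3 above both come down to the same operational question: do the Default Domain Policy and every PSO in the domain actually sit within the limits you decided on? As an added example (not from the original article), the following audit script reads each policy with the ActiveDirectory module and reports deviations from a baseline. The values in $baseline, the function name Test-PasswordPolicyBaseline, and the choice of which settings to flag are the author's illustrative assumptions; replace them with your organization's own standard.

```powershell
# Added example (not from the original article): audit the Default Domain Policy
# and all fine-grained password policies against a baseline. The numbers below
# are the author's illustrative assumptions, not Microsoft recommendations.
Import-Module ActiveDirectory

$baseline = @{
    MinPasswordLength      = 12
    MaxPasswordAgeDays     = 90    # upper bound; 0 (never expires) is also flagged
    PasswordHistoryCount   = 24
    LockoutThreshold       = 10    # upper bound; 0 (lockout disabled) is also flagged
    LockoutDurationMinutes = 15    # minimum lockout duration
}

function Test-PasswordPolicyBaseline {
    param(
        [Parameter(Mandatory)] $Policy,   # ADDefaultDomainPasswordPolicy or ADFineGrainedPasswordPolicy
        [Parameter(Mandatory)] [string] $Label
    )
    $findings = @()

    if ($Policy.MinPasswordLength -lt $baseline.MinPasswordLength) {
        $findings += "MinPasswordLength $($Policy.MinPasswordLength) below $($baseline.MinPasswordLength)"
    }
    if ($Policy.PasswordHistoryCount -lt $baseline.PasswordHistoryCount) {
        $findings += "PasswordHistoryCount $($Policy.PasswordHistoryCount) below $($baseline.PasswordHistoryCount)"
    }
    # MaxPasswordAge is a TimeSpan; 0 means passwords never expire
    $ageDays = if ($Policy.MaxPasswordAge) { $Policy.MaxPasswordAge.TotalDays } else { 0 }
    if ($ageDays -eq 0 -or $ageDays -gt $baseline.MaxPasswordAgeDays) {
        $findings += "MaxPasswordAge $ageDays days outside 1..$($baseline.MaxPasswordAgeDays)"
    }
    # Lockout: 0 disables lockout entirely; a very high threshold weakens it
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $baseline.LockoutThreshold) {
        $findings += "LockoutThreshold $($Policy.LockoutThreshold) outside 1..$($baseline.LockoutThreshold)"
    }
    $lockMinutes = if ($Policy.LockoutDuration) { $Policy.LockoutDuration.TotalMinutes } else { 0 }
    if ($lockMinutes -lt $baseline.LockoutDurationMinutes) {
        $findings += "LockoutDuration $lockMinutes minutes below $($baseline.LockoutDurationMinutes)"
    }
    if (-not $Policy.ComplexityEnabled)         { $findings += 'Complexity requirements disabled' }
    if ($Policy.ReversibleEncryptionEnabled)    { $findings += 'Reversible encryption enabled' }

    [pscustomobject]@{
        Policy    = $Label
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

$results = @()
$results += Test-PasswordPolicyBaseline -Policy (Get-ADDefaultDomainPasswordPolicy) -Label 'Default Domain Policy'
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $results += Test-PasswordPolicyBaseline -Policy $pso -Label "PSO $($pso.Name) (precedence $($pso.Precedence))"
}
$results | Format-Table Policy, Compliant, Findings -AutoSize -Wrap
```

Because the check runs read-only cmdlets, it can be scheduled from a monitoring host and its output diffed over time; a PSO that suddenly appears with a low precedence number and a weak lockout threshold is the kind of change you want to see in that diff rather than discover later.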
Advanced Active Directory password policy management with Specops
Standard settings in AD, while practical, may not be enough to enforce modern, strong password policies. This is where more advanced solutions like Specops Password Policy can help.
Specops Password Policy extends the functionality of Active Directory password policy settings. It works with your existing Group Policies and isn’t a “rip and replace” solution. It enables you to enhance your password policies by incorporating features such as breached password protection, custom dictionary lists, and passphrase settings. As shown below, Specops enables admins to have many more password enforcement options than Active Directory’s defaults.
Admins can enforce compliance requirements and help users create stronger passwords in Active Directory with dynamic, informative client feedback. They can extend the functionality of Group Policies and simplify the management of fine-grained password policies. The solution can target any GPO level, group, user, or computer with dictionary and passphrase settings.
However, it’s important to remember that even strong passwords can become compromised through password reuse, phishing attacks, or data breaches. Specops Password Policy also has the option of a Breached Password protection feature, which is non-existent in Active Directory by default. Breached Password Protection allows admins to check their Active Directory environments against Specops’ list of over 4 billion unique compromised passwords, including those being used in cyber-attacks right now.
With the continued rise of cybersecurity threats, advanced tools like Specops can significantly enhance your organization’s password security posture. By automating the management of Active Directory password policy settings and adhering to password policy best practices, you can ensure your organization is well-equipped to ward off potential security threats. Try Specops Password Policy for free to rapidly boost your Active Directory security.
(Last updated on August 31, 2023)