Reference Material | PowerShell cmdlets

All operations that can be performed using the Specops Password Policy administration tools can also be performed from Windows PowerShell.

Note: To run the cmdlets, Windows PowerShell 5.1 must be installed on the server running the Administration Tools.

Getting started

Specops Password Policy includes the following Windows PowerShell cmdlets. They are installed as a PowerShell module with the Specops Password Policy Admin Tools. You might have to start a new PowerShell window after installing the Admin Tools for the cmdlets to become available.

Administration cmdlets

To list all the Specops Password Policy administration cmdlets, run the following command in PowerShell:

Get-Command -Module Specops.SpecopsPasswordPolicy

Create a Specops Password Policy GPO

You can configure a password policy to use classic password rules.

$policy = New-PasswordPolicy
$policy.MinimumLength = 8
$policy.Digit = 1
Set-PasswordPolicy -GpoName SPP -Policy $policy

Passphrase

You can configure a password policy to use passphrases.

$policy = New-PasswordPolicy
$policy.PhrasesMinimumLength = 25
$policy.PasswordPolicyType = "Passphrase"
Set-PasswordPolicy -GpoName SPP -Policy $policy

Both password rules and passphrase

You can configure a password policy to use both classic password rules and passphrases.

$policy = New-PasswordPolicy
$policy.PasswordPolicyType = "Both"
$policy.PhrasesMinimumLength = 25
$policy.PhraseRegexDigit = $true
$policy.MinimumLength = 8
$policy.Digit = 1
$policy.Upper = 1
Set-PasswordPolicy -GpoName SPP -Policy $policy

Resolve a user’s Specops Password Policy GPO

A user’s Specops Password Policy GPO can be resolved. If the user isn’t affected by Specops Password Policy, nothing will be returned.

Example 1: Resolve policy using userPrincipalName

Get-PasswordPolicyAffectingUser 'John.Doe@acme.org' | Format-List

Sample output: 

PS C:\Scripts> Get-PasswordPolicyAffectingUser 'John.Doe@acme.org' | Format-List

GpoId : 31862cba-7bd9-4150-80cf-2ab23a896a41
GpoName : Specops Password Policy - High Privilege
PasswordPolicy : Specopssoft.SpecopsPasswordPolicy.AdministrationApi.PasswordPolicy

Example 2: Resolve policy using sAMAccountName

Get-PasswordPolicyAffectingUser John | Format-List

Sample output: 

PS C:\Scripts> Get-PasswordPolicyAffectingUser John | Format-List

GpoId : 31862cba-7bd9-4150-80cf-2ab23a896a41
GpoName : Specops Password Policy - High Privilege
PasswordPolicy : Specopssoft.SpecopsPasswordPolicy.AdministrationApi.PasswordPolicy
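Because the cmdlet returns nothing for a user that no Specops Password Policy GPO affects, it can be used to audit coverage across a list of accounts. The following is an added example, not part of the original documentation: the function name Get-SpecopsPolicyCoverage, the LookupError column and the account 'svc-backup' are made up for illustration, and the try/catch is defensive because the page does not say how the cmdlet reports a failed lookup.

```powershell
# Added example: report which accounts resolve to a Specops Password Policy GPO.
# Requires the Specops Password Policy Admin Tools module described on this page.
function Get-SpecopsPolicyCoverage {
    [CmdletBinding()]
    param(
        # userPrincipalName or sAMAccountName values, as in Examples 1 and 2
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Identity
    )
    process {
        foreach ($id in $Identity) {
            $row = [ordered]@{
                Identity    = $id
                Covered     = $false
                GpoName     = $null
                GpoId       = $null
                LookupError = $null
            }
            try {
                # Positional argument, exactly as the page calls the cmdlet.
                # Nothing is returned when no Specops policy affects the user.
                $result = Get-PasswordPolicyAffectingUser $id -ErrorAction Stop
                if ($result) {
                    $row.Covered = $true
                    $row.GpoName = $result.GpoName
                    $row.GpoId   = $result.GpoId
                }
            }
            catch {
                # Keep a failed lookup distinct from "no policy applies"
                $row.LookupError = $_.Exception.Message
            }
            [pscustomobject]$row
        }
    }
}

# Constructed sample input; replace with the accounts to audit.
$accounts = 'John.Doe@acme.org', 'John', 'svc-backup'
$report   = $accounts | Get-SpecopsPolicyCoverage

$report | Format-Table Identity, Covered, GpoName, LookupError -AutoSize

# Accounts with no Specops policy: candidates for review
$report | Where-Object { -not $_.Covered } | Select-Object -ExpandProperty Identity
```

Accounts listed by the last line are not governed by any Specops Password Policy GPO, so review whichever password policy they fall back to, particularly for privileged or service accounts.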

Enforce Leaked Password Scanning (Breached Password Protection Express customers only)

By default, Specops Password Policy Sentinel runs leaked password scanning on the PDC emulator every night, provided the Breached Password Protection Express list has been updated. If the list has not been updated, there is no need to scan. The scanning can also be enforced from the admin tool or with the Start-PasswordPolicyLeakedPasswordScanning cmdlet.

Example: Enforce nightly counting (must be called on the PDC emulator, from an elevated PowerShell window)

Start-PasswordPolicyLeakedPasswordScanning -Verbose

Sample output (successful): 

PS C:\Scripts> Start-PasswordPolicyLeakedPasswordScanning -Verbose
VERBOSE: User counting started successfully.

Sample output (PowerShell not started with ‘Run as administrator’): 

PS C:\Users\admin> Start-PasswordPolicyLeakedPasswordScanning -Verbose
VERBOSE: User counting could not be started (FailedToStartUserCountingAccessDeniedToNamedEventException).

Sample output (not on the PDC emulator): 

# Start-PasswordPolicyLeakedPasswordScanning -Verbose
VERBOSE: User counting could not be started (FailedToStartUserCountingNotPdcEmulatorException).