PowerShell cmdlets

All operations that can be performed using the Specops Password Policy administration tools can also be performed from Windows PowerShell.

NOTE
To run the cmdlets, Windows PowerShell 5.1 must be installed on the server running the Administration Tools.

Getting started

Specops Password Policy includes the following Windows PowerShell cmdlets. They are installed as a PowerShell module together with the Specops Password Policy Admin Tools. You might have to open a new PowerShell window after installing the Admin Tools before the cmdlets are available.

Administration cmdlets

For a list of all Specops Password Policy administration cmdlets, run the following command in PowerShell:

Get-Command -Module Specops.SpecopsPasswordPolicy

Creating a Specops Password Policy GPO

You can configure a password policy to use classic password rules.

$policy = New-PasswordPolicy
$policy.MinimumLength = 8
$policy.Digit = 1
Set-PasswordPolicy -GpoName SPP -Policy $policy
NOTE
The GPO ID can be used instead of the GPO name. In that case, replace the -GpoName argument with -GpoId.

Passphrase

You can configure a password policy to use passphrases.

$policy = New-PasswordPolicy
$policy.PhrasesMinimumLength = 25
$policy.PasswordPolicyType = "Passphrase"
Set-PasswordPolicy -GpoName SPP -Policy $policy

Both password rules and passphrase

You can configure a password policy to use both classic password rules and passphrases.

$policy = New-PasswordPolicy
$policy.PasswordPolicyType = "Both"
$policy.PhrasesMinimumLength = 25
$policy.PhraseRegexDigit = $true
$policy.MinimumLength = 8
$policy.Digit = 1
$policy.Upper = 1
Set-PasswordPolicy -GpoName SPP -Policy $policy
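The three snippets above create a policy object, set its properties and write it to a GPO by name. The following added example (not from the Specops documentation) does the same for a stricter combined policy, but resolves the GPO through the GroupPolicy module first so that a mistyped GPO name fails early, applies the policy with -GpoId as the NOTE above allows, and prints the object's settings before writing them so that they can be reviewed. The GPO name 'SPP - Privileged Accounts' and the values chosen are assumptions; only the cmdlets and property names used on this page are relied on.

```powershell
# Added example, not Specops' own code. Assumes the GroupPolicy RSAT module is
# installed and that Set-PasswordPolicy -GpoId accepts the GUID from Get-GPO.
Import-Module GroupPolicy -ErrorAction Stop
Import-Module Specops.SpecopsPasswordPolicy -ErrorAction Stop

$gpoName = 'SPP - Privileged Accounts'   # hypothetical GPO name

# Resolve the GPO up front; a typo in the name fails here, not inside Set-PasswordPolicy.
$gpo = Get-GPO -Name $gpoName -ErrorAction Stop

# Combined policy: classic rules AND passphrases are accepted (see "Both" above).
$policy = New-PasswordPolicy
$policy.PasswordPolicyType   = 'Both'
$policy.PhrasesMinimumLength = 25
$policy.PhraseRegexDigit     = $true
$policy.MinimumLength        = 15      # stricter than the 8 used in the examples above
$policy.Digit                = 1
$policy.Upper                = 1
# Assigning to a property that does not exist on the .NET policy object throws,
# so a misspelled setting cannot silently become a no-op.
# To discover every available setting:  $policy | Get-Member -MemberType Property

# Review what will be written before it is written.
$policy |
    Select-Object PasswordPolicyType, MinimumLength, Digit, Upper,
                  PhrasesMinimumLength, PhraseRegexDigit |
    Format-List

try {
    Set-PasswordPolicy -GpoId $gpo.Id -Policy $policy -ErrorAction Stop
    Write-Host "Policy applied to '$($gpo.DisplayName)' ($($gpo.Id))"
}
catch {
    Write-Error "Failed to apply policy to '$gpoName': $_"
}
```

Applying by -GpoId rather than -GpoName is useful in scripts because GPO display names can be renamed or duplicated across domains while the GUID stays fixed.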

Removing a Specops Password Policy GPO

Use Remove-PasswordPolicy to remove the Specops Password Policy configuration from a GPO. No policy object is needed; the GPO is identified by name:

Remove-PasswordPolicy -GpoName SPP
NOTE
The GPO ID can be used instead of the GPO name. In that case, replace the -GpoName argument with -GpoId.

Resolving a user’s Specops Password Policy GPO

A user's Specops Password Policy GPO can be resolved with Get-PasswordPolicyAffectingUser, which accepts either a userPrincipalName or a sAMAccountName. If the user is not affected by any Specops Password Policy, nothing is returned.

Example 1: Resolve policy using userPrincipalName

Get-PasswordPolicyAffectingUser 'John.Doe@acme.org' | Format-List

Sample output:

PS C:\Scripts> Get-PasswordPolicyAffectingUser 'John.Doe@acme.org' | Format-List

GpoId : 31862cba-7bd9-4150-80cf-2ab23a896a41
GpoName : Specops Password Policy - High Privilege
PasswordPolicy : Specopssoft.SpecopsPasswordPolicy.AdministrationApi.PasswordPolicy

Example 2: Resolve policy using sAMAccountName

Get-PasswordPolicyAffectingUser John | Format-List

Sample output:

PS C:\Scripts> Get-PasswordPolicyAffectingUser John | Format-List

GpoId : 31862cba-7bd9-4150-80cf-2ab23a896a41
GpoName : Specops Password Policy - High Privilege
PasswordPolicy : Specopssoft.SpecopsPasswordPolicy.AdministrationApi.PasswordPolicy
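Because the cmdlet returns nothing for a user that no Specops policy covers, it is a convenient way to audit coverage of a sensitive group. The following added example (not from the Specops documentation) resolves the policy for every user in a group and flags the members that fall back to the default domain password policy only. It assumes the ActiveDirectory RSAT module is installed and that the PasswordPolicy property returned is the same object type that New-PasswordPolicy creates (so MinimumLength is readable on it); the group name 'Domain Admins' is just the value used for the run.

```powershell
# Added example, not Specops' own code.
Import-Module ActiveDirectory -ErrorAction Stop
Import-Module Specops.SpecopsPasswordPolicy -ErrorAction Stop

function Get-SppCoverage {
    param([Parameter(Mandatory)][string]$GroupName)

    # -Recursive so members of nested groups are included; only user objects are checked.
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
               Where-Object objectClass -eq 'user'

    foreach ($m in $members) {
        # The cmdlet accepts UPN or sAMAccountName; sAMAccountName is used here.
        # An uncovered user yields $null.
        $hit = Get-PasswordPolicyAffectingUser $m.SamAccountName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            User      = $m.SamAccountName
            Covered   = [bool]$hit
            GpoName   = if ($hit) { $hit.GpoName } else { '<none>' }
            GpoId     = if ($hit) { $hit.GpoId }   else { $null }
            # Assumption: PasswordPolicy exposes the same MinimumLength property set above.
            MinLength = if ($hit) { $hit.PasswordPolicy.MinimumLength } else { $null }
        }
    }
}

$group  = 'Domain Admins'
$report = Get-SppCoverage -GroupName $group
$report | Sort-Object Covered, User | Format-Table -AutoSize

# Members with no Specops policy are governed only by the default domain policy.
$uncovered = @($report | Where-Object { -not $_.Covered })
if ($uncovered.Count -gt 0) {
    Write-Warning "$($uncovered.Count) member(s) of '$group' have no Specops Password Policy: $($uncovered.User -join ', ')"
}
```

Get-ADGroupMember fails on very large groups (the default AD web service limit is 5000 members); for those, enumerate with Get-ADUser -LDAPFilter on memberOf instead. To see the full settings of a resolved policy rather than the type name that Format-List prints, expand the nested object: `(Get-PasswordPolicyAffectingUser 'John.Doe@acme.org').PasswordPolicy | Format-List`.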

Forcing a leaked password scan (Breached Password Protection Express customers only)

By default, Specops Password Policy Sentinel runs the leaked password scan on the PDC emulator every night, but only when the Breached Password Protection Express list has been updated; if the list is unchanged there is nothing to rescan. A scan can be forced from the admin tool or with the Start-PasswordPolicyLeakedPasswordScanning cmdlet.

Example: force the nightly user counting. The cmdlet must be run on the PDC emulator, from an elevated PowerShell window.

Start-PasswordPolicyLeakedPasswordScanning -Verbose

Sample output (successful):

PS C:\Scripts> Start-PasswordPolicyLeakedPasswordScanning -Verbose
VERBOSE: User counting started successfully.

Sample output (PowerShell not started with ‘Run as administrator’):

PS C:\Users\admin> Start-PasswordPolicyLeakedPasswordScanning -Verbose
VERBOSE: User counting could not be started (FailedToStartUserCountingAccessDeniedToNamedEventException).

Sample output (not on the PDC emulator):

Start-PasswordPolicyLeakedPasswordScanning -Verbose
VERBOSE: User counting could not be started (FailedToStartUserCountingNotPdcEmulatorException).

Specops Breached Password Protection Express Cmdlets

Get status of Breached Password Protection Express (Get-PasswordPolicyBppExpressList, also referred to as Get-SppBppExpressList)

This cmdlet gets the status of the Breached Password Protection Express list to determine whether an update is available online. Optionally, the integrity of the downloaded Express list can be validated: integrity validation compares the hash of every Express list file in SYSVOL with its expected hash from the metadata file. Confirm the exact cmdlet name in your installed version with Get-Command -Module Specops.SpecopsPasswordPolicy.

Get-PasswordPolicyBppExpressList [[-DomainName] <string>] [-VerifyFileIntegrity]

Update Breached Password Protection Express list (Update-PasswordPolicyBppExpressList, also referred to as Update-SppBppExpressList)

This cmdlet updates the Breached Password Protection Express list if an update is available online. -Force downloads the list even when no update is reported.

Update-PasswordPolicyBppExpressList [-DomainName <string>] [-Force] [-TempFolder <string>]
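The scan section above lists two ways Start-PasswordPolicyLeakedPasswordScanning refuses to run (not elevated, not on the PDC emulator), and the two Express list cmdlets above are what a manual list refresh consists of. The following added example (not from the Specops documentation) ties them into one runbook: it checks both preconditions before calling anything, checks and updates the Express list, then starts the scan and reads its VERBOSE stream to recognise the exact outcomes shown in the sample output. It assumes the ActiveDirectory RSAT module is installed; the temp folder path is hypothetical, and because this page does not document the property names of the status object, the script displays that object rather than branching on it.

```powershell
# Added example, not Specops' own code.
Import-Module ActiveDirectory -ErrorAction Stop
Import-Module Specops.SpecopsPasswordPolicy -ErrorAction Stop

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-IsPdcEmulator {
    $pdc = (Get-ADDomain).PDCEmulator                                  # FQDN of the FSMO holder
    $me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # this host's FQDN
    $pdc -ieq $me
}

# Fail fast on the two preconditions the cmdlet itself would otherwise report.
if (-not (Test-IsElevated))    { throw 'Run this from an elevated PowerShell window.' }
if (-not (Test-IsPdcEmulator)) { throw 'Run this on the PDC emulator.' }

# 1. Status of the Express list, including an integrity check of the files in SYSVOL.
$status = Get-PasswordPolicyBppExpressList -VerifyFileIntegrity
$status | Format-List *

# 2. Fetch a newer list if one is available. -Force is deliberately omitted so an
#    unchanged list is not downloaded again.
$tmp = 'C:\Temp\SppBpp'   # hypothetical working folder
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
Update-PasswordPolicyBppExpressList -TempFolder $tmp -ErrorAction Stop

# 3. Start the scan. Its result is reported on the verbose stream (stream 4), so merge
#    that into the success stream and inspect the message text.
$messages = Start-PasswordPolicyLeakedPasswordScanning -Verbose 4>&1 |
            ForEach-Object { $_.ToString() }
$text = $messages -join "`n"

switch -Regex ($text) {
    'started successfully'              { Write-Host 'Leaked password scan started.'; break }
    'AccessDeniedToNamedEventException' { throw 'Scan refused: PowerShell is not elevated.' }
    'NotPdcEmulatorException'           { throw 'Scan refused: this host is not the PDC emulator.' }
    default                             { Write-Warning "Unexpected result from scan:`n$text" }
}
```

Matching on the exception names inside the VERBOSE text is deliberate: the cmdlet reports these failures as verbose messages rather than terminating errors, so a plain try/catch would not see them.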