Thursday, February 24, 2011

Create a New Fine-Grained Password Policy

This topic explains how to use the Active Directory module for Windows PowerShell to create a new fine-grained password policy.

Example 1

The following example demonstrates how to create a new fine-grained password policy for the domain users in the Fabrikam.com domain:
New-ADFineGrainedPasswordPolicy -Name "DomainUsersPSO" -Precedence 500 -ComplexityEnabled $true -Description "The Domain Users Password Policy" -DisplayName "Domain Users PSO" -LockoutDuration "0.12:00:00" -LockoutObservationWindow "0.00:15:00" -LockoutThreshold 10 -MaxPasswordAge "60.00:00:00" -MinPasswordAge "1.00:00:00" -MinPasswordLength 8 -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false

Example 2

The following example is a sample script that demonstrates how to create a new fine-grained password policy from a template:
# Build an in-memory template object that holds the settings shared by both policies.
$templatePSO = New-Object Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy
$templatePSO.ComplexityEnabled = $true
# TimeSpan strings use the form "days.hours:minutes:seconds".
$templatePSO.LockoutDuration = [TimeSpan]::Parse("0.12:00:00")
$templatePSO.LockoutObservationWindow = [TimeSpan]::Parse("0.00:15:00")
$templatePSO.LockoutThreshold = 10
$templatePSO.MinPasswordAge = [TimeSpan]::Parse("0.00:10:00")
$templatePSO.PasswordHistoryCount = 24
$templatePSO.ReversibleEncryptionEnabled = $false
# Create each PSO from the template; the parameters given here supply the per-policy values.
New-ADFineGrainedPasswordPolicy -Instance $templatePSO -Name "SvcAccPSO" -Precedence 100 -Description "The Service Accounts Password Policy" -DisplayName "Service Accounts PSO" -MaxPasswordAge "30.00:00:00" -MinPasswordLength 20
New-ADFineGrainedPasswordPolicy -Instance $templatePSO -Name "AdminsPSO" -Precedence 200 -Description "The Domain Administrators Password Policy" -DisplayName "Domain Administrators PSO" -MaxPasswordAge "15.00:00:00" -MinPasswordLength 10
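
A new PSO has no effect until it is applied to users or global security groups, and when several PSOs reach the same user the one with the lowest Precedence value wins. The following added example (not part of the original post) applies the two PSOs from Example 2 and then audits every PSO in the domain. The group name "Service Accounts", the account name "svc-backup" and the minimum-length baseline of 8 are assumptions, and it needs PowerShell 3.0 or later.

```powershell
# Added example, not from the original post. Run from a session with the
# ActiveDirectory module and rights to modify the Password Settings Container.
Import-Module ActiveDirectory

# Assumption: 'Service Accounts' is a hypothetical global security group.
# 'Domain Admins' is the built-in group; the PSO names come from Example 2.
$assignments = @{ 'SvcAccPSO' = 'Service Accounts'; 'AdminsPSO' = 'Domain Admins' }
foreach ($psoName in $assignments.Keys) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $assignments[$psoName]
}

# Return the findings for one PSO; an empty result means nothing was flagged.
function Get-PsoFinding {
    param([Parameter(Mandatory = $true)] $Pso, [int] $MinLength = 8)  # 8 = assumed baseline
    $findings = @()
    if ($Pso.ReversibleEncryptionEnabled)      { $findings += 'reversible encryption enabled' }
    if (-not $Pso.ComplexityEnabled)           { $findings += 'complexity disabled' }
    if ($Pso.MinPasswordLength -lt $MinLength) { $findings += "MinPasswordLength below $MinLength" }
    if ($Pso.LockoutThreshold -eq 0)           { $findings += 'lockout disabled (threshold 0)' }
    if (($Pso.AppliesTo | Measure-Object).Count -eq 0) { $findings += 'applies to no user or group' }
    $findings
}

$psos = Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence

# Lower Precedence wins when several PSOs reach the same user, so the table
# lists the policies in winning order together with any findings.
$psos | ForEach-Object {
    [pscustomobject]@{
        Name       = $_.Name
        Precedence = $_.Precedence
        AppliesTo  = $_.AppliesTo -join '; '
        Findings   = (Get-PsoFinding -Pso $_) -join ', '
    }
} | Format-Table -AutoSize -Wrap

# Two PSOs sharing one Precedence value make the effective policy hard to predict.
$psos | Group-Object Precedence | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("Precedence {0} is shared by: {1}" -f $_.Name, (($_.Group | ForEach-Object { $_.Name }) -join ', '))
}

# Confirm what one account actually receives (hypothetical account name). No output
# means no PSO applies and the account falls back to the default domain policy.
Get-ADUserResultantPasswordPolicy -Identity 'svc-backup' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
```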

Additional information

You can use the following parameters when you set many of the common values that are associated with the creation of a new fine-grained password policy:
  • -ComplexityEnabled
  • -Description
  • -DisplayName
  • -LockoutDuration
  • -LockoutObservationWindow
  • -LockoutThreshold
  • -MaxPasswordAge
  • -MinPasswordAge
  • -MinPasswordLength
  • -PasswordHistoryCount
  • -ReversibleEncryptionEnabled
For a full explanation of the parameters that you can pass to New-ADFineGrainedPasswordPolicy, at the Active Directory module command prompt, type Get-Help New-ADFineGrainedPasswordPolicy -Detailed, and then press ENTER.
