
Get Password Policy for User in Active Directory in PowerShell

Using Get-ADDefaultDomainPasswordPolicy Cmdlet

The Get-ADDefaultDomainPasswordPolicy cmdlet retrieves the default password policy of the specified domain. It can be used in several ways depending on the use case; let's walk through a few of them below.

Use the Get-ADDefaultDomainPasswordPolicy cmdlet with the -Current parameter set to LoggedOnUser to get the default password policy of the domain that the currently logged-on user belongs to. The user can be Administrator or any other domain account.

Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser
ComplexityEnabled           : True
DistinguishedName           : DC=maslab,DC=com
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 0
MaxPasswordAge              : 42.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 7
objectClass                 : {domainDNS}
objectGuid                  : 574e7bd0-a042-45d2-8fdd-00ca4cb0a769
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False

Alternatively, run the Get-ADDefaultDomainPasswordPolicy cmdlet without any parameters; it then returns the default password policy of the currently logged-on user's domain.

Use the Get-ADDefaultDomainPasswordPolicy cmdlet with the -Identity parameter to get the default password policy of a specific domain in Active Directory; in our case, it is maslab.com.

Get-ADDefaultDomainPasswordPolicy -Identity maslab.com
ComplexityEnabled           : True
DistinguishedName           : DC=maslab,DC=com
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 0
MaxPasswordAge              : 42.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 7
objectClass                 : {domainDNS}
objectGuid                  : 574e7bd0-a042-45d2-8fdd-00ca4cb0a769
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False

Use Get-ADForest with Get-ADDefaultDomainPasswordPolicy

Use the Get-ADForest cmdlet together with the Get-ADDefaultDomainPasswordPolicy cmdlet to retrieve the default password policy object of every domain in the current forest.

(Get-ADForest -Current LoggedOnUser).Domains |
ForEach-Object {
    Get-ADDefaultDomainPasswordPolicy -Identity $_
}
ComplexityEnabled           : True
DistinguishedName           : DC=maslab,DC=com
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 0
MaxPasswordAge              : 42.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 7
objectClass                 : {domainDNS}
objectGuid                  : 574e7bd0-a042-45d2-8fdd-00ca4cb0a769
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False

First, we used the Get-ADForest cmdlet to retrieve details about the current Active Directory forest, resolved from the domain of the currently logged-on user. How does this cmdlet know which user is logged on? Because we specified the -Current parameter and set its value to LoggedOnUser. The cmdlet returned the forest object, which contains the forest name, forest functional level, domain names, and so on.

Then, we used the .Domains property to get all domains in the current forest and piped them to the ForEach-Object cmdlet, which iterates over every domain name. In each iteration, we called the Get-ADDefaultDomainPasswordPolicy cmdlet with the -Identity parameter to get the password policy of the current object ($_).

We got the same output as before because our forest has a single domain (maslab.com).
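The forest loop above only prints each policy; the following added example (not code from the original post) applies it to review every domain's default policy against a baseline. The threshold values and the function name are assumptions for this example; the ActiveDirectory module is assumed to be available and the caller able to read each domain.

```powershell
# Added example: audit the default password policy of every domain in the forest.
Import-Module ActiveDirectory

# Baseline thresholds are assumptions for this example; adjust to your own standard.
$MinLength  = 14
$MinHistory = 24
$MaxAgeDays = 365

function Test-DomainPasswordPolicy {
    param([Parameter(Mandatory)][string]$Domain)

    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $p.ComplexityEnabled)               { $findings.Add('complexity disabled') }
    if ($p.MinPasswordLength -lt $MinLength)     { $findings.Add("MinPasswordLength $($p.MinPasswordLength) < $MinLength") }
    if ($p.PasswordHistoryCount -lt $MinHistory) { $findings.Add("PasswordHistoryCount $($p.PasswordHistoryCount) < $MinHistory") }
    if ($p.LockoutThreshold -eq 0)               { $findings.Add('LockoutThreshold 0 (no lockout)') }
    if ($p.ReversibleEncryptionEnabled)          { $findings.Add('reversible encryption enabled') }

    # A zero TimeSpan is how the cmdlet reports "passwords never expire".
    if ($p.MaxPasswordAge -eq [TimeSpan]::Zero) {
        $findings.Add('MaxPasswordAge 0 (passwords never expire)')
    } elseif ($p.MaxPasswordAge.TotalDays -gt $MaxAgeDays) {
        $findings.Add("MaxPasswordAge $($p.MaxPasswordAge.TotalDays) days > $MaxAgeDays")
    }

    # One row per domain; an empty finding list means the domain met the baseline.
    [pscustomobject]@{
        Domain   = $Domain
        Findings = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
    }
}

(Get-ADForest -Current LoggedOnUser).Domains |
    ForEach-Object { Test-DomainPasswordPolicy -Domain $_ } |
    Format-Table -AutoSize
```

Run against the sample domain shown above, the row for maslab.com would list the 7-character minimum length and the lockout threshold of 0 as findings.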

Use Get-ADUser with Get-ADDefaultDomainPasswordPolicy

Use the Get-ADUser cmdlet together with the Get-ADDefaultDomainPasswordPolicy cmdlet to build a detailed password policy report for a specific user in Active Directory.

$user_name = "Administrator"
# Retrieve the user with all properties so PasswordLastSet, PasswordExpired, etc. are populated.
$user = Get-ADUser -Identity $user_name -Properties *
$domain_policy = Get-ADDefaultDomainPasswordPolicy
$password_policy_for_one_user = @{
    "Password Never Expires" = $user.PasswordNeverExpires
    "Password Last Set" = $user.PasswordLastSet
    "Password Expired" = $user.PasswordExpired
    "Minimum Password Length" = $domain_policy.MinPasswordLength
    "Minimum Password Age" = $domain_policy.MinPasswordAge
    "Maximum Password Age" = $domain_policy.MaxPasswordAge
    "Password Complexity" = $domain_policy.ComplexityEnabled
    # The policy object exposes PasswordHistoryCount (there is no HistoryLength property).
    "Password History Count" = $domain_policy.PasswordHistoryCount
    "Lockout Threshold" = $domain_policy.LockoutThreshold
    "Lockout Duration" = $domain_policy.LockoutDuration
}
$password_policy_for_one_user
Name                            Value
----                            -----
"Lockout Duration"              00:30:00
"Password Last Set"             7/16/2023 4:35:46 PM
"Minimum Password Length"       7
"Password Expired"              False
"Password Complexity"           True
"Lockout Threshold"             0
"Minimum Password Age"          1.00:00:00
"Maximum Password Age"          42.00:00:00
"Password History Count"        24
"Password Never Expires"        False

First, we initialized the $user_name variable with Administrator; don't forget to replace Administrator with the username you want to inspect. Then, we used the Get-ADUser cmdlet with the -Identity parameter to retrieve the user from Active Directory and stored it in the $user variable. This $user object carries every property because we set the -Properties parameter to the wildcard character (*).

Next, we used the Get-ADDefaultDomainPasswordPolicy cmdlet to get the default password policy and assigned it to the $domain_policy variable. After that, we created a HashTable whose keys map to the corresponding user and policy values. We stored this HashTable in the $password_policy_for_one_user variable and then displayed it on the PowerShell console.

Can we also add calculated properties to meet a project's needs, for instance the password age, meaning the time elapsed since the password was last changed? Yes, of course! See the following example.

Use the Get-ADUser cmdlet with the Get-ADDefaultDomainPasswordPolicy cmdlet to display calculated properties for the specified user in Active Directory.

$user_name = "Administrator"
$user = Get-ADUser -Identity $user_name -Properties *
$domain_policy = Get-ADDefaultDomainPasswordPolicy
# Calculated property: time elapsed since the password was last set, as a TimeSpan.
$password_age = (Get-Date) - $user.PasswordLastSet
$password_age_days = $password_age.TotalDays
$password_policy_for_one_user = @{
    "Password Never Expires" = $user.PasswordNeverExpires
    "Password Last Set" = $user.PasswordLastSet
    "Password Age Days" = $password_age_days
    "Password Expired" = $user.PasswordExpired
    "Minimum Password Length" = $domain_policy.MinPasswordLength
    "Minimum Password Age" = $domain_policy.MinPasswordAge
    "Maximum Password Age" = $domain_policy.MaxPasswordAge
    "Password Complexity" = $domain_policy.ComplexityEnabled
    "Password History Count" = $domain_policy.PasswordHistoryCount
    "Lockout Threshold" = $domain_policy.LockoutThreshold
    "Lockout Duration" = $domain_policy.LockoutDuration
}
$password_policy_for_one_user
Name                            Value
----                            -----
"Lockout Duration"              00:30:00
"Password Last Set"             7/16/2023 4:35:46 PM
"Minimum Password Length"       7
"Password Expired"              False
"Password Complexity"           True
"Lockout Threshold"             0
"Password Age Days"             0.293340765600694
"Minimum Password Age"          1.00:00:00
"Maximum Password Age"          42.00:00:00
"Password History Count"        24
"Password Never Expires"        False
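The default domain policy is not always the policy that governs a given account: a fine-grained password policy (PSO) applied to the user or one of its groups takes precedence. The following added example (not code from the original post) extends the per-user report above by resolving the effective policy with Get-ADUserResultantPasswordPolicy first and falling back to the domain default, then flags accounts the policy cannot protect. The function name and the "Attention" rule are assumptions for this example; the ActiveDirectory module is assumed to be loaded.

```powershell
# Added example: report the password policy that actually applies to one user.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicyReport {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties PasswordLastSet, PasswordNeverExpires, PasswordExpired, PasswordNotRequired

    # Returns $null when no PSO applies to the user; fall back to the domain default.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($pso) {
        $policy = $pso
        $source = "PSO: $($pso.Name)"
    } else {
        $policy = Get-ADDefaultDomainPasswordPolicy
        $source = 'Default Domain Policy'
    }

    # PasswordLastSet is $null for an account that has never set a password.
    $ageDays = if ($user.PasswordLastSet) { ((Get-Date) - $user.PasswordLastSet).TotalDays } else { $null }
    $maxDays = $policy.MaxPasswordAge.TotalDays   # 0 means the policy never expires passwords

    [pscustomobject]@{
        User                 = $user.SamAccountName
        PolicySource         = $source
        MinPasswordLength    = $policy.MinPasswordLength
        PasswordHistoryCount = $policy.PasswordHistoryCount
        LockoutThreshold     = $policy.LockoutThreshold
        MaxPasswordAgeDays   = $maxDays
        PasswordAgeDays      = if ($null -ne $ageDays) { [math]::Round($ageDays, 1) } else { 'never set' }
        PasswordNeverExpires = $user.PasswordNeverExpires
        PasswordNotRequired  = $user.PasswordNotRequired
        # Flag accounts exempt from expiry, with no password required, or already past the maximum age.
        Attention            = ($user.PasswordNeverExpires -or $user.PasswordNotRequired -or
                                ($maxDays -gt 0 -and $null -ne $ageDays -and $ageDays -gt $maxDays))
    }
}

Get-EffectivePasswordPolicyReport -SamAccountName 'Administrator' | Format-List
```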

Using net accounts Command

Use the net accounts command to get the password policy in effect on the local computer; on a domain controller (Computer role: PRIMARY in the output below) this reflects the domain account policy.

net accounts
Force user logoff how long after time expires?:     Never
Minimum password age (days):                        1
Maximum password age (days):                        42
Minimum password length:                            7
Length of password history maintained:              24
Lockout threshold:                                  Never
Lockout duration (minutes):                         30
Lockout observation window (minutes):               30
Computer role:                                      PRIMARY
The command completed successfully.

Using Group Policy Management Editor

To view the policy in the Group Policy Management Editor, follow these steps:

Step 1: Open the Group Policy Management Editor.

Step 2: Navigate to the Default Domain Policy. Right-click it and select Edit.

Step 3: Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy, as shown in the screenshot of the original post. The password policy settings are listed on the left-hand side (box number 2); double-click any setting in box 2 to edit it (if you want).

That's all about how to get the password policy for a user in Active Directory with PowerShell.

This post first appeared on How To Learn Java Programming.