Create Fine Grained Password Policy

  • Question

  • Can anyone tell me how to create fine grained password policy with powershell? 
    Monday, October 9, 2017 6:35 AM

Answers

  • Hi,

    When you need to create something or you are wondering how you can accomplish that, first use help or Get-Command to see what options and commands you can use.

    help Get-ADFineGrainedPasswordPolicy
    get-command *adFineGrainedPasswordPolicy*

    Example

    New-ADFineGrainedPasswordPolicy Test -Precedence 1 -ComplexityEnabled $true -PasswordHistoryCount 20 -MinPasswordLength 8
    You can use help New-ADFineGrainedPasswordPolicy to see the parameters you can use.




    Please remember to mark the replies as answers if they help.

    NEDIMMEHIC.ORG


    • Edited by Nedim Mehic Monday, October 9, 2017 6:42 AM
    • Marked as answer by D-TOXXX Monday, October 9, 2017 11:47 AM
    Monday, October 9, 2017 6:42 AM
  • Get-help Add-ADFineGrainedPasswordPolicySubject

    Example

    Add-ADFineGrainedPasswordPolicySubject -Identity "Pass policy name" -Subjects "User or a group name"



    NEDIMMEHIC.ORG

    • Marked as answer by D-TOXXX Monday, October 9, 2017 11:47 AM
    Monday, October 9, 2017 7:07 AM
  • You can run for example,

    This command will give you Name, ObjectClass and DistinguishedName. Under Name you will see the user name or group name, and under ObjectClass it will show you whether that is a user or a group.

    Get-ADFineGrainedPasswordPolicySubject -Identity "<pass policy name>" | FT Name,ObjectClass,DistinguishedName -AutoSize

    With this command you can get the properties of the policy. It will show you AppliesTo.

    Get-ADFineGrainedPasswordPolicy 'CN=<policyname>,CN=Password Settings Container,CN=System,DC=domain,DC=com' -Properties *



    NEDIMMEHIC.ORG


    • Edited by Nedim Mehic Monday, October 9, 2017 7:35 AM
    • Marked as answer by D-TOXXX Monday, October 9, 2017 11:47 AM
    Monday, October 9, 2017 7:35 AM
  • msDS-ResultantPSO is the attribute that will be added to a user account, if a PSO is applied on that user.

    You can run this line to get the PSO that's assigned to a user. Just replace OU DN with your OU/domain.

    Get-ADUser -filter * -searchbase "OU DN" -Properties msDS-ResultantPSO |select Name,msDS-ResultantPSO


    Kind regards,

    Tim
    MCITP, MCTS, MCSA
    http://directoryadmin.blogspot.com

    This posting is provided 'AS IS' with no warranties or guarantees and confers no rights.

    "If this thread answered your question, please click on "Mark as Answer"



    • Edited by Tim Buntrock Monday, October 9, 2017 8:11 AM
    • Marked as answer by D-TOXXX Monday, October 9, 2017 11:47 AM
    Monday, October 9, 2017 8:09 AM
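
The steps from the answers above (create, assign, verify) combined into one re-runnable script, as an added example that is not part of any reply in this thread. The policy, group and user names and all setting values are constructed placeholders; it assumes the ActiveDirectory module and rights to create PSOs.

```powershell
Import-Module ActiveDirectory

$policyName = 'PSO-Finance'        # hypothetical policy name
$groupName  = 'GG-Finance-Users'   # hypothetical global security group
$testUser   = 'jdoe'               # hypothetical member of that group

# 1. Create the policy only if it is missing, so the script can be re-run.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    $settings = @{                 # sample values, adjust to your own standard
        Name                            = $policyName
        Precedence                      = 10   # lower value wins on conflict
        ComplexityEnabled               = $true
        ReversibleEncryptionEnabled     = $false
        PasswordHistoryCount            = 20
        MinPasswordLength               = 14
        MinPasswordAge                  = New-TimeSpan -Days 1
        MaxPasswordAge                  = New-TimeSpan -Days 90
        LockoutThreshold                = 5
        LockoutObservationWindow        = New-TimeSpan -Minutes 30
        LockoutDuration                 = New-TimeSpan -Minutes 30
        ProtectedFromAccidentalDeletion = $true
    }
    New-ADFineGrainedPasswordPolicy @settings
}

# 2. A PSO takes effect only on users and global security groups, so check
#    the group before linking it.
$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "$groupName must be a global security group for the PSO to apply."
}
$linked = Get-ADFineGrainedPasswordPolicySubject -Identity $policyName
if ($linked.DistinguishedName -notcontains $group.DistinguishedName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $group
}

# 3. Report every PSO with its precedence and the subjects it is linked to.
Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence | ForEach-Object {
    $pso = $_
    Get-ADFineGrainedPasswordPolicySubject -Identity $pso |
        Select-Object @{n='Policy';e={$pso.Name}},
                      @{n='Precedence';e={$pso.Precedence}}, Name, ObjectClass
} | Format-Table -AutoSize

# 4. Show the policy that actually wins for one user. No output means no PSO
#    applies and the user falls back to the default domain password policy.
Get-ADUserResultantPasswordPolicy -Identity $testUser
```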

All replies

  • Thank you! I created one policy just to test how it works but when I ran Get-ADFineGrainedPasswordPolicy it says AppliesTo:{}. How can I assign this policy to my test users? 
    Monday, October 9, 2017 6:57 AM
  • Now I get it. I need to create 15 more for every department. Is there a way to check those policies or to see which groups are getting them, like policy 1 is applied to these users or groups, or this user is getting this policy? 
    Monday, October 9, 2017 7:23 AM