Determine the Default Password Policy for an Active Directory Domain with PowerShell

I’ve been working with PowerShell for a few years, and every day I find cmdlets that I didn’t know existed. A while ago I wrote some PowerShell code to query Group Policy for the lockout policy of an Active Directory domain. It used code similar to what’s shown in the following example, which requires the GroupPolicy PowerShell module that installs as part of the RSAT (Remote Server Administration Tools).

(([xml](Get-GPOReport -Name "Default Domain Policy" -ReportType Xml)
).GPO.Computer.ExtensionData.Extension.Account |
Where-Object name -eq LockoutBadCount).SettingNumber

I recently discovered that there is a Get-ADDefaultDomainPasswordPolicy cmdlet that is part of the ActiveDirectory PowerShell module that also installs as part of the RSAT.

Get-ADDefaultDomainPasswordPolicy

You could select only the LockoutThreshold property to return the same results as shown in the first example:

(Get-ADDefaultDomainPasswordPolicy).LockoutThreshold

The default lockout threshold for Active Directory accounts is 0, which means they’re never locked out. That’s not good, so it’s something you might want to consider adding to your operational readiness testing for your infrastructure. The following example is a Pester test that checks this setting and verifies that it’s not set to zero.

Describe 'LockoutThreshold' {
    It 'Should NOT be zero' {
        (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold |
        Should Not Be 0
    }
}

Once you correct the problem by changing the account lockout threshold to a value greater than zero, the test should pass.
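The same approach extends to the other settings that Get-ADDefaultDomainPasswordPolicy returns. The following is an added example, not code from the original post, that checks several of those properties against a baseline in one Pester run. The values in the $Baseline hashtable are assumptions chosen for illustration; replace them with your own organisation’s standard. It uses the same Pester assertion syntax as the tests above.

```powershell
# Added example (not from the original post): test the default domain password
# policy against a baseline. Requires the ActiveDirectory module (RSAT) and Pester.
# The baseline values are assumptions for illustration only.
$Baseline = @{
    LockoutThreshold            = 5      # failed logons before lockout; 0 means never
    MinPasswordLength           = 14     # characters
    PasswordHistoryCount        = 24     # previous passwords remembered
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false # storing reversible passwords defeats hashing
}

# Query the domain once and reuse the result in every test.
$Policy = Get-ADDefaultDomainPasswordPolicy

Describe 'Default Domain Password Policy' {

    It 'Should NOT allow unlimited failed logon attempts' {
        # 0 would also pass a "less than" check, so test it explicitly.
        $Policy.LockoutThreshold | Should Not Be 0
    }

    It "Should lock out after no more than $($Baseline.LockoutThreshold) failed attempts" {
        $Policy.LockoutThreshold | Should BeLessThan ($Baseline.LockoutThreshold + 1)
    }

    It "Should require at least $($Baseline.MinPasswordLength) characters" {
        $Policy.MinPasswordLength | Should BeGreaterThan ($Baseline.MinPasswordLength - 1)
    }

    It "Should remember at least $($Baseline.PasswordHistoryCount) previous passwords" {
        $Policy.PasswordHistoryCount | Should BeGreaterThan ($Baseline.PasswordHistoryCount - 1)
    }

    It 'Should enforce password complexity' {
        $Policy.ComplexityEnabled | Should Be $Baseline.ComplexityEnabled
    }

    It 'Should NOT store passwords with reversible encryption' {
        $Policy.ReversibleEncryptionEnabled | Should Be $Baseline.ReversibleEncryptionEnabled
    }
}
```

Save the block as a .Tests.ps1 file and run Invoke-Pester from a host with the RSAT installed; each failing assertion names the setting that drifted from the baseline, which makes the output usable as an operational readiness check rather than a one-off query.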

I like that Pester shows how long it took to execute the test. Comparing the timing of the test above with the Get-GPOReport version below tells me that Get-ADDefaultDomainPasswordPolicy is not only easier to use, but also more efficient.

Describe 'LockoutThreshold' {
    It 'Should NOT be zero' {
        (([xml](Get-GPOReport -Name "Default Domain Policy" -ReportType Xml)
        ).GPO.Computer.ExtensionData.Extension.Account |
        Where-Object name -eq LockoutBadCount).SettingNumber |
        Should Not Be 0
    }
}
