http://powershell.com/cs/search/SearchResults.aspx?q=(app:forums+OR+groupid:24)&tag=Active+Directory,Set-ADDefaultDomainPasswordPolicy&orTags=0&o=DateDescendingSearch results for '(app:forums OR groupid:24)' matching tags 'Active Directory' and 'Set-ADDefaultDomainPasswordPolicy'en-USCommunityServer 2008.5 (Build: 30929.2835)http://powershell.com/cs/forums/thread/8012.aspxWed, 27 Oct 2010 05:00:00 GMTf421715f-7aba-45f0-8a8d-44de5318a3a7:8012Aleksandar<p>If you have Windows Server 2008 R2 with Active Directory Domain Services role (and promoted to a domain controller) or a downlevel server with Active Directory Management Gateway Service (ADWS for Windows Server 2003 and Windows Server 2008), the easist way to change the default domain password policy is to use the&nbsp;Set-ADDefaultDomainPasswordPolicy cmdlet.</p> <p>First we need to load Active Directory module:</p> <p>PS C:\&gt; Import-Module ActiveDirectory</p> <p>Let&#39;s check the default domain password policy before a change:</p> <p>PS C:\&gt; Get-ADDefaultDomainPasswordPolicy -Identity test.local<br />ComplexityEnabled&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : True<br />DistinguishedName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : DC=test,DC=local<br /><strong>LockoutDuration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 00:30:00<br /></strong>LockoutObservationWindow&nbsp;&nbsp;&nbsp; : 00:30:00<br /><strong>LockoutThreshold&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0<br /></strong>MaxPasswordAge&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 42.00:00:00<br />MinPasswordAge&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 1.00:00:00<br />MinPasswordLength&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 7<br />objectClass&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : {domainDNS}<br />objectGuid&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : cf3b61ee-1a03-410e-9ecb-d5de33ea52ac<br />PasswordHistoryCount&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 24<br />ReversibleEncryptionEnabled : False</p> <p>This will set the default domain password policy for the current logged on user domain:</p> <p>PS C:\&gt; Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser | Set-ADDefaultDomainPasswordPolicy -LockoutDuration 00:40:00 -LockoutThreshold 3</p> <p>Let&#39;s check the result:</p> <p>PS C:\&gt; Get-ADDefaultDomainPasswordPolicy | Format-List lockout*<br /><strong>LockoutDuration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 00:40:00<br /></strong>LockoutObservationWindow : 00:30:00<br /><strong>LockoutThreshold&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 3</strong></p> <p>Success. :)</p> <p>When Active Directory is not an option, and you need to use [ADSI] type accelerator, the following steps are the easiest:</p> <p># connect to a current domain; for a change, we&#39;ll use WinNT moniker<br />PS C:\&gt; $domain = [ADSI]&quot;WinNT://$env:userdomain&quot;</p> <p># set lockout threshold value<br />PS C:\&gt; $domain.MaxBadPasswordsAllowed = 0</p> <p># set lockout duration value (in seconds)<br />PS C:\&gt; $domain.AutoUnlockInterval = 1800</p> <p># commit the changes to Active Directory; we need access to a raw object to expose CommitChanges method, therefore we use <em>psbase</em> property<br />PS C:\&gt; $domain.psbase.commitchanges()</p> <p>Pipe $domain and $domain.psbase to Get-Member cmdlet to see the difference. $domain.psbase offers much more. :)</p> <p>Hope this helps,<br />@alexandair</p> <p>&nbsp;</p> <p>&nbsp;</p>