New-ADFineGrainedPasswordPolicy

Create a new AD fine-grained policy.

Syntax
      New-ADFineGrainedPasswordPolicy [-Name] string [-Precedence int]
         [-AuthType {Negotiate | Basic}] [-ComplexityEnabled bool]
            [-Credential PSCredential] [-Description string]
               [-DisplayName string] [-Instance ADFineGrainedPasswordPolicy]
                  [-LockoutDuration TimeSpan] [-Lockout ObservationWindow TimeSpan]
                     [-LockoutThreshold int] [-MaxPasswordAge TimeSpan]
                        [-MinPasswordAge TimeSpan] [-MinPasswordLength int]
                           [-OtherAttributes hashtable] [-PassThru] [-PasswordHistoryCount int]
                              [-ProtectedFromAccidentalDeletion bool]
                                 [-ReversibleEncryptionEnabled bool] [-Server string]
                                    [-Confirm] [-WhatIf] [CommonParameters]
Key
   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -ComplexityEnabled <System.Nullable[bool]>
       Whether password complexity is enabled for the password policy.
       If enabled, the password must contain two of the following three character types: 
          Uppercase characters (A, B, C, D, E, ...)
          Lowercase characters (a, b, c, d, e, ...)
          Numerals (0, 1, 2, 3, ...) 

       Values: $false or 0, $true or 1

   -Credential PSCredential
       A user account that has permission to perform this action.
       The default is the current user unless the cmdlet is run from an AD PowerShell provider drive
       in which case the account associated with the drive is the default.

       "User64" or "Domain01\User64" or a PSCredential object.

   -Description string
       A description of the object.
       The LDAP Display Name for this property is "description".

   -DisplayName string
       The display name of the object.
       The LDAP Display Name for this property is "displayName".

   -Instance ADFineGrainedPasswordPolicy
       An instance of a fine-grained password policy object to use as a template for a new AD
       fine-grained password policy object.

       Method 1: Use an existing fine-grained password policy object as a template for a new object. Retrieve an
       instance of an existing computer object with Get-ADFineGrainedPasswordPolicy. Then provide this object
       to the -Instance parameter of New-ADFineGrainedPasswordPolicy to create a new object.
       property values may also be overridden for the new object by setting the appropriate parameters. 

          $FGpwPolicyInstance = Get-ADFineGrainedPasswordPolicy -Identity PasswordPolicy90
          New-ADFineGrainedPasswordPolicy -Name "PasswordPolicy180" -Instance $FGpwPolicyInstance -Precedence 600 -MaxPasswordAge "180" 

       Method 2: Create a new ADFineGrainedPasswordPolicy object and pass this object to the -Instance parameter
       of New-ADFineGrainedPasswordPolicy to create the new Policy object. 

          $FGpwPolicyInstance = new-object Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy
          $FGpwPolicyInstance.MaxPasswordAge = "180" 
          New-ADFineGrainedPasswordPolicy -Name "PasswordPolicy180"  -Instance $FGpwPolicyInstance

   -LockoutDuration TimeSpan
       The length of time that an account is locked after the number of failed login attempts
       exceeds the lockout threshold. You cannot login to an account that is locked until the
       lockout duration time period has expired.
       The LDAP display name for lockoutDuration is "msDS-LockoutDuration".

       The lockout duration must be greater than or equal to the lockout observation time
       for a password policy. Use the LockOutObservationWindow parameter to set the lockout observation time. 

       Time interval format:
            [-]D.H:M:S.F
       where:
              D = Days (0 to 10675199)
              H = Hours (0 to 23)
              M = Minutes (0 to 59)
              S = Seconds (0 to 59)
              F= Fractions of a second (0 to 9999999)

       Examples:
          Set the time to 2 days
            -LockoutDuration "2"
          Set the time to 4 hours
            -LockoutDuration "4:00"
          Set the time to 5 minutes
            -LockoutDuration "0:5"
          Set the time to 45 seconds
            LockoutDuration "0:0:45"

   -LockoutObservationWindow TimeSpan
       The maximum time interval between two unsuccessful login attempts before the number
       of unsuccessful login attempts is reset to 0.
       An account is locked when the number of unsuccessful login attempts exceeds the password
       policy lockout threshold.
       The LDAP Display Name of this property is "msDS-lockoutObservationWindow".

       The lockout observation window must be smaller than or equal to the lockout duration for a
       password policy. Use the LockoutDuration parameter to set the lockout duration time.

       Time interval format:
           [-]D.H:M:S.F
       where:
              D = Days (0 to 10675199)
              H = Hours (0 to 23)
              M = Minutes (0 to 59)
              S = Seconds (0 to 59)
              F= Fractions of a second (0 to 9999999)

       Note: Time values must be between the following values: 0:0:0:0.0 and 10675199:02:48:05.4775807.

       Examples:
          Set the time to 2 days
            -LockoutObservationWindow "2"
          Set the time to 4 hours
            -LockoutObservationWindow "4:00"
          Set the time to 5 minutes
            -LockoutObservationWindow "0:5"
          Set the time to 45 seconds
            -LockoutObservationWindow "0:0:45"

    -LockoutThreshold int
       The number of unsuccessful login attempts that are permitted before an
       account is locked out. This number increases when the time between
       unsuccessful login attempts is less than the time specified for the
       lockout observation time window.

    -MaxPasswordAge TimeSpan
       The maximum length of time that you can have the same password.
       After this time period, the password expires and you must create a new one. 
        
       The LDAP Display Name for this property is "maxPwdAge".

       Time interval format:
           [-]D.H:M:S.F
       where:
              [-] = Specifies a negative time interval
              D = Days (0 to 10675199)
              H = Hours (0 to 23)
              M = Minutes (0 to 59)
              S = Seconds (0 to 59)
              F= Fractions of a second (0 to 9999999)
        
       Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807

       Examples:
          Set the time span to 2 days
            MaxPasswordAge "2"
          Set the time span to the previous 2 days
            MaxPasswordAge "-2"
          Set the time span to 4 hours
            MaxPasswordAge "4:00"
          Set the time span to 5 minutes
            MaxPasswordAge "0:5"
          Set the time span to 45 seconds
            MaxPasswordAge "0:0:45"

   -MinPasswordAge TimeSpan
       The minimum length of time before you can change a password.
       The LDAP Display Name for this property is "minPwdAge".

       Time interval format:
           [-]D.H:M:S.F
       where:
              [-] = Specifies a negative time interval
              D = Days (0 to 10675199)
              H = Hours (0 to 23)
              M = Minutes (0 to 59)
              S = Seconds (0 to 59)
              F= Fractions of a second (0 to 9999999)

       Note: Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807.

       Examples
          Set the time span to 2 days
            -MinPasswordAge "2"
          Set the time span to 4 hours
            -MinPasswordAge "4:00"
          Set the time span to 5 minutes
            -MinPasswordAge "0:5"
          Set the time span to 45 seconds
            -MinPasswordAge "0:0:45"

   -MinPasswordLength int
       The minimum number of characters that a password must contain.

   -Name string
       The name of the object.
       The LDAP Display Name of this property is "name". 

   -OtherAttributes hashtable
        Specifies object attribute values for attributes that are not represented by cmdlet parameters.
        Syntax:
        To specify a single value:
           -OtherAttributes @{'AttributeLDAPDisplayName'=value}
        To specify multiple values
           -OtherAttributes @{'AttributeLDAPDisplayName'=value1,value2,...}

        e.g.:
           -OtherAttributes @{'ItemPrice'=123; 'favColors'="red","blue"}

   -PassThru
       Returns the new or modified object.
       By default (i.e. if -PassThru is not specified), this cmdlet does not 
       generate any output.

   -PasswordHistoryCount int
       The number of previous passwords to save.
       A user cannot reuse a password in the list of saved passwords.
       This parameter sets the PasswordHistoryCount property for a password policy. 

   -Precedence int
       A value that defines the precedence of a fine-grained password policy among
       all fine-grained password  policies. 
       The LDAP display name for this property is "msDS-PasswordSettingsPrecedence".

       This value determines which password policy to use when more than one password policy
       applies to a user or group. When there is a conflict, the password policy that has
       the lower Precedence property value has higher priority.
        
       Typically, password policy precedence values are assigned in multiples of 10 or 100, 
       making it easier to add policies at a later time.

       If the specified Precedence parameter is already assigned to another password policy object,
       the cmdlet returns a terminating error.

   -ProtectedFromAccidentalDeletion bool
       Whether to prevent the object from being deleted.
       When this property is set to true, you cannot delete the corresponding object without
       first changing the value of this property.
       Possible values: $false or 0, $true or 1

   -ReversibleEncryptionEnabled bool
       Whether the directory must store passwords using reversible encryption.
       Possible values: $false or 0, $true or 1 

   -Server string
       The AD Domain Services instance to connect to, this may be a Fully qualified domain name,
       NetBIOS name, Fully qualified directory server name (with or without port number) or AD Snapshot instance.

       Examples: demo.SS64.com  demo  demoDC02.demo.ss64.com  demoDC02.demo.ss64.com:3268

   -Confirm
       Prompt for confirmation before executing the command.

   -WhatIf
       Describe what would happen if you executed the command, without actually executing the command.

   CommonParameters:
       -Verbose, -Debug, -ErrorAction, -ErrorVariable, -WarningAction, -WarningVariable,
       -OutBuffer -OutVariable.

New-ADFineGrainedPasswordPolicy creates a new AD fine grained password policy. You can set commonly used fine grained password policy property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be set by using the -OtherAttributes parameter.

You must set the -Name and -Precedence parameters to create a new fine grained password policy.

The following methods explain different ways to create an object by using this cmdlet.

Method 1: Use New-ADFineGrainedPasswordPolicy, specify the required parameters, and set any additional property values by using the cmdlet parameters.

Method 2: Use a template to create the new object. To do this, create a new fine grained password policy object or retrieve a copy of an existing fine grained password policy object and set the -Instance parameter to this object. The object provided to the -Instance parameter is used as a template for the new object. You can override property values from the template by setting cmdlet parameters.

Method 3: Use Import-CSV with the New-ADFineGrainedPasswordPolicy cmdlet to create multiple AD fine grained password policy objects. To do this, use Import-CSV to create the custom objects from a comma-separated value (CSV) file that contains a list of object properties. Then pass these objects through the pipeline to New-ADFineGrainedPasswordPolicy to create the fine grained password policy objects.

Examples

Create a new Fine Grained Password Policy object named 'DomainUsersPSO' and set the Precedence, ComplexityEnabled, Description, DisplayName, LockoutDuration, LockoutObservationWindw, and LockoutThreshold properties on the object:

PS C:\> New-ADFineGrainedPasswordPolicy -Name "DomainUsersPSO" -Precedence 500 -ComplexityEnabled $true -Description "The Domain Users Password Policy" -DisplayName "Domain Users PSO" -LockoutDuration "0.12:00:00" -LockoutObservationWindow "0.00:15:00" -LockoutThreshold 10

“I never had a policy; I have just tried to do my very best each and every day” ~ Abraham Lincoln

Related:

Get-adFineGrainedPasswordPolicy - Get one or more AD fine-grained password policies.
Remove-adFineGrainedPasswordPolicy - Remove an AD fine-grained password policy.
Set-adFineGrainedPasswordPolicy - Modify an AD fine-grained password policy.


© Copyright SS64.com 1999-2013
Some rights reserved