Set-ADDefaultDomainPasswordPolicy

Modify the default password policy for an Active Directory domain.

Syntax
      Set-ADDefaultDomainPasswordPolicy [-Identity] ADDefaultDomainPasswordPolicy
         [-AuthType {Negotiate | Basic}] [-ComplexityEnabled bool]
            [-Credential PSCredential] [-LockoutDuration TimeSpan]
               [-LockoutObservationWindow TimeSpan] [-LockoutThreshold int]
                  [-MaxPasswordAge TimeSpan] [-MinPasswordAge TimeSpan]
                     [-MinPasswordLength int] [-PassThru] [-PasswordHistoryCount int]
                        [-ReversibleEncryptionEnabled bool] [-Server string]
                           [-Confirm] [-WhatIf] [CommonParameters]

Key
   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -ComplexityEnabled bool
       Is password complexity enabled for this password policy?
       If enabled, the password must contain two of the following character types:
          Uppercase characters (A, B, C...)
          Lowercase characters (a, b, c...)
          Numerals (0,1,2,3,...)

       This parameter sets the ComplexityEnabled property of a password policy.

       values:
          $false or 0 - Password complexity disabled
          $true or 1  - Password complexity enabled

   -Credential PSCredential
       A user account that has permission to perform this action.
       The default is the current user unless the cmdlet is run from an AD PowerShell provider drive
       in which case the account associated with the drive is the default.

       "User64" or "Domain01\User64" or a PSCredential object.

   -Identity ADDefaultDomainPasswordPolicy
       Specify an AD domain object by providing one of the following values.
       (The identifier in parentheses is the LDAP display name for the attribute.)

          Distinguished Name 
            Example: DC=Helvetia,DC=corp,DC=SS64,DC=com 
          GUID (objectGUID) 
            Example: 599c4d2e-f72d-4d20-8a78-030d69495f20
          Security Identifier (objectSid) 
            Example: S-1-5-21-5165297888-301467370-576410423-1803
          Security Accounts Manager (SAM) Account Name (sAMAccountName)
            Example: Helvetia

       The cmdlet searches the default naming context or partition to find the object.
       If two or more objects are found, the cmdlet returns a non-terminating error.

       This parameter can also get this object through the pipeline or you can set this
       parameter to an object instance.

   -LockoutDuration TimeSpan
       The length of time that an account is locked after the number of failed login attempts
       exceeds the lockout threshold. You cannot login to an account that is locked until the
       lockout duration time period has expired.
       The LDAP display name for lockoutDuration is "msDS-LockoutDuration".

       The lockout duration must be greater than or equal to the lockout observation time
       for a password policy. Use the LockOutObservationWindow parameter to set the lockout observation time. 

       Time interval format:
            [-]D.H:M:S.F
       where:
              D = Days (0 to 10675199)
              H = Hours (0 to 23)
              M = Minutes (0 to 59)
              S = Seconds (0 to 59)
              F= Fractions of a second (0 to 9999999)

       Examples:
          Set the time to 2 days
            -LockoutDuration "2"
          Set the time to 4 hours
            -LockoutDuration "4:00"
          Set the time to 5 minutes
            -LockoutDuration "0:5"
          Set the time to 45 seconds
            -LockoutDuration "0:0:45"

   -LockoutObservationWindow TimeSpan
       The maximum time interval between two unsuccessful login attempts before the number
       of unsuccessful login attempts is reset to 0.
       An account is locked when the number of unsuccessful login attempts exceeds the password
       policy lockout threshold.
       The LDAP Display Name of this property is "msDS-lockoutObservationWindow".

       The lockout observation window must be smaller than or equal to the lockout duration for a
       password policy. Use the LockoutDuration parameter to set the lockout duration time.

       Time interval format:
           [-]D.H:M:S.F
       where:
              D = Days (0 to 10675199)
              H = Hours (0 to 23)
              M = Minutes (0 to 59)
              S = Seconds (0 to 59)
              F= Fractions of a second (0 to 9999999)

       Note: Time values must be between the following values: 0:0:0:0.0 and 10675199:02:48:05.4775807.

       Examples:
          Set the time to 2 days
            -LockoutObservationWindow "2"
          Set the time to 4 hours
            -LockoutObservationWindow "4:00"
          Set the time to 5 minutes
            -LockoutObservationWindow "0:5"
          Set the time to 45 seconds
            -LockoutObservationWindow "0:0:45"

   -LockoutThreshold int
       The number of unsuccessful login attempts that are permitted before an
       account is locked out. This number increases when the time between
       unsuccessful login attempts is less than the time specified for the
       lockout observation time window.

   -MaxPasswordAge TimeSpan
       The maximum length of time that you can have the same password.
       After this time period, the password expires and you must create a new one.

       The LDAP Display Name for this property is "maxPwdAge".

       Time interval format:
           [-]D.H:M:S.F
       where:
              [-] = Specifies a negative time interval
              D = Days (0 to 10675199)
              H = Hours (0 to 23)
              M = Minutes (0 to 59)
              S = Seconds (0 to 59)
              F= Fractions of a second (0 to 9999999)

       Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807

       Examples:
          Set the time span to 2 days
            -MaxPasswordAge "2"
          Set the time span to the previous 2 days
            -MaxPasswordAge "-2"
          Set the time span to 4 hours
            -MaxPasswordAge "4:00"
          Set the time span to 5 minutes
            -MaxPasswordAge "0:5"
          Set the time span to 45 seconds
            -MaxPasswordAge "0:0:45"

   -MinPasswordAge TimeSpan
       The minimum length of time before you can change a password.
       The LDAP Display Name for this property is "minPwdAge".

       Time interval format:
           [-]D.H:M:S.F
       where:
              [-] = Specifies a negative time interval
              D = Days (0 to 10675199)
              H = Hours (0 to 23)
              M = Minutes (0 to 59)
              S = Seconds (0 to 59)
              F= Fractions of a second (0 to 9999999)

       Note: Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807.

       Examples
          Set the time span to 2 days
            -MinPasswordAge "2"
          Set the time span to 4 hours
            -MinPasswordAge "4:00"
          Set the time span to 5 minutes
            -MinPasswordAge "0:5"
          Set the time span to 45 seconds
            -MinPasswordAge "0:0:45"

   -MinPasswordLength int
       The minimum number of characters that a password must contain.

   -PassThru
       Returns the new or modified object.
       By default (i.e. if -PassThru is not specified), this cmdlet does not 
       generate any output.

   -PasswordHistoryCount int
       The number of previous passwords to save.
       A user cannot reuse a password in the list of saved passwords.
       This parameter sets the PasswordHistoryCount property for a password policy. 

   -ReversibleEncryptionEnabled bool
       Whether the directory must store passwords using reversible encryption.
       This parameter sets the ReversibleEncryption property for a password policy.
       Values:
          $false or 0 - Reversible encryption disabled
          $true or 1  - Reversible encryption enabled

   -Server string
       The AD Domain Services instance to connect to, this may be a Fully qualified domain name,
       NetBIOS name, Fully qualified directory server name (with or without port number) or
       AD Snapshot instance.

       Examples:
          demo.SS64.com
          demo
          demoDC02.demo.ss64.com
          demoDC02.demo.ss64.com:3268

   -Confirm
       Prompt for confirmation before executing the command.

   -WhatIf
       Describe what would happen if you executed the command, without actually executing the command.

   CommonParameters:
       -Verbose, -Debug, -ErrorAction, -ErrorVariable, -WarningAction, -WarningVariable,
       -OutBuffer -OutVariable.

Set-ADDefaultDomainPasswordPolicy modifies the properties of the default password policy for a domain. The -Identity parameter specifies the domain whose default password policy is to be modified.

Examples

Set the default domain password policy for a given domain. Note: setting MaxPasswordAge to 0 will convert it to 'never' (Int64.MinValue or -9223372036854775808 in the directory):

PS C:\> Set-ADDefaultDomainPasswordPolicy -Identity SS64.com -LockoutDuration 00:40:00 -LockoutObservationWindow 00:20:00 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -MaxPasswordAge 10.00:00:00

Set the default domain password policy for the current logged on user domain:

PS C:\> Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser | Set-ADDefaultDomainPasswordPolicy -LockoutDuration 00:40:00 -LockoutObservationWindow 00:20:00 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -MinPasswordLength 12
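A longer worked example, added here and not part of the original page: compare the current default domain password policy against a baseline, check the LockoutDuration/LockoutObservationWindow relationship the cmdlet enforces, and apply only the settings that drift. The baseline values are illustrative assumptions, not recommendations from SS64 or Microsoft.

```powershell
# Added example (not from the SS64 page). Audit the default domain password policy
# against a baseline and correct only the properties that differ, dry run first.
Import-Module ActiveDirectory

# Illustrative baseline; adjust to your own standard.
$Baseline = @{
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 10
    LockoutObservationWindow    = [TimeSpan]'0:15'   # 15 minutes in the D.H:M:S.F shorthand
    LockoutDuration             = [TimeSpan]'0:30'   # 30 minutes; must be >= observation window
    MinPasswordAge              = [TimeSpan]'1'      # 1 day
    MaxPasswordAge              = [TimeSpan]'90'     # 90 days
}

# The cmdlet rejects a lockout duration shorter than the observation window; check it up front.
if ($Baseline.LockoutDuration -lt $Baseline.LockoutObservationWindow) {
    throw 'LockoutDuration must be greater than or equal to LockoutObservationWindow.'
}

# Current policy for the logged-on user's domain.
$Policy = Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser

# Collect only the properties that differ from the baseline into a splat.
$Drift = @{}
foreach ($Name in $Baseline.Keys) {
    if ($Policy.$Name -ne $Baseline[$Name]) {
        Write-Warning ('{0}: current={1} baseline={2}' -f $Name, $Policy.$Name, $Baseline[$Name])
        $Drift[$Name] = $Baseline[$Name]
    }
}

if ($Drift.Count -eq 0) {
    Write-Host 'Default domain password policy matches the baseline.'
} else {
    # Dry run: shows what would change without touching the directory.
    $Policy | Set-ADDefaultDomainPasswordPolicy @Drift -WhatIf
    # To apply, drop -WhatIf; -PassThru returns the modified policy object for logging:
    # $Policy | Set-ADDefaultDomainPasswordPolicy @Drift -PassThru
}
```

A MaxPasswordAge of 'never' is reported as 00:00:00, so it will always show as drift against a non-zero baseline.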

“All progress is based upon a universal innate desire on the part of every organism to live beyond its income” ~ Samuel Butler

Related:

Get-ADDefaultDomainPasswordPolicy - Get the default password policy for an Active Directory domain.


© Copyright SS64.com 1999-2013
Some rights reserved