Set-ADFineGrainedPasswordPolicy

Modify an AD fine-grained password policy.

Syntax
      Set-ADFineGrainedPasswordPolicy [-Identity] ADFineGrainedPasswordPolicy 
         [-Add hashtable] [-Clear string[]] [-ComplexityEnabled bool]
            [-Description string] [-DisplayName string] [-LockoutDuration TimeSpan]
               [-LockoutObservationWindow TimeSpan] [-LockoutThreshold int]
                  [-MaxPasswordAge TimeSpan] [-MinPasswordAge TimeSpan]
                     [-MinPasswordLength int] [-PasswordHistoryCount int]
                        [-Precedence int] [-ProtectedFromAccidentalDeletion bool]
                           [-Remove hashtable] [-Replace hashtable]
                              [-ReversibleEncryptionEnabled bool]
                                 [-AuthType {Negotiate | Basic}]
                                    [-Credential PSCredential] [-PassThru] [-Server string]
                                       [-Confirm] [-WhatIf] [CommonParameters]

      Set-ADFineGrainedPasswordPolicy -Instance ADFineGrainedPasswordPolicy 
         [-AuthType {Negotiate | Basic}] [-Credential PSCredential]
            [-PassThru] [-Server string] [-Confirm] [-WhatIf] [CommonParameters]

Key
   -Add hashtable
       Specify values to add to an object property.
       Use this parameter to add one or more values to a property that cannot be modified
       using a cmdlet parameter. To modify an object property, you must use the LDAP display name.
       Specify multiple values to a property by specifying a comma-separated list of values
       and more than one property by separating them using a semicolon.
       The format for this parameter is 

          -Add @{Attribute1LDAPDisplayName=value1, value2, ...;
                 Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...}

        For example, to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333
        " to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Pho
        ne-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows.

          -Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='
        555-222-2222'}

        When you use the -Add, -Remove, -Replace and -Clear parameters together, the operations will be
        performed in the order: Remove, then Add, then Replace, then clear.

   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -Clear string[]
       An array of object properties that will be cleared in the directory.
       Use this parameter to clear one or more values of a property that cannot be modified
       using a cmdlet parameter. To modify an object property, you must use the LDAP display name.
       Modify more than one property by specifying a comma-separated list.
       The format for this parameter is
          -Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName

       For example, to clear the value for the Phone-Office-Other attribute
       (LDAP display name 'otherTelephone') set the Clear parameter as follows.

          -Clear otherTelephone

   -ComplexityEnabled <System.Nullable[bool]>
       Whether password complexity is enabled for the password policy.
       If enabled, the password must contain two of the following three character types: 
          Uppercase characters (A, B, C, D, E, ...)
          Lowercase characters (a, b, c, d, e, ...)
          Numerals (0, 1, 2, 3, ...)

       Values: $false or 0, $true or 1

   -Credential PSCredential
       A user account that has permission to perform this action.
       The default is the current user unless the cmdlet is run from an AD PowerShell provider drive
       in which case the account associated with the drive is the default.

       "User64" or "Domain01\User64" or a PSCredential object.

   -Description string
       A description of the object.
       The LDAP Display Name for this property is "description".

   -DisplayName string
       The display name of the object.
       The LDAP Display Name for this property is "displayName".

   -Identity ADFineGrainedPasswordPolicy
       Specify an AD fine-grained password policy object by providing one of the following values.
       (The identifier in parentheses is the LDAP display name for the attribute.)

          Distinguished Name 
            Example: CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=SS64,DC=com 
          GUID (objectGUID) 
            Example: 599c4d2e-f72d-4d20-8a78-030d69495f20
          Security Identifier (objectSid) 
            Example: S-1-5-21-5165297888-301467370-576410423-1803
          Security Accounts Manager (SAM) Account Name (sAMAccountName)
            Example: PasswordPolicyLevel1

       The cmdlet searches the default naming context or partition to find the object.
       If two or more objects are found, the cmdlet returns a non-terminating error.

       This parameter can also get this object through the pipeline or you can set this
       parameter to an object instance.

   -Instance ADFineGrainedPasswordPolicy
       An instance of a fine-grained password policy object to use to update the actual AD
       fine-grained password policy object.

       When this parameter is used, any modifications made to the modified copy 
       of the object are also made to the corresponding Active Directory object.
       The cmdlet only updates the object properties that have changed.

       The Instance parameter can only update fine-grained password policy objects that have
       been retrieved by using Get-ADFineGrainedPasswordPolicy.
       When you specify the Instance parameter, you cannot specify other parameters that
       set properties on the object.

       The following is an example of how to use Get-ADFineGrainedPasswordPolicy to
       retrieve, modify and save an instance of the ADFineGrainedPasswordPolicy object.

       Step 1: Retrieve a local instance of the object.
            $fgPwPolicyInstance = Get-ADFineGrainedPasswordPolicy  -Identity PasswordPolicyLevel2

       Step 2: Modify one or more properties of the object instance.
            $fgPwPolicyInstance.Precedence = 250

       Step3: Save the changes
            Set-ADFineGrainedPasswordPolicy -Instance $fgPwPolicyInstance

   -LockoutDuration TimeSpan
       The length of time that an account is locked after the number of failed login attempts
       exceeds the lockout threshold. You cannot login to an account that is locked until the
       lockout duration time period has expired.
       The LDAP display name for lockoutDuration is "msDS-LockoutDuration".

       The lockout duration must be greater than or equal to the lockout observation time
       for a password policy. Use the LockOutObservationWindow parameter to set the lockout observation time. 

       Time interval format:
            [-]D.H:M:S.F
       where:
              D = Days (0 to 10675199)
              H = Hours (0 to 23)
              M = Minutes (0 to 59)
              S = Seconds (0 to 59)
              F= Fractions of a second (0 to 9999999)

       Examples:
          Set the time to 2 days
            -LockoutDuration "2"
          Set the time to 4 hours
            -LockoutDuration "4:00"
          Set the time to 5 minutes
            -LockoutDuration "0:5"
          Set the time to 45 seconds
            LockoutDuration "0:0:45"

   -LockoutObservationWindow TimeSpan
       The maximum time interval between two unsuccessful login attempts before the number
       of unsuccessful login attempts is reset to 0.
       An account is locked when the number of unsuccessful login attempts exceeds the password
       policy lockout threshold.
       The LDAP Display Name of this property is "msDS-lockoutObservationWindow".

       The lockout observation window must be smaller than or equal to the lockout duration for a
       password policy. Use the LockoutDuration parameter to set the lockout duration time.

       Time interval format:
           [-]D.H:M:S.F
       where:
              D = Days (0 to 10675199)
              H = Hours (0 to 23)
              M = Minutes (0 to 59)
              S = Seconds (0 to 59)
              F= Fractions of a second (0 to 9999999)

       Note: Time values must be between the following values: 0:0:0:0.0 and 10675199:02:48:05.4775807.

       Examples:
          Set the time to 2 days
            -LockoutObservationWindow "2"
          Set the time to 4 hours
            -LockoutObservationWindow "4:00"
          Set the time to 5 minutes
            -LockoutObservationWindow "0:5"
          Set the time to 45 seconds
            -LockoutObservationWindow "0:0:45"

    -LockoutThreshold int
       The number of unsuccessful login attempts that are permitted before an
       account is locked out. This number increases when the time between
       unsuccessful login attempts is less than the time specified for the
       lockout observation time window.

    -MaxPasswordAge TimeSpan
       The maximum length of time that you can have the same password.
       After this time period, the password expires and you must create a new one. 
        
       The LDAP Display Name for this property is "maxPwdAge".

       Time interval format:
           [-]D.H:M:S.F
       where:
              [-] = Specifies a negative time interval
              D = Days (0 to 10675199)
              H = Hours (0 to 23)
              M = Minutes (0 to 59)
              S = Seconds (0 to 59)
              F= Fractions of a second (0 to 9999999)
        
       Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807

       Examples:
          Set the time span to 2 days
            MaxPasswordAge "2"
          Set the time span to the previous 2 days
            MaxPasswordAge "-2"
          Set the time span to 4 hours
            MaxPasswordAge "4:00"
          Set the time span to 5 minutes
            MaxPasswordAge "0:5"
          Set the time span to 45 seconds
            MaxPasswordAge "0:0:45"
        
   -MinPasswordAge TimeSpan
       The minimum length of time before you can change a password.
       The LDAP Display Name for this property is "minPwdAge".

       Time interval format:
           [-]D.H:M:S.F
       where:
              [-] = Specifies a negative time interval
              D = Days (0 to 10675199)
              H = Hours (0 to 23)
              M = Minutes (0 to 59)
              S = Seconds (0 to 59)
              F= Fractions of a second (0 to 9999999)
        
       Note: Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807.

       Examples
          Set the time span to 2 days
            -MinPasswordAge "2"
          Set the time span to 4 hours
            -MinPasswordAge "4:00"
          Set the time span to 5 minutes
            -MinPasswordAge "0:5"
          Set the time span to 45 seconds
            -MinPasswordAge "0:0:45"

   -MinPasswordLength int
       The minimum number of characters that a password must contain.

   -PassThru
       Returns the new or modified object.
       By default (i.e. if -PassThru is not specified), this cmdlet does not 
       generate any output.

   -PasswordHistoryCount int
       The number of previous passwords to save.
       A user cannot reuse a password in the list of saved passwords.
       This parameter sets the PasswordHistoryCount property for a password policy. 

   -Precedence int
       A value that defines the precedence of a fine-grained password policy among
       all fine-grained password  policies. 
       The LDAP display name for this property is "msDS-PasswordSettingsPrecedence".

       This value determines which password policy to use when more than one password policy
       applies to a user or group. When there is a conflict, the password policy that has
       the lower Precedence property value has higher priority.
        
       Typically, password policy precedence values are assigned in multiples of 10 or 100, 
       making it easier to add policies at a later time.

       If the specified Precedence parameter is already assigned to another password policy object,
       the cmdlet returns a terminating error.

   -ProtectedFromAccidentalDeletion bool
       Whether to prevent the object from being deleted.
       When this property is set to true, you cannot delete the corresponding object without
       first changing the value of this property.
       Possible values: $false or 0, $true or 1

   -Remove hashtable
       Remove values of an object property.
       Use this parameter to remove one or more values of a property that cannot be modified
       using a cmdlet parameter. To remove an object property, you must use the LDAP display name.
       You can remove more than one property by specifying a semicolon-separated list.
       The format for this parameter is 
          -Remove @{Attribute1LDAPDisplayName=value[];   Attribute2LDAPDisplayName=value[]}
        
       For example, to add the values blue and green and remove the value pink from a property with a LDAP
       display name of FavColors, set the Add and Remove parameters as follows.
          -Add @{FavColors=Blue,Green} -Remove {FavColors=Pink}
        
   -Replace hashtable
       Specify values for an object property that will replace the current values.
       Use this parameter to replace one or more values of a property that cannot be modified
       using a cmdlet parameter. To modify an object property, you must use the LDAP display name.
       You can modify more than one property by specifying a comma-separated list. 
       The format for this parameter is 
          -Replace @{Attribute1LDAPDisplayName=value[],   Attribute2LDAPDisplayName=value[]}

   -ReversibleEncryptionEnabled bool
       Whether the directory must store passwords using reversible encryption.
       Possible values: $false or 0, $true or 1 

   -Server string
       The AD Domain Services instance to connect to, this may be a Fully qualified domain name,
       NetBIOS name, Fully qualified directory server name (with or without port number) or AD Snapshot instance.

       Examples: demo.SS64.com  demo  demoDC02.demo.ss64.com  demoDC02.demo.ss64.com:3268

   -Confirm
       Prompt for confirmation before executing the command.

   -WhatIf
       Describe what would happen if you executed the command, without actually executing the command.

   CommonParameters:
       -Verbose, -Debug, -ErrorAction, -ErrorVariable, -WarningAction, -WarningVariable,
       -OutBuffer -OutVariable.

Set-ADFineGrainedPasswordPolicy modifies the properties of an AD fine grained password policy. You can modify commonly used property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the -Add, -Replace, -Clear and -Remove parameters.

The -Identity parameter specifies the AD fine grained password policy to modify. Identify a fine grained password policy by its distinguished name (DN), GUID or name. Alternatively set the -Identity parameter to an object variable or through the pipeline. For example, with Get-adFineGrainedPasswordPolicy

The -Instance parameter provides a way to update a fine grained password policy object by applying the changes made to a copy of the object. When a copy of an AD fine grained password policy object has been modified, Set-ADFineGrainedPasswordPolicy may be used to save the changes back to the original object. To get a copy of the object to modify, use Get-adFineGrainedPasswordPolicy.

The -Identity parameter is not allowed when you use the -Instance parameter. For more information see help about_ActiveDirectory_Instance

Examples

Set the MinPasswordLength property on the FineGrainedPasswordPolicy object with DistinguishedName CN=MyPolicy,CN=Password Settings Container,CN=System,DC=ss64,DC=com.:

PS C:\> Set-ADFineGrainedPasswordPolicy 'CN=MyPolicy,CN=Password Settings Container,CN=System,DC=ss64,DC=com' -MinPasswordLength 12

Update multiple properties on the FineGrainedPasswordPolicy object with name 'MyPolicy':

PS C:\> Set-ADFineGrainedPasswordPolicy MyPolicy -Precedence 100 -LockoutDuration 00:40:00 -LockoutObservationWindow 00:20:00 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -MinPasswordLength 12

Modify the Precedence property for the Level3Policy fine grained password policy by using the PowerShell command line to modify a local instance of the Level3Policyfine grained password policy. Then set the Instance parameter to the local instance.

PS C:\> $FGPwPolicy = Get-ADFineGrainedPasswordPolicy Level3Policy
PS C:\> $FGPwPolicy.Precedence = 150
PS C:\> Set-ADFineGrainedPasswordPolicy -Instance $FGPwPolicy

“I changed all my passwords to 'incorrect'. So my computer just tells me when I forget” ~ Unknown

Related:

Get-adFineGrainedPasswordPolicy - Get one or more AD fine-grained password policies.
New-adFineGrainedPasswordPolicy - Create a new AD fine-grained policy
Remove-adFineGrainedPasswordPolicy - Remove an AD fine-grained password policy


© Copyright SS64.com 1999-2013
Some rights reserved