Apply a fine-grained password policy to one more users and groups.

      Add-ADFineGrainedPasswordPolicySubject [-Identity] ADFineGrainedPasswordPolicy
         [-Subjects] ADPrincipal[] [-AuthType {Negotiate | Basic}]
            [-Credential PSCredential] [-Partition string] [-PassThru]
               [-Server string] [-Confirm] [-WhatIf] [CommonParameters]

   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -Credential PSCredential
       A user account that has permission to perform this action.
       The default is the current user unless the cmdlet is run from an AD PowerShell provider drive
       in which case the account associated with the drive is the default.

       "User64" or "Domain01\User64" or a PSCredential object.

   -Identity ADFineGrainedPasswordPolicy
       Specify an AD fine-grained password policy object by providing one of the following values.
       (The identifier in parentheses is the LDAP provider name for the attribute.)

          Distinguished Name 
            Example: CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=SS64,DC=com 
          GUID (objectGUID) 
            Example: 599c4d2e-f72d-4d20-8a78-030d69495f20
          Security Identifier (objectSid) 
            Example: S-1-5-21-5165297888-301467370-576410423-1803
          Security Accounts Manager (SAM) Account Name (sAMAccountName)
            Example: PasswordPolicyLevel1

       The cmdlet searches the default naming context or partition to find the object.
       If two or more objects are found, the cmdlet returns a non-terminating error.

       This parameter can also get this object through the pipeline or you can set this
       parameter to an object instance.

   -Partition string
       The distinguished name of an AD partition.
       The distinguished name must be one of the naming contexts on the current
       directory server. The cmdlet searches this partition to find the object defined by
       the -Identity parameter. 
       The following two examples show how to specify a value for this parameter.
          -Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=SS64,DC=COM"
          -Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=SS64,DC=COM"

       In many cases, a default value will be used for -Partition if no value is specified.

       Returns the new or modified object.
       By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output.

   -Server string
       The AD Domain Services instance to connect to, this may be a Fully qualified domain name,
       NetBIOS name, Fully qualified directory server name (with or without port number) or AD Snapshot instance.

       Examples:  demo

   -Subjects ADPrincipal[]
       One or more users or groups by providing one of the following property values.
       To specify more than one user or group, use a comma-separated list.
          Distinguished Name (DN)
            Example: CN=MikeHsu,CN=Users,DC=corp,DC=SS64,DC=com
          GUID (objectGUID)
            Example: 592c3d2e-f64d-4d20-8a88-034d99485f20
          Security Identifier (objectSid)
            Example: S-1-5-21-3165297868-301267370-276410423-1103
          SAM Account Name (sAMAccountName)
            Example: MikeHsu

        The identifier in (parentheses) is the LDAP provider name.
        You can also provide objects to this parameter directly.

Get- ADFineGrainedPasswordPolicySubject gets the users and groups that are subject to a Fine-Grained Password Policy.

The -Identity parameter specifies the Fine Grained Password Policy. Identify a Fine-Grained Password Policyby its distinguished name, GUID or name. The -Identity parameter may also be set to a Fine Grained Password Policy object variable, or passed through the pipeline using for example Get-ADFineGrainedPasswordPolicy.


Apply the Fine-Grained Password Policy 'SS64PasswordSettings' to a Global Security Group 'Domain Users':

PS C:\> Add-ADFineGrainedPasswordPolicySubject SS64PasswordSettings -Subjects 'Domain Users'

Apply the Fine-Grained Password Policy 'SS64PasswordSettings' to two users, with SamAccountNames xiaoping,MikeHsu:

PS C:\> Add-ADFineGrainedPasswordPolicySubject SS64PasswordSettings -Subjects xiaoping,MikeHsu

Apply the Fine-Grained Password Policy 'SS64PasswordSettings' to the group SS64Group:

PS C:\> Add-ADFineGrainedPasswordPolicySubject SS64PasswordSettings -Subjects SS64Group

Apply the Fine-Grained Password Policy 'SS64PasswordSettings' to any user whose last name is Hsu:

PS C:\> Get-ADGroup -Filter {lastname -eq "Hsu"} | Add-ADFineGrainedPasswordPolicySubject SS64PasswordSettings

“Nothing can add more power to your life than concentrating all your energies on a limited set of targets” ~ Nido Qubein

Related PowerShell Cmdlets

Remove-adFineGrainedPasswordPolicySubject - Remove one or more users from a fine-grained policy.
- Get the users and groups to which a fine-grained policy is applied.

Copyright © 1999-2023
Some rights reserved