Get one or more AD fine grained password policies.

      Get-ADFineGrainedPasswordPolicy [-Identity] ADFineGrainedPasswordPolicy
         [-AuthType {Negotiate | Basic}] [-Credential PSCredential]
           [-Properties string[]] [-Server string] [CommonParameters]

      Get-ADFineGrainedPasswordPolicy -Filter string [-ResultPageSize int]
         [-ResultSetSize Int32] [-SearchBase string]
            [-SearchScope {Base | OneLevel | Subtree}] [-AuthType {Negotiate | Basic}]
               [-Credential PSCredential] [-Properties string[]]
                  [-Server string] [CommonParameters]

      Get-ADFineGrainedPasswordPolicy -LDAPFilter string [-ResultPageSize int]
         [-ResultSetSize Int32] [-SearchBase string]
            [-SearchScope {Base | OneLevel | Subtree}] [-AuthType {Negotiate | Basic}]
               [-Credential PSCredential] [-Properties string[]]
                  [-Server string] [CommonParameters]

   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -Credential PSCredential
       A user account that has permission to perform this action.
       The default is the current user unless the cmdlet is run from an AD PowerShell provider drive
       in which case the account associated with the drive is the default.

       "User64" or "Domain01\User64" or a PSCredential object.

   -Filter string
       A query string that retrieves Active Directory objects.
       This string uses the PowerShell Expression Language syntax:

       filter ::= "{" FilterComponentList"}"
       FilterComponentList ::= FilterComponent | FilterComponent JoinOperator FilterComponent | NotOperator FilterComponent
       FilterComponent ::= attr FilterOperator value | "(" FilterComponent")"
       FilterOperator ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike"
       JoinOperator ::= "-and" | "-or"
       NotOperator ::= "-not"
       attr ::= PropertyName | LDAP_Name_of_the_attribute
       value::= <compare this value with an attr by using the specified FilterOperator>

   -Identity ADFineGrainedPasswordPolicy
       Specify an AD fine-grained password policy object by providing one of the following values.
       (The identifier in parentheses is the LDAP provider name for the attribute.)

          Distinguished Name 
            Example: CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=SS64,DC=com 
          GUID (objectGUID) 
            Example: 599c4d2e-f72d-4d20-8a78-030d69495f20
          Security Identifier (objectSid) 
            Example: S-1-5-21-5165297888-301467370-576410423-1803
          Security Accounts Manager (SAM) Account Name (sAMAccountName)
            Example: PasswordPolicyLevel1

       The cmdlet searches the default naming context or partition to find the object.
       If two or more objects are found, the cmdlet returns a non-terminating error.

       This parameter can also get this object through the pipeline or you can set this
       parameter to an object instance.

   -LDAPFilter string
       An LDAP query string that is used to filter AD objects.
       Use this parameter to run existing LDAP queries. 
       See also Help about_ActiveDirectory_Filter.

       For example, to search an OU for names beginning with "sara":
       -LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=demo,DC=SS64,DC=com"

   -Properties string[]
       The properties of the output object to retrieve from the server (comma-separated list).
       Use this parameter to retrieve properties that are not included in the default set.

       To display all of the attributes that are set on the object, specify * (asterisk).

       Specify the property name or, for non-default/extended properties, the LDAP provider name of the attribute.

   -ResultPageSize int
       The number of objects to include in each page for an AD Domain Services query.
       default = 256

   -ResultSetSize Int32
       The maximum number of objects to return for an AD Domain Services query.
       To receive all objects, set this to $null. Ctrl+c will stop the query and return of objects.
       default = $null.

   -SearchBase string
       An Active Directory path to search under.
       -SearchBase "ou=training,dc=demo,dc=ss64,dc=com"

   -SearchScope {Base | OneLevel | Subtree}
       The scope of an AD search.
       Possible values for this parameter are:
       Base or 0        Search only the current path or object.
       OneLevel or 1    Search the immediate children.
       Subtree or 2     Search the current path/object and all children.

   -Server string
       The AD Domain Services instance to connect to. This may be a fully qualified domain name,
       NetBIOS name, fully qualified directory server name (with or without port number) or AD Snapshot instance.

       Examples:  demo

Get-ADFineGrainedPasswordPolicy gets a fine grained password policy or performs a search to retrieve multiple fine grained password policies.

The -Identity parameter specifies the AD fine grained password policy to get. Identify a fine grained password policy by its distinguished name (DN), GUID or name. Alternatively, set the parameter to a fine grained password policy object variable, or pass a policy object through the PowerShell pipeline.

To search for and retrieve more than one fine grained password policy, use the -Filter or -LDAPFilter parameters. The -Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. For more information about the Filter parameter syntax, see help about_ActiveDirectory_Filter. If you have existing LDAP query strings, you can use the -LDAPFilter parameter.

This cmdlet retrieves a default set of fine grained password policy object properties. To retrieve additional properties use the -Properties parameter.


Get the Fine Grained Password Policy named 'SS64':

PS C:\> Get-ADFineGrainedPasswordPolicy SS64

Get all Fine Grained Password Policies and display their name, precedence and password settings:

PS C:\> Get-ADFineGrainedPasswordPolicy -Filter {Name -like "*"} | format-table Name, Precedence,MaxPasswordAge,MinPasswordLength -A

Get all the properties for the Fine Grained Password Policy with DistinguishedName 'CN=DlgtdAdminsPSO,CN=Password Settings Container,CN=System,DC=SS64,DC=com':

PS C:\> Get-ADFineGrainedPasswordPolicy 'CN=DlgtdAdminsPSO,CN=Password Settings Container,CN=System,DC=SS64,DC=com' -Properties *

Get all the Fine Grained Password Policy objects that have a name that begins with admin:

PS C:\> Get-ADFineGrainedPasswordPolicy -Filter {name -like "admin*"}
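Audit every Fine Grained Password Policy against a baseline and list which settings fall short. This is an added example, not part of the original page: the function name Test-PsoBaseline, the baseline values and the sample objects are assumptions made for illustration.

```powershell
# Added example, not SS64 code. Baseline values below are assumptions.
function Test-PsoBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Policy,
        [int] $MinLength  = 14,   # assumed minimum length baseline
        [int] $MinHistory = 24    # assumed password history baseline
    )
    process {
        $issues = @()
        if ($Policy.MinPasswordLength -lt $MinLength) {
            $issues += "MinPasswordLength=$($Policy.MinPasswordLength)"
        }
        if ($Policy.PasswordHistoryCount -lt $MinHistory) {
            $issues += "PasswordHistoryCount=$($Policy.PasswordHistoryCount)"
        }
        if (-not $Policy.ComplexityEnabled)      { $issues += 'ComplexityEnabled=False' }
        if ($Policy.ReversibleEncryptionEnabled) { $issues += 'ReversibleEncryptionEnabled=True' }
        if ($Policy.LockoutThreshold -eq 0)      { $issues += 'LockoutThreshold=0 (accounts never lock out)' }
        if (-not $Policy.AppliesTo)              { $issues += 'AppliesTo is empty (policy is not linked)' }

        [pscustomobject]@{
            Name       = $Policy.Name
            Precedence = $Policy.Precedence
            AppliesTo  = @($Policy.AppliesTo) -join '; '
            Issues     = $issues -join ', '
        }
    }
}

if (Get-Command Get-ADFineGrainedPasswordPolicy -ErrorAction SilentlyContinue) {
    $policies = Get-ADFineGrainedPasswordPolicy -Filter {Name -like "*"}
} else {
    # Constructed sample objects so the check can be run without a domain.
    $policies = @(
        [pscustomobject]@{ Name = 'SamplePSO-Admins'; Precedence = 10; MinPasswordLength = 16
            PasswordHistoryCount = 24; ComplexityEnabled = $true; ReversibleEncryptionEnabled = $false
            LockoutThreshold = 5; AppliesTo = @('CN=SampleAdmins,OU=Groups,DC=example,DC=com') }
        [pscustomobject]@{ Name = 'SamplePSO-Service'; Precedence = 20; MinPasswordLength = 8
            PasswordHistoryCount = 0; ComplexityEnabled = $false; ReversibleEncryptionEnabled = $true
            LockoutThreshold = 0; AppliesTo = @() }
    )
}

# Lower Precedence values win when more than one policy applies to a user.
$policies | Sort-Object Precedence | Test-PsoBaseline | Format-List
```

A policy with an empty Issues field meets the assumed baseline; the AppliesTo column shows which users or groups each policy is linked to.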

“One of the most wonderful things in nature is a glance of the eye; it transcends speech; it is the bodily symbol of identity” ~ Ralph Waldo Emerson

Related PowerShell Cmdlets

Set-ADFineGrainedPasswordPolicy - Modify an AD fine-grained password policy.
