Create a new AD fine-grained policy.
Syntax
New-ADFineGrainedPasswordPolicy [-Name] string [-Precedence int]
[-AuthType {Negotiate | Basic}] [-ComplexityEnabled bool]
[-Credential PSCredential] [-Description string]
[-DisplayName string] [-Instance ADFineGrainedPasswordPolicy]
[-LockoutDuration TimeSpan] [-Lockout ObservationWindow TimeSpan]
[-LockoutThreshold int] [-MaxPasswordAge TimeSpan]
[-MinPasswordAge TimeSpan] [-MinPasswordLength int]
[-OtherAttributes hashtable] [-PassThru] [-PasswordHistoryCount int]
[-ProtectedFromAccidentalDeletion bool]
[-ReversibleEncryptionEnabled bool] [-Server string]
[-Confirm] [-WhatIf] [CommonParameters]
Key
-AuthType {Negotiate | Basic}
The authentication method to use: Negotiate (or 0), Basic (or 1)
A Secure Sockets Layer (SSL) connection is required for Basic authentication.
-ComplexityEnabled <System.Nullable[bool]>
Whether password complexity is enabled for the password policy.
If enabled, the password must contain two of the following three character types:
Uppercase characters (A, B, C, D, E, ...)
Lowercase characters (a, b, c, d, e, ...)
Numerals (0, 1, 2, 3, ...)
Values: $false or 0, $true or 1
-Credential PSCredential
A user account that has permission to perform this action.
The default is the current user unless the cmdlet is run from an AD PowerShell provider drive
in which case the account associated with the drive is the default.
"User64" or "Domain01\User64" or a PSCredential object.
-Description string
A description of the object.
The LDAP Display Name for this property is "description".
-DisplayName string
The display name of the object.
The LDAP Display Name for this property is "displayName".
-Instance ADFineGrainedPasswordPolicy
An instance of a fine-grained password policy object to use as a template for a new AD
fine-grained password policy object.
Method 1: Use an existing fine-grained password policy object as a template for a new object. Retrieve an
instance of an existing computer object with Get-ADFineGrainedPasswordPolicy. Then provide this object
to the -Instance parameter of New-ADFineGrainedPasswordPolicy to create a new object.
property values may also be overridden for the new object by setting the appropriate parameters.
$FGpwPolicyInstance = Get-ADFineGrainedPasswordPolicy -Identity PasswordPolicy90
New-ADFineGrainedPasswordPolicy -Name "PasswordPolicy180" -Instance $FGpwPolicyInstance -Precedence 600 -MaxPasswordAge "180"
Method 2: Create a new ADFineGrainedPasswordPolicy object and pass this object to the -Instance parameter
of New-ADFineGrainedPasswordPolicy to create the new Policy object.
$FGpwPolicyInstance = new-object Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy
$FGpwPolicyInstance.MaxPasswordAge = "180"
New-ADFineGrainedPasswordPolicy -Name "PasswordPolicy180" -Instance $FGpwPolicyInstance
-LockoutDuration TimeSpan
The length of time that an account is locked after the number of failed login attempts
exceeds the lockout threshold. You cannot login to an account that is locked until the
lockout duration time period has expired.
The LDAP provider name for lockoutDuration is "msDS-LockoutDuration".
The lockout duration must be greater than or equal to the lockout observation time
for a password policy. Use the LockOutObservationWindow parameter to set the lockout observation time.
Time interval format: see below
-LockoutObservationWindow TimeSpan
The maximum time interval between two unsuccessful login attempts before the number
of unsuccessful login attempts is reset to 0.
An account is locked when the number of unsuccessful login attempts exceeds the password
policy lockout threshold.
The LDAP provider Name of this property is "msDS-lockoutObservationWindow".
The lockout observation window must be smaller than or equal to the lockout duration for a
password policy. Use the LockoutDuration parameter to set the lockout duration time.
Time interval format: see below
-LockoutThreshold int
The number of unsuccessful login attempts that are permitted before an
account is locked out. This number increases when the time between
unsuccessful login attempts is less than the time specified for the
lockout observation time window.
-MaxPasswordAge TimeSpan
The maximum length of time that you can have the same password.
After this time period, the password expires and you must create a new one.
The LDAP provider Name for this property is "maxPwdAge".
Time interval format: see below
-MinPasswordAge TimeSpan
The minimum length of time before you can change a password.
The LDAP provider Name for this property is "minPwdAge".
Time interval format: see below
-MinPasswordLength int
The minimum number of characters that a password must contain.
-Name string
The name of the object.
The LDAP provider Name of this property is "name".
-OtherAttributes hashtable
Specifies object attribute values for attributes that are not represented by cmdlet parameters.
Syntax:
To specify a single value:
-OtherAttributes @{'AttributeLDAPName'=value}
To specify multiple values
-OtherAttributes @{'AttributeLDAPName'=value1,value2,...}
e.g.:
-OtherAttributes @{'ItemPrice'=123; 'favColors'="red","blue"}
-PassThru
Returns the new or modified object.
By default (i.e. if -PassThru is not specified), this cmdlet does not
generate any output.
-PasswordHistoryCount int
The number of previous passwords to save.
A user cannot reuse a password in the list of saved passwords.
This parameter sets the PasswordHistoryCount property for a password policy.
-Precedence int
A value that defines the precedence of a fine-grained password policy among
all fine-grained password policies.
The LDAP provider name for this property is "msDS-PasswordSettingsPrecedence".
This value determines which password policy to use when more than one password policy
applies to a user or group. When there is a conflict, the password policy that has
the lower Precedence property value has higher priority.
Typically, password policy precedence values are assigned in multiples of 10 or 100,
making it easier to add policies at a later time.
If the specified Precedence parameter is already assigned to another password policy object,
the cmdlet returns a terminating error.
-ProtectedFromAccidentalDeletion bool
Whether to prevent the object from being deleted.
When this property is set to true, you cannot delete the corresponding object without
first changing the value of this property.
Possible values: $false or 0, $true or 1
-ReversibleEncryptionEnabled bool
Whether the directory must store passwords using reversible encryption.
Possible values: $false or 0, $true or 1
-Server string
The AD Domain Services instance to connect to, this may be a Fully qualified domain name,
NetBIOS name, Fully qualified directory server name (with or without port number) or AD Snapshot instance.
Examples: demo.SS64.com demo demoDC02.demo.ss64.com demoDC02.demo.ss64.com:3268
-Confirm
Prompt for confirmation before executing the command.
-WhatIf
Describe what would happen if you executed the command, without actually executing the command.
Time Interval format:
[-]D.H:M:S.F
where:
[-] = Specifies a negative time interval
D = Days (0 to 10675199)
H = Hours (0 to 23)
M = Minutes (0 to 59)
S = Seconds (0 to 59)
F= Fractions of a second (0 to 9999999) aka 'Ticks'
and the accepted inputs are:
D.H:M:S.F = Days.Hours:Minutes:seconds.milliseconds.
D.H:M:S = Days.Hours:Minutes:seconds
D = Days [this only works if the value is a string]
H:M:S = Hours:Minutes:seconds
F = Milliseconds. [Integer value]
Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807
which is roughly +/- 29,000 years
Examples:
Set the time span to 2 days
MaxPasswordAge "2"
Set the time span to the previous 2 days
MaxPasswordAge "-2"
Set the time span to 4 hours
MaxPasswordAge "4:00"
Set the time span to 5 minutes
MaxPasswordAge "0:5"
Set the time span to 45 seconds
MaxPasswordAge "0:0:45"
New-ADFineGrainedPasswordPolicy creates a new AD fine grained password policy. You can set commonly used fine grained password policy property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be set by using the -OtherAttributes parameter.
You must set the -Name and -Precedence parameters to create a new fine grained password policy.
The following methods explain different ways to create an object by using this cmdlet.
Method 1: Use New-ADFineGrainedPasswordPolicy, specify the required parameters, and set any additional property values by using the cmdlet parameters.
Method 2: Use a template to create the new object. To do this, create a new fine grained password policy object or
retrieve a copy of an existing fine grained password policy object and set the -Instance parameter to this object. The object provided to the -Instance parameter is used as a template for the new object. You can override property values from the template by setting cmdlet parameters.
Method 3: Use Import-CSV with the New-ADFineGrainedPasswordPolicy cmdlet to create multiple AD fine grained password policy objects. To do this, use Import-CSV to create the custom objects from
a comma-separated value (CSV) file that contains a list of object properties. Then pass these objects through the pipeline to New-ADFineGrainedPasswordPolicy to create the fine grained password policy objects.
Create a new Fine Grained Password Policy object named 'DomainUsersPSO' and set the Precedence, ComplexityEnabled, Description, DisplayName, LockoutDuration, LockoutObservationWindw, and LockoutThreshold properties on the object:
$pwpol = @{
Name = "DomainUsersPSO"
Precedence = 500
ComplexityEnabled = $true
Description = "The Domain Users Password Policy"
DisplayName = "Domain Users PSO"
LockoutDuration = "0.12:00:00"
LockoutObservationWindow = "0.00:15:00"
LockoutThreshold = 10
}
ADFineGrainedPasswordPolicy @pwpol
“I never had a policy; I have just tried to do my very best each and every day” ~ Abraham Lincoln
Get-adFineGrainedPasswordPolicy - Get one or more AD fine-grained password policies.
Remove-adFineGrainedPasswordPolicy - Remove an AD fine-grained password policy.
Set-adFineGrainedPasswordPolicy - Modify an AD fine-grained password policy.