This script changes the default password policy of an Active Directory domain.
PowerShell
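# Sets the default password and account lockout policy on the domain object
# through the Adaxes ADSI provider. Every value below is written when the
# script runs; settings are not merged with the existing policy, apart from
# pwdProperties flags other than password complexity, which are preserved.
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# TODO: modify me
# NOTE(review): the directory is expected to reject inconsistent values
# (for example a minimum age that is not below the maximum age, or a lockout
# duration shorter than the observation window) - confirm before running.
$domain = "domain.com"
$maxPwdAgeDays = 55 # Max password age (days)
$minPwdAgeDays = 5 # Min password age (days)
$minPwdLen = 8 # Min password length
$pwdComplexity = $True # Password complexity
$pwdHistoryLen = 24 # Password history length
$maxBadPasswordsAllowed = 15 # Lock account after N attempts
$lockoutObservationMins = 35 # Reset failed attempt counter after (minutes)
$lockoutDurationMins = 50 # Automatically unlock after (minutes)

# Interval attributes are written as negative counts of 100-nanosecond units.
$ticksPerSecond = -10000000
$DOMAIN_PASSWORD_COMPLEX = 1

# Bind to the domain. The original call was missing the comma between the two
# $NULL arguments, which is a parse error.
$domainObject = $admService.OpenObject("Adaxes://$domain", $NULL, $NULL, 0)

# Update the Default Domain Password Policy
[Softerra.Adaxes.Adsi.AdsLargeInteger]$maxAge = New-Object Softerra.Adaxes.Adsi.AdsLargeInteger([Int64]$maxPwdAgeDays * 60 * 60 * 24 * $ticksPerSecond)
$domainObject.Put("maxPwdAge", $maxAge)

[Softerra.Adaxes.Adsi.AdsLargeInteger]$minAge = New-Object Softerra.Adaxes.Adsi.AdsLargeInteger([Int64]$minPwdAgeDays * 60 * 60 * 24 * $ticksPerSecond)
$domainObject.Put("minPwdAge", $minAge)

$domainObject.MinPasswordLength = $minPwdLen

# pwdProperties is a bit mask. Writing a bare 0 or 1 would silently clear
# every other flag already set on the domain, so only the complexity bit is
# changed and the remaining bits are written back as they were read.
# NOTE(review): assumes Get returns a value that casts to an integer - confirm.
$passwordAttrs = [int]$domainObject.Get("pwdProperties")
if ($pwdComplexity)
{
    $passwordAttrs = $passwordAttrs -bor $DOMAIN_PASSWORD_COMPLEX
}
else
{
    $passwordAttrs = $passwordAttrs -band (-bnot $DOMAIN_PASSWORD_COMPLEX)
}
$domainObject.Put("pwdProperties", $passwordAttrs)

$domainObject.PasswordHistoryLength = $pwdHistoryLen
$domainObject.MaxBadPasswordsAllowed = $maxBadPasswordsAllowed

[Softerra.Adaxes.Adsi.AdsLargeInteger]$lockoutWindow = New-Object Softerra.Adaxes.Adsi.AdsLargeInteger([Int64]$lockoutObservationMins * 60 * $ticksPerSecond)
$domainObject.Put("lockOutObservationWindow", $lockoutWindow)

[Softerra.Adaxes.Adsi.AdsLargeInteger]$autoUnlock = New-Object Softerra.Adaxes.Adsi.AdsLargeInteger([Int64]$lockoutDurationMins * 60 * $ticksPerSecond)
$domainObject.Put("lockoutDuration", $autoUnlock)

# Commit changes. Nothing is sent to the directory until this call, so a
# failure in any step above leaves the existing policy untouched.
$domainObject.SetInfo()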