

Change Default Domain Password Policy

January 20, 2016
1507

This script changes the default password policy of an Active Directory domain.

PowerShell
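# Changes the Default Domain Password Policy (password age, length, complexity,
# history and account lockout) of an Active Directory domain through the
# Adaxes ADSI API. All attributes are staged on the domain object and written
# in a single SetInfo() call at the end.

# Load the Adaxes ADSI assembly that provides the types used below.
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Connect to the Adaxes service on this machine.
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# TODO: modify me
# The values below are samples; replace them with the values required by your
# organisation's password and lockout policy before running the script.
$domain = "domain.com"
$maxPwdAgeDays = 55                 # Max password age (days)
$minPwdAgeDays = 5                  # Min password age (days)
$minPwdLen = 8                      # Min password length
$pwdComplexity = $True              # Password complexity
$pwdHistoryLen = 24                 # Password history length
$maxBadPasswordsAllowed = 15        # Lock account after N attempts
$lockoutObservationMins = 35        # Reset failed attempt counter after (minutes)
$lockoutDurationMins = 50           # Automatically unlock after (minutes)

# Bind to the domain.
# Fix: the original call was missing the comma between the two $NULL
# arguments, which is a parse error. The bound object also gets its own
# variable so the DNS name in $domain stays available for reference.
$domainObject = $admService.OpenObject("Adaxes://$domain", $NULL, $NULL, 0)

# Update the Default Domain Password Policy.
# The age and lockout attributes are written as large integers holding a
# negative count of 100-nanosecond intervals, hence the -10000000 factor
# (intervals per second) applied to the number of seconds.
[Softerra.Adaxes.Adsi.AdsLargeInteger]$maxAge = New-Object Softerra.Adaxes.Adsi.AdsLargeInteger([Int64]$maxPwdAgeDays * 60 * 60 * 24 * -10000000)
$domainObject.Put("maxPwdAge", $maxAge)
[Softerra.Adaxes.Adsi.AdsLargeInteger]$minAge = New-Object Softerra.Adaxes.Adsi.AdsLargeInteger([Int64]$minPwdAgeDays * 60 * 60 * 24 * -10000000)
$domainObject.Put("minPwdAge", $minAge)
$domainObject.MinPasswordLength = $minPwdLen

# NOTE(review): pwdProperties is a bitmask and the value written here replaces
# it entirely (0 or 1). Any other flag currently set on the domain is cleared
# by this write, so check the existing value before running the script if the
# domain relies on flags other than complexity.
$passwordAttrs = 0 # PASSWORD_ATTR_NONE
if ($pwdComplexity)
{
    $passwordAttrs = $passwordAttrs -bor 1 # DOMAIN_PASSWORD_COMPLEX
}

$domainObject.Put("pwdProperties", $passwordAttrs)
$domainObject.PasswordHistoryLength = $pwdHistoryLen
$domainObject.MaxBadPasswordsAllowed = $maxBadPasswordsAllowed

# Window after which the failed-logon counter is reset.
[Softerra.Adaxes.Adsi.AdsLargeInteger]$lockoutWindow = New-Object Softerra.Adaxes.Adsi.AdsLargeInteger([Int64]$lockoutObservationMins * 60 * -10000000)
$domainObject.Put("lockOutObservationWindow", $lockoutWindow)

# Time after which a locked account is unlocked automatically.
[Softerra.Adaxes.Adsi.AdsLargeInteger]$autoUnlock = New-Object Softerra.Adaxes.Adsi.AdsLargeInteger([Int64]$lockoutDurationMins * 60 * -10000000)
$domainObject.Put("lockoutDuration", $autoUnlock)

# Commit changes. Nothing is written to the directory until this call, so a
# failure earlier in the script leaves the existing policy untouched.
$domainObject.SetInfo()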
