AD password policy fine grained, determining who is subject to which policy

I've run AD PowerShell cmds to get the defaultpasswordpolicy and finegrainedpasswordpolicy settings. I noticed 3 fine grained password policy settings had been set which are more secure than the defaultpasswordpolicy. I know you can return what groups an AD account is a member of by PowerShell, but wasn't sure if you can also return a report of which domain policies they are subject to, which may help for this task.

What I need is a command or way to report which AD accounts are subject to which password policy, e.g. default domain password policy, or any of the fine grained password policies. The PowerShell cmd used to get all policy settings does contain an "applies to" column. Does that mean default domain password policy would apply to every AD user outside of those specifically listed in the applies to column of finegrainedpasswordpolicy settings, who would then be subject to the finegrainedpasswordpolicies?

For info - these were the commands used:

Get-ADFineGrainedPasswordPolicy -Filter *
Exactly. If the password policy is defined in the default domain policy, the policy applies to each and every security principal in the scope of the GPO.
To overcome this behaviour you can define fgpp - more info here

Find below the code you can use to examine the recipients of fgpp
Get-ADFineGrainedPasswordPolicy -Filter "*" | ForEach-Object {
    try {
        # AppliesTo holds the distinguished name the policy is linked to
        Get-ADGroupMember "$($_.AppliesTo)" -ErrorAction Stop # for recursive search use -Recursive
    }
    catch {
        Write-Warning "Appliesto is empty"
    }
}
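
An added example, not part of the original answer: a per-account report of the effective password policy, using `Get-ADUserResultantPasswordPolicy` and falling back to the default domain policy when no fine-grained policy applies. It assumes the ActiveDirectory module is installed and that the account running it can read the password settings objects; without that right every user would appear to fall under the default policy.

```powershell
# Added example: which password policy is each enabled account subject to?
Import-Module ActiveDirectory

# Domain-wide policy, used for every account with no resultant FGPP.
$default = Get-ADDefaultDomainPasswordPolicy

$report = Get-ADUser -Filter 'Enabled -eq $true' | ForEach-Object {
    $user = $_

    # Resolves FGPPs linked directly to the user or through group membership.
    # When several apply, AD picks the one with the lowest Precedence value.
    # Returns nothing when no FGPP applies to this account.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user

    if ($pso) {
        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            Policy            = $pso.Name
            PolicyType        = 'FineGrained'
            Precedence        = $pso.Precedence
            MinPasswordLength = $pso.MinPasswordLength
            MaxPasswordAge    = $pso.MaxPasswordAge
            LockoutThreshold  = $pso.LockoutThreshold
        }
    }
    else {
        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            Policy            = 'Default Domain Password Policy'
            PolicyType        = 'Default'
            Precedence        = $null
            MinPasswordLength = $default.MinPasswordLength
            MaxPasswordAge    = $default.MaxPasswordAge
            LockoutThreshold  = $default.LockoutThreshold
        }
    }
}

# Summary: how many accounts fall under each policy.
$report | Group-Object Policy | Select-Object Name, Count | Format-Table -AutoSize

# Detail: one row per account, grouped by policy.
$report | Sort-Object Policy, SamAccountName | Format-Table -AutoSize
```

Accounts that show up under the default policy but were expected under a stricter one are worth checking against the group membership behind each policy's AppliesTo value.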
