AD fine-grained password policy: determining who is subject to which policy

I've run AD PowerShell cmdlets to get the DefaultDomainPasswordPolicy and FineGrainedPasswordPolicy settings. I noticed 3 fine-grained password policy settings had been set which are more secure than the default password policy. I know you can return what groups an AD account is a member of via PowerShell, but wasn't sure if you can also return a report of which domain policies they are subject to, which may help for this task.

What I need is a command or way to report which AD accounts are subject to which password policy, e.g. the default domain password policy, or any of the fine-grained password policies. The PowerShell cmdlet used to get all policy settings does contain an "applies to" column. Does that mean the default domain password policy would apply to every AD user outside of those specifically listed in the applies-to column of the FineGrainedPasswordPolicy settings, who would then be subject to the fine-grained password policies?

For info, these were the commands used:

Get-ADDefaultDomainPasswordPolicy
Get-ADFineGrainedPasswordPolicy -Filter *
Asked by pma111:

Michelangelo (Consultant) commented:
Hi,
Exactly. If the password policy is defined in the default domain policy, the policy applies to each and every security principal in the scope of the GPO.
To overcome this behaviour you can define FGPPs; more info here: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770842(v=ws.10)

Find below the code you can use to examine the recipients of each FGPP:

Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    $policy = $_
    # AppliesTo is a list of DNs (users and/or groups); an empty list means the policy targets nobody
    if (-not $policy.AppliesTo) { Write-Warning "AppliesTo is empty for $($policy.Name)"; return }
    foreach ($dn in $policy.AppliesTo) {
        try {
            $target = Get-ADObject -Identity $dn
            if ($target.ObjectClass -eq 'group') {
                # add -Recursive to Get-ADGroupMember to expand nested groups
                Get-ADGroupMember -Identity $dn | Select-Object @{n='Policy';e={$policy.Name}}, Name, ObjectClass
            } else {
                $target | Select-Object @{n='Policy';e={$policy.Name}}, Name, ObjectClass
            }
        }
        catch { Write-Warning "Could not resolve $dn for $($policy.Name)" }
    }
}


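As an added example (not code from the thread or the answerer), the script below produces the per-account report the question asks for: for each enabled user it resolves the effective policy with Get-ADUserResultantPasswordPolicy, which returns the winning FGPP or nothing when the default domain policy applies. It assumes the ActiveDirectory module (RSAT) is installed, the running account can read the domain, and the CSV path is a placeholder.

```powershell
# Added example, not code from the thread. Reports which password policy actually
# governs each enabled user: Get-ADUserResultantPasswordPolicy returns the winning
# FGPP (lowest Precedence among those applied directly or via group membership),
# or nothing when the default domain policy applies.
# Assumes: the ActiveDirectory module (RSAT) is installed and the account has read
# access to the domain; the output path is a placeholder.
Import-Module ActiveDirectory

$default = Get-ADDefaultDomainPasswordPolicy

function Get-EffectivePasswordPolicy {
    param([Microsoft.ActiveDirectory.Management.ADUser]$User)
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($null -ne $fgpp) {
        return [pscustomobject]@{
            SamAccountName    = $User.SamAccountName
            PolicyType        = 'FineGrained'
            PolicyName        = $fgpp.Name
            Precedence        = $fgpp.Precedence
            MinPasswordLength = $fgpp.MinPasswordLength
            MaxPasswordAge    = $fgpp.MaxPasswordAge
            ComplexityEnabled = $fgpp.ComplexityEnabled
        }
    }
    [pscustomobject]@{
        SamAccountName    = $User.SamAccountName
        PolicyType        = 'DefaultDomain'
        PolicyName        = 'Default Domain Password Policy'
        Precedence        = $null
        MinPasswordLength = $default.MinPasswordLength
        MaxPasswordAge    = $default.MaxPasswordAge
        ComplexityEnabled = $default.ComplexityEnabled
    }
}

$report = Get-ADUser -Filter 'Enabled -eq $true' |
    ForEach-Object { Get-EffectivePasswordPolicy -User $_ }

# Headcount per policy, then the full per-user list for review.
$report | Group-Object PolicyName | Select-Object Name, Count | Format-Table -AutoSize
$report | Export-Csv -Path '.\PasswordPolicyReport.csv' -NoTypeInformation

# Users still on a weaker policy than the strictest FGPP (judged by minimum length only);
# these are the accounts to review if the FGPPs were meant to cover them.
$strictest = Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object MinPasswordLength -Descending | Select-Object -First 1
$report | Where-Object { $_.MinPasswordLength -lt $strictest.MinPasswordLength } |
    Select-Object SamAccountName, PolicyName, MinPasswordLength
```

Because the resultant-policy cmdlet already accounts for nested group membership and precedence, this report answers the "who is under which policy" question directly rather than requiring you to expand AppliesTo by hand.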

Michelangelo (Consultant) commented:
Question has been answered.