Avatar of Tessando
Flag for United States of America

asked on 

Sanity Check: How To Tell What Password Policy is being Used by Active Directory

I would like to know what the current Password Policy for Active Directory is because I have inherited some information that is conflicting.

When I run this Powershell command on a Server connected to the Network:


Open in new window

I get the following Results:

ComplexityEnabled           : True
DistinguishedName           : DC=company,DC=com
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 0
MaxPasswordAge              : 42.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 7
objectClass                 : {domainDNS}
objectGuid                  : d90d-45e9-8f3e
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False

Open in new window

Based on this, does it appear that the number of days before a user is required to change their password is 42?

The previous Devs left a Scheduled Task that reminds users to change their password every 76, 83 and 89 days. This uses a. DSGet Powershell command and implies that passwords last longer than 42 days!

Could there be fine-grained passwords in a level above this? Or does the Powershell command "Get-ADDefaultDomainPasswordPolicy" show what is being applied?

Thanks for the Friday Afternoon sanity check.
PowershellActive Directory

Avatar of undefined
Last Comment
Pau Lo

8/22/2022 - Mon