Tessando

Sanity Check: How To Tell What Password Policy is being Used by Active Directory

I would like to know what the current Password Policy for Active Directory is because I have inherited some information that is conflicting.

When I run this PowerShell command on a Server connected to the Network:

Get-ADDefaultDomainPasswordPolicy


I get the following Results:

ComplexityEnabled           : True
DistinguishedName           : DC=company,DC=com
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 0
MaxPasswordAge              : 42.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 7
objectClass                 : {domainDNS}
objectGuid                  : d90d-45e9-8f3e
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False


Based on this, does it appear that the number of days before a user is required to change their password is 42?

The previous Devs left a Scheduled Task that reminds users to change their password every 76, 83 and 89 days. This uses a DSGet PowerShell command and implies that passwords last longer than 42 days!

Could there be fine-grained passwords in a level above this? Or does the PowerShell command "Get-ADDefaultDomainPasswordPolicy" show what is being applied?

Thanks for the Friday Afternoon sanity check.
Peter Hutchison

Try the Get-ADUserResultantPasswordPolicy cmdlet to find out which password policy applies to a user.

ASKER CERTIFIED SOLUTION
Aard Vark

This solution is only available to members.
Pau Lo

The previous Devs left a Scheduled Task that reminds users to change their password every 76, 83 and 89 days. This uses a DSGet PowerShell command and implies that passwords last longer than 42 days!

Was that reminder being sent to all users? I wonder if they had to exempt certain accounts with the passwordneverexpires option set to TRUE and it was a reminder for those sorts of accounts? 42 days seems quite an odd value unless you are subject to some security regulations that have a specific requirement for that figure. It could also be some sort of default setting perhaps.
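
Added example, not part of any post in this thread: a PowerShell sketch that combines the cmdlets named above to show, for one account, whether a fine-grained policy or the default domain policy applies and when the password actually expires. The function name `Get-EffectivePasswordPolicy` and the account `jdoe` are hypothetical; the ActiveDirectory module is assumed to be installed.

```powershell
# Added example. Run with an account that can read the Password Settings
# Container (Domain Admins by default), otherwise no PSO will be returned.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties PasswordNeverExpires,
        PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'

    # A fine-grained policy (PSO), if one applies, overrides the domain default.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($pso) {
        $source = "Fine-grained policy: $($pso.Name)"
        $policy = $pso
    } else {
        $source = 'Default domain policy'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }

    # The domain controller computes the expiry time for the account.
    # Int64.MaxValue means "never expires"; 0 means "must change at next logon".
    $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
    if ($user.PasswordNeverExpires -or $raw -eq [Int64]::MaxValue) {
        $expires = 'Never'
    } elseif ($raw -eq 0) {
        $expires = 'Must change at next logon'
    } else {
        $expires = [datetime]::FromFileTime($raw)
    }

    [pscustomobject]@{
        User                 = $user.SamAccountName
        PolicySource         = $source
        MaxPasswordAge       = $policy.MaxPasswordAge
        MinPasswordLength    = $policy.MinPasswordLength
        LockoutThreshold     = $policy.LockoutThreshold
        PasswordNeverExpires = $user.PasswordNeverExpires
        PasswordLastSet      = $user.PasswordLastSet
        PasswordExpires      = $expires
    }
}

# 'jdoe' is a placeholder account name.
Get-EffectivePasswordPolicy -Identity 'jdoe'

# List every fine-grained policy with its precedence and the objects it targets.
Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence |
    Select-Object Name, Precedence, MaxPasswordAge, AppliesTo
```

If the second command returns nothing, no fine-grained policies are defined (or the account running it cannot read them), and the values from Get-ADDefaultDomainPasswordPolicy apply to every account that does not have PasswordNeverExpires set.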