Ways to check password complexity with PowerShell.
Summary:
- Method 1 : Get-ADDefaultDomainPasswordPolicy
- Method 2 : Get-ADObject
- Method 3 : net accounts
# Method 1 : Get-ADDefaultDomainPasswordPolicy
We can use the Active Directory PowerShell cmdlet Get-ADDefaultDomainPasswordPolicy to get the default password policy for an Active Directory domain. Before proceeding, import the Active Directory module by running the command below.
```powershell
Import-Module ActiveDirectory
```
The command below gets the default domain password policy from the domain of the currently logged-on user.
```powershell
Get-ADDefaultDomainPasswordPolicy
```
This command gets the default domain password policy from a given domain.
```powershell
Get-ADDefaultDomainPasswordPolicy -Identity contoso.com
```
This command returns the following results (ComplexityEnabled, MaxPasswordAge, MinPasswordAge and MinPasswordLength).
```
PS C:\> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled           : True
DistinguishedName           : DC=testdomain,DC=com
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 0
MaxPasswordAge              : 42.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 7
objectClass                 : {domainDNS}
objectGuid                  : d43f2f55-c381-4fa7-871d-4c990434259c
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False
```
# Method 2 : Get-ADObject
We can also use Get-ADObject to retrieve the password-policy properties from the domain naming context (defaultNamingContext).
```powershell
# Requires the ActiveDirectory module (Import-Module ActiveDirectory)
$RootDSE = Get-ADRootDSE
$PasswordPolicy = Get-ADObject $RootDSE.defaultNamingContext -Property minPwdAge, maxPwdAge,`
                  minPwdLength, pwdHistoryLength, pwdProperties

# minPwdAge and maxPwdAge are stored as negative 100-nanosecond intervals;
# dividing by -864000000000 converts them to days.
$PasswordPolicy | Select-Object Name,
    @{n="Min Password Age";e={"$($_.minPwdAge / -864000000000) days"}},`
    @{n="Max Password Age";e={"$($_.maxPwdAge / -864000000000) days"}},`
    @{n="Min Password Length";e={"$($_.minPwdLength) characters"}},`
    @{n="Pwd History Length";e={$_.pwdHistoryLength}},`
    @{n="Password Complexity";e={Switch ($_.pwdProperties) {
          0 {"Passwords can be simple and the administrator account cannot be locked out"}
          1 {"Passwords must be complex and the administrator account cannot be locked out"}
          8 {"Passwords can be simple, and the administrator account can be locked out"}
          9 {"Passwords must be complex, and the administrator account can be locked out"}
          # Inside a switch, $_ is the value being tested, so return it directly
          Default {$_}}}}
```
The above command returns the following results (Min Password Age, Max Password Age, Min Password Length, Pwd History Length and Password Complexity).
```
Name                : contoso
Min Password Age    : 1 days
Max Password Age    : 42 days
Min Password Length : 7 characters
Pwd History Length  : 24
Password Complexity : Passwords must be complex and the administrator account cannot be locked out
```
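The `switch` in Method 2 matches only four exact values, but `pwdProperties` is a bit mask, so a value such as 17 (complexity plus reversible encryption) has no matching case. The following added example, which is not part of the original page, decodes each flag and reports the two settings that weaken the policy. The helper name `ConvertFrom-PwdProperties` and the sample values are constructed for illustration, and `enum` needs PowerShell 5.0 or later.

```powershell
# Added example (not from the original page): decode pwdProperties as a bit mask.
# Values are the DOMAIN_PASSWORD_* / DOMAIN_LOCKOUT_ADMINS constants of the attribute.
[Flags()] enum PwdProperties {
    PasswordComplex      = 1   # DOMAIN_PASSWORD_COMPLEX
    NoAnonChange         = 2   # DOMAIN_PASSWORD_NO_ANON_CHANGE
    NoClearChange        = 4   # DOMAIN_PASSWORD_NO_CLEAR_CHANGE
    LockoutAdmins        = 8   # DOMAIN_LOCKOUT_ADMINS
    StoreClearText       = 16  # DOMAIN_PASSWORD_STORE_CLEARTEXT
    RefusePasswordChange = 32  # DOMAIN_REFUSE_PASSWORD_CHANGE
}

# Hypothetical helper name; takes the raw integer read from the domain object.
function ConvertFrom-PwdProperties {
    param([Parameter(Mandatory, ValueFromPipeline)] [int] $Value)
    process {
        $flags = [PwdProperties]$Value
        $findings = @()
        if (-not $flags.HasFlag([PwdProperties]::PasswordComplex)) {
            $findings += 'Complexity is not enforced'
        }
        if ($flags.HasFlag([PwdProperties]::StoreClearText)) {
            $findings += 'Passwords are stored with reversible encryption'
        }
        [pscustomobject]@{
            Raw               = $Value
            Flags             = if ($Value -eq 0) { 'None' } else { "$flags" }
            ComplexityEnabled = $flags.HasFlag([PwdProperties]::PasswordComplex)
            AdminLockout      = $flags.HasFlag([PwdProperties]::LockoutAdmins)
            Findings          = $findings -join '; '
        }
    }
}

# Constructed sample values; 17 has no matching case in the Method 2 switch.
0, 1, 9, 17 | ConvertFrom-PwdProperties | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# (Get-ADObject (Get-ADRootDSE).defaultNamingContext -Property pwdProperties).pwdProperties |
#     ConvertFrom-PwdProperties
```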
# Method 3 : net accounts
We can also use the following net command to look at the password policy details.
```powershell
net accounts
```
This command returns the following results (minimum password age, maximum password age and minimum password length).
```
PS C:\> net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 7
Length of password history maintained: 24
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
The command completed successfully.
```