I will make more articles on how to do these things using the GUI in the future; however, I love using the command line. As I said, it helps a ton, especially if you are a newer admin just getting your feet wet.
The reference documentation from Microsoft is here.
In this post, we will look at setting your Active Directory password policy using PowerShell to make the task easy and give you opportunities to script things for future changes and deployments.
Whether or not you read the reference docs, you should take note of the -WhatIf flag; this little flag can save your tail on several occasions. So if you are unsure about your action before you do it, please use that flag. You may also want to consider the headache you might cause yourself with IT complaints and commotion if you do not adequately alert people to policy changes that affect daily computer use.
We can get away with not alerting about the password never expires action because it is best practice according to Microsoft, and people will find that type of change positive. However, setting complex passwords tends to get people up in arms, so consider the ramifications of what you do and the power you wield.
Set Password Complexity Requirements in AD Using CMD
This is using the command line, of course. Still, technically, we are using PowerShell. To set the password policy for an Active Directory domain with a minimum password length of 12, a requirement for at least 1 special character, 1 capital letter, 1 lowercase letter, and 1 number, and no expiration, you can use the following command:
Set-ADDefaultDomainPasswordPolicy -Identity <domain> -MinPasswordLength 12 -ComplexityEnabled $True -MaxPasswordAge 0
Replace <domain> with the distinguished name, GUID, SID, DNS domain name, or NetBIOS name of the domain whose password policy you want to modify.
This works because the -ComplexityEnabled $True flag has built-in requirements for uppercase letters, lowercase letters, numbers, and special characters (the "non-alphanumeric characters"). We also set the maximum password age so passwords never expire and the minimum length of passwords to 12 characters.
Note: The MaxPasswordAge parameter sets the maximum password age in days. Setting it to 0 will cause the password to never expire.
Other Password Options
You can also use the following parameters to customize the password policy further:
MinPasswordAge: Sets the minimum password age in days. This determines how long a user must wait before changing their password again after changing it.
LockoutDuration: Sets the duration a user account is locked out after the specified number of failed login attempts.
LockoutObservationWindow: Sets the duration during which failed login attempts are counted towards the lockout threshold.
LockoutThreshold: Sets the number of failed login attempts that trigger a lockout.
PasswordHistoryCount: Sets the number of previous passwords that are remembered and cannot be used again.
Set-ADDefaultDomainPasswordPolicy -Identity <domain> -MinPasswordLength 12 -ComplexityEnabled $True -MaxPasswordAge 0 -MinPasswordAge 1.00:00:00 -LockoutDuration 00:30:00 -LockoutObservationWindow 00:15:00 -LockoutThreshold 5 -PasswordHistoryCount 5
This will set the password policy to require a minimum password length of 12, with at least 1 special character, 1 capital letter, 1 lowercase letter, and 1 number. It will also set the minimum password age to 1 day, the lockout duration to 30 minutes, the lockout observation window to 15 minutes, the lockout threshold to 5 failed login attempts, and the password history count to 5. The password will never expire.
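The same policy as a script, added here as an example (not code from the original post): the values are splatted from a hashtable so they can be rehearsed with -WhatIf, applied, and then read back with Get-ADDefaultDomainPasswordPolicy and compared against what was requested. The domain name is a placeholder; the duration values are written as TimeSpans because a bare integer such as -MinPasswordAge 1 is bound as 1 tick, not 1 day.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) and an account with rights to edit the Default Domain Policy.
Import-Module ActiveDirectory

$Domain = 'corp.example.com'   # placeholder: DNS name, DN, GUID, SID or NetBIOS name

# Duration parameters are TimeSpans; use d.hh:mm:ss so "1" is not read as one tick.
$Policy = @{
    MinPasswordLength        = 12
    ComplexityEnabled        = $true
    MaxPasswordAge           = [TimeSpan]::Zero          # 0 = passwords never expire
    MinPasswordAge           = [TimeSpan]'1.00:00:00'    # 1 day
    LockoutDuration          = [TimeSpan]'00:30:00'
    LockoutObservationWindow = [TimeSpan]'00:15:00'
    LockoutThreshold         = 5
    PasswordHistoryCount     = 5
}

# Snapshot the current policy first so the change is auditable and reversible.
$Before = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
$Before | Export-Clixml -Path '.\DefaultDomainPasswordPolicy-before.xml'

# Dry run: shows what would change without touching the domain.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain @Policy -WhatIf

# Real run, gated behind an explicit prompt.
if ((Read-Host "Apply this policy to $Domain? (y/N)") -eq 'y') {
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain @Policy
}

# Read the policy back and report any property that does not match the request.
$After = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
foreach ($Name in $Policy.Keys) {
    $Expected = $Policy[$Name]
    $Actual   = $After.$Name
    if ($Actual -ne $Expected) {
        Write-Warning ("{0}: expected {1}, found {2}" -f $Name, $Expected, $Actual)
    } else {
        Write-Host ("{0,-25} OK ({1})" -f $Name, $Actual)
    }
}
```

The exported XML can be re-imported with Import-Clixml and splatted back the same way if the change has to be rolled back.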
Change A User’s Password From Command Line
To change the password for a specific user in an Active Directory using the command line or, again, technically, PowerShell, you can use the Set-ADAccountPassword cmdlet with the Identity parameter to specify the user and the NewPassword parameter to set the new password.
To change the password for a user with the username “John.Doe” to “P@ssw0rd”, you can use the following command:
Set-ADAccountPassword -Identity "John.Doe" -NewPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)
This command will change the password for the user "John.Doe" to "P@ssw0rd". The ConvertTo-SecureString cmdlet converts the plain text password to a secure string, which the NewPassword parameter requires. The -Force parameter is used to suppress the confirmation prompt.
You can also use the -Credential parameter to specify the credentials of a user with permission to change the password and the -Server parameter to specify the name of the domain controller to use. For example:
Set-ADAccountPassword -Identity "John.Doe" -NewPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force) -Credential (Get-Credential) -Server "dc01.techsico.com"
This command will prompt you for a user’s credentials with permission to change the password and will change the password for the user “John.Doe” on the domain controller “dc01.techsico.com”.
Unlock User Account That is Locked
To change the password for a user who has forgotten their password and been locked out, you can use the Unlock-ADAccount cmdlet to unlock the user account before changing the password.
As a reminder, we can do all this from the GUI, and I will post links to that article once completed.
Unlock-ADAccount -Identity "John.Doe"
Set-ADAccountPassword -Identity "John.Doe" -NewPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)
This will unlock the user account “John.Doe” and change the password to “P@ssw0rd”.
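The unlock-and-reset procedure above as a short script, added here as an example (not code from the original post): it checks the lockout state first, reads the new password straight into a SecureString so it never sits on the command line or in shell history, performs an administrative reset, and flags the account to change password at next logon. "John.Doe" and "dc01.techsico.com" are the article's sample values.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and an account with reset-password rights on the target user.
Import-Module ActiveDirectory

$User   = 'John.Doe'            # article's sample user
$Server = 'dc01.techsico.com'   # article's sample domain controller

# Look before you act: is the account really locked, and when was the password last set?
$Account = Get-ADUser -Identity $User -Server $Server `
    -Properties Enabled, LockedOut, BadLogonCount, PasswordLastSet
Write-Host ("{0}: Enabled={1} LockedOut={2} BadLogonCount={3} PasswordLastSet={4}" -f `
    $Account.SamAccountName, $Account.Enabled, $Account.LockedOut, `
    $Account.BadLogonCount, $Account.PasswordLastSet)

if ($Account.LockedOut) {
    # Add -WhatIf here to rehearse; Unlock-ADAccount supports it.
    Unlock-ADAccount -Identity $Account -Server $Server
}

# Read the new password directly as a SecureString: nothing is echoed, and
# ConvertTo-SecureString -AsPlainText is not needed at all.
$NewPassword = Read-Host -Prompt "New password for $User" -AsSecureString

# -Reset performs an administrative reset (the old password is not required).
Set-ADAccountPassword -Identity $Account -Server $Server -Reset -NewPassword $NewPassword

# Make the helpdesk-chosen password a one-time value: the user must replace it at next sign-in.
Set-ADUser -Identity $Account -Server $Server -ChangePasswordAtLogon $true

# Verify: the lockout should be cleared and PasswordLastSet should now be current.
Get-ADUser -Identity $User -Server $Server -Properties LockedOut, PasswordLastSet |
    Select-Object SamAccountName, LockedOut, PasswordLastSet
```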
I like using the command line as sometimes it allows for scripting opportunities, and no matter how things are running, commands always seem to get the job done a little faster. Knowing the PowerShell cmdlets and regular command line tools is essential to getting the job done efficiently.