How to set Fine-grained Password policies with Powershell

So yes, it’s possible to do this from the Active Directory Administrative Center, but why would you really want to – when you can understand how it works with PowerShell?

Essentially, you’re creating scoped password policy objects (PSOs). So you’ll need to figure out which settings you want to apply to each group. I advise that you set every property of the object explicitly – if nothing else because it forces you to think about each setting.

First we create a password policy object:

New-ADFineGrainedPasswordPolicy -ComplexityEnabled $true -Description "(For your own reference)" -DisplayName "(You probably won't see this anywhere)" -LockoutDuration "0.00:15:00" -LockoutObservationWindow "0.00:15:00" -LockoutThreshold 6 -MinPasswordLength 30 -Precedence 50 -ProtectedFromAccidentalDeletion $true -Name "PPO_30" -MinPasswordAge "1.00:00:00" -PasswordHistoryCount 24 -MaxPasswordAge "10675199:00:00:00"

A few notes on this:
– Microsoft’s recommendation is a 15-minute lockout duration and a 15-minute lockout observation window, but do whatever you find sensible.
– All time values MUST be given as days, hours, minutes and seconds (for example 1.00:00:00 for one day) – take it from someone who set the max password age to 130 and ended up with 130 microseconds.
– MaxPasswordAge does not allow for a ‘never expire’ type setting, as that is a property of the user object. “10675199:00:00:00” is the maximum allowed value, and it’s essentially forever.

The rest is kind of self-explanatory. In general, Microsoft recommends long passwords with a long expiration period. Users can’t be expected to come up with fancy passwords every 90 days, so they’ll end up incrementing the one they have – and there’s no security in that.

With that done – you need to apply it to a security group:

Add-ADFineGrainedPasswordPolicySubject -Identity PPO_30 -Subjects (Security group name)

Subjects can be one or many comma-separated groups or users; but obviously I wouldn’t recommend using individual users. That would be a nightmare to manage.

All done. This applies immediately, but keep in mind that the new rules won’t bite until the current password expires. So if you want to enforce something now, you’d need to set the users to change their password at next logon.
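The whole procedure above (create the PSO, attach it to a group, then force a password change so the new rules apply now) as one script, with the time values built via New-TimeSpan so the ticks-versus-days pitfall from the notes cannot happen, a precedence collision check, and a verification step that shows what each group member actually ends up with. This is an added example, not code from the original post; the policy name, group name and the 365-day maximum age are assumptions, and the command that forces a password change runs with -WhatIf until you have reviewed the output.

```powershell
# Added example (not from the original post). Assumed values: policy name,
# group name and a 365-day maximum password age.
Import-Module ActiveDirectory

$policyName  = 'PPO_30'              # assumed
$targetGroup = 'SG-LongPasswords'    # assumed security group

# Build every duration with New-TimeSpan so the unit is explicit.
# A bare integer passed to a TimeSpan parameter is read as ticks (100 ns), not days.
$params = @{
    Name                            = $policyName
    DisplayName                     = $policyName
    Description                     = '30-character minimum, long expiry'
    Precedence                      = 50      # lowest precedence wins when several PSOs apply
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false
    MinPasswordLength               = 30
    PasswordHistoryCount            = 24
    MinPasswordAge                  = New-TimeSpan -Days 1
    MaxPasswordAge                  = New-TimeSpan -Days 365
    LockoutThreshold                = 6
    LockoutDuration                 = New-TimeSpan -Minutes 15
    LockoutObservationWindow        = New-TimeSpan -Minutes 15
    ProtectedFromAccidentalDeletion = $true
}

# Refuse to create a second PSO with the same precedence: ties are broken by
# object GUID, which nobody wants to reason about while troubleshooting a lockout.
$clash = Get-ADFineGrainedPasswordPolicy -Filter "Precedence -eq $($params.Precedence)"
if ($clash) {
    throw "Precedence $($params.Precedence) is already used by PSO '$($clash.Name)'"
}

New-ADFineGrainedPasswordPolicy @params
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $targetGroup

# Verify: what the PSO is attached to ...
Get-ADFineGrainedPasswordPolicySubject -Identity $policyName |
    Select-Object Name, ObjectClass

# ... and the resultant policy for every user in the group (nested groups included).
# A null result means the user still falls back to the default domain policy.
$members = Get-ADGroupMember -Identity $targetGroup -Recursive |
    Where-Object ObjectClass -eq 'user'

$members | ForEach-Object {
    $effective = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
    [pscustomobject]@{
        User            = $_.SamAccountName
        EffectivePolicy = if ($effective) { $effective.Name } else { 'Default Domain Policy' }
        MinLength       = if ($effective) { $effective.MinPasswordLength } else { $null }
        MaxAgeDays      = if ($effective) { $effective.MaxPasswordAge.TotalDays } else { $null }
    }
} | Format-Table -AutoSize

# The new minimum length only takes effect at the next password change,
# so require one for everyone in scope. Remove -WhatIf once the list above looks right.
$members | ForEach-Object {
    Set-ADUser -Identity $_.DistinguishedName -ChangePasswordAtLogon $true -WhatIf
}
```

Run it from a host with the RSAT ActiveDirectory module as an account allowed to create objects in the Password Settings Container. The precedence check is the part most people skip: two PSOs with equal precedence are legal, but which one wins is not something you want to discover from a helpdesk ticket.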

Make sure to turn off your phone.
