-
Notifications
You must be signed in to change notification settings - Fork 144
ADFineGrainedPasswordPolicy
dscbot edited this page Mar 15, 2025
·
3 revisions
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Name | Key | String | Specifies an Active Directory fine-grained password policy object name. | |
| Precedence | Required | UInt32 | Specifies a value that defines the precedence of a fine-grained password policy among all fine-grained password policies. | |
| ComplexityEnabled | Write | Boolean | Specifies whether password complexity is enabled for the password policy. | |
| Credential | Write | PSCredential | Specifies the user account credentials to use to perform this task. | |
| Description | Write | String | Specifies the description of the object. | |
| DisplayName | Write | String | Specifies the display name of the object. | |
| DomainController | Write | String | Specifies the Active Directory Domain Services instance to connect to. | |
| Ensure | Write | String | Specifies whether the fine-grained password policy should be present or absent. Default value is 'Present'. |
Present, Absent
|
| LockoutDuration | Write | String | Specifies the length of time that an account is locked after the number of failed login attempts exceeds the lockout threshold. The lockout duration must be greater than or equal to the lockout observation time for a password policy. The value must be a string representation of a TimeSpan value. | |
| LockoutObservationWindow | Write | String | Specifies the maximum time interval between two unsuccessful login attempts before the number of unsuccessful login attempts is reset to 0. The lockout observation window must be smaller than or equal to the lockout duration for a password policy. The value must be a string representation of a TimeSpan value. | |
| LockoutThreshold | Write | UInt32 | Specifies the number of unsuccessful login attempts that are permitted before an account is locked out. | |
| MaxPasswordAge | Write | String | Specifies the maximum length of time that you can have the same password. The value must be a string representation of a TimeSpan value. | |
| MinPasswordAge | Write | String | Specifies the minimum length of time before you can change a password. The value must be a string representation of a TimeSpan value. | |
| MinPasswordLength | Write | UInt32 | Specifies the minimum number of characters that a password must contain. | |
| PasswordHistoryCount | Write | UInt32 | Specifies the number of previous passwords to save. | |
| ProtectedFromAccidentalDeletion | Write | Boolean | Specifies whether to prevent the object from being deleted. | |
| ReversibleEncryptionEnabled | Write | Boolean | Specifies whether the directory must store passwords using reversible encryption. | |
| Subjects | Write | StringArray[] | Specifies the ADPrincipal names the policy is to be applied to, overwrites all existing. |
The ADFineGrainedPasswordPolicy DSC resource will manage an Active Directory domain's fine grained password policies.
- Target machine must be running Windows Server 2012 or later.
This configuration will create an Active Directory domain fine-grained password policy with default settings.
Configuration ADFineGrainedPasswordPolicy_ConfigurePolicyWithDefaults_Config
{
Import-DscResource -Module ActiveDirectoryDsc
Node localhost
{
ADFineGrainedPasswordPolicy 'FineGrainedPasswordPolicy'
{
Name = 'DomainUsers'
Precedence = 10
}
}
}This configuration will create an Active Directory domain fine-grained password policy with specific settings.
Configuration ADFineGrainedPasswordPolicy_ConfigurePolicyWithSpecifics_Config
{
Import-DscResource -Module ActiveDirectoryDsc
Node localhost
{
ADFineGrainedPasswordPolicy 'FineGrainedPasswordPolicy'
{
Name = 'DomainAdmins'
DisplayName = 'Domain Admins Password Policy'
Description = 'This is the Fine Grained Password Policy for Domain Admins'
Subjects = 'Domain Admins'
ComplexityEnabled = $true
LockoutDuration = '00:30:00'
LockoutObservationWindow = '00:30:00'
LockoutThreshold = 5
MaxPasswordAge = '42.00:00:00'
MinPasswordAge = '1.00:00:00'
MinPasswordLength = 15
PasswordHistoryCount = 24
ReversibleEncryptionEnabled = $false
ProtectedFromAccidentalDeletion = $true
Precedence = 10
}
}
}This configuration will remove an Active Directory domain fine-grained password policy.
Configuration ADFineGrainedPasswordPolicy_RemovePolicy_Config
{
Import-DscResource -Module ActiveDirectoryDsc
Node localhost
{
ADFineGrainedPasswordPolicy 'FineGrainedPasswordPolicy'
{
Name = 'DomainUsers'
Precedence = 10
Ensure = 'Absent'
}
}
}- ADComputer
- ADDomain
- ADDomainController
- ADDomainControllerProperties
- ADDomainDefaultPasswordPolicy
- ADDomainFunctionalLevel
- ADDomainTrust
- ADFineGrainedPasswordPolicy
- ADForestFunctionalLevel
- ADForestProperties
- ADGroup
- ADKDSKey
- ADManagedServiceAccount
- ADObjectEnabledState
- ADObjectPermissionEntry
- ADOptionalFeature
- ADOrganizationalUnit
- ADReadOnlyDomainControllerAccount
- ADReplicationSite
- ADReplicationSiteLink
- ADReplicationSubnet
- ADServicePrincipalName
- ADUser
- Home
- WaitForADDomain