Search This Blog

Monday, November 18, 2019

How to check the Active Directory user password policy When Get-ADUserResultantPasswordPolicy Returns Nothing

How to check the Active Directory user password policy When Get-ADUserResultantPasswordPolicy Returns Nothing
Recently, I have had to troubleshoot a variety of SQL login issues, and often the problem was related to the user's Active Directory account.

I am aware that my organization implements security policies that include, among other things, an Active Directory password policy. Of course, there's also the SQL Server user security policy, which I am quite familiar with.

To better support my users, I decided it would be beneficial to familiarize myself with the current Active Directory password policy. There is a document that outlines this policy, but I want to verify the settings that are actually in effect. After all, documentation can sometimes be outdated.

For this purpose, I am using PowerShell to retrieve the password policy values. Note that you will need to have the ActiveDirectory PowerShell module installed to do this.


# To check if the AD module is installed
Get-Module -Name ActiveDirectory

# Lets now check if a password policy is assigned to a user
Get-ADUserResultantPasswordPolicy -Identity aduser1


In this case, the 'Get-ADUserResultantPasswordPolicy' command returns nothing. This likely indicates that the password policy is not assigned on an individual user basis, known as Fine-Grained Password Policies. If your AD environment doesn't have Fine-Grained Password Policies (FGPP) defined or if they are not applied to the specific user you're querying, the command will return no result. FGPP allows different password policies within the same domain, but if it's not set up, users will just follow the default domain password policy

This approach makes sense for most organizations. Assigning unique password policies to each user can be impractical. Instead, for groups of users who require stricter (e.g., users with administrative rights) or more lenient password policies, it's more efficient to segment them into different domains or organizational units (OUs). These segments can have tailored settings to mitigate any associated risks.

I am now going to verify the default password policy in the domain.


Get-ADDefaultDomainPasswordPolicy

When you run this command, it returns various properties of the default domain password policy, such as:

  • ComplexityEnabled: Indicates whether password complexity requirements are enabled.
  • LockoutDuration: The duration for which an account remains locked after reaching the specified number of failed login attempts.
  • LockoutObservationWindow: The time window in which consecutive failed login attempts are counted towards the lockout threshold.
  • LockoutThreshold: The number of failed login attempts that will trigger an account lockout.
  • MaxPasswordAge: The maximum age of a password before it must be changed.
  • MinPasswordAge: The minimum age of a password before it can be changed.
  • MinPasswordLength: The minimum number of characters required in the password.
  • PasswordHistoryCount: The number of unique new passwords a user must use before an old password can be reused.
For example:

ComplexityEnabled           : True
DistinguishedName           : DC=internal,DC=external,DC=org
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 6
MaxPasswordAge              : 90.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 8
objectClass                 : {domainDNS}
objectGuid                  : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
PasswordHistoryCount        : 8
ReversibleEncryptionEnabled : False


To get the default policy in a different AD domain than you are currently logged into:

Get-ADDefaultDomainPasswordPolicy -Server MyADDomain 

And, if you are curious what all these values mean, please refer to the following MS document:


https://learn.microsoft.com/en-us/powershell/module/activedirectory/set-addefaultdomainpasswordpolicy