
Monday, November 18, 2019

How to check the Active Directory user password policy When Get-ADUserResultantPasswordPolicy Returns Nothing

Recently, I have had to troubleshoot a variety of SQL login issues, and often the problem was related to the user's Active Directory account.

I am aware that my organization implements security policies that include, among other things, an Active Directory password policy. Of course, there's also the SQL Server user security policy, which I am quite familiar with.

To better support my users, I decided it would be beneficial to familiarize myself with the current Active Directory password policy. There is a document that outlines this policy, but I want to verify the settings that are actually in effect. After all, documentation can sometimes be outdated.

For this purpose, I am using PowerShell to retrieve the password policy values. Note that you will need the ActiveDirectory PowerShell module installed to do this; it ships with the RSAT: Active Directory Domain Services and Lightweight Directory Services Tools, and is present by default on domain controllers.


# To check if the AD module is installed. -ListAvailable looks at the installed
# modules on disk; without it, Get-Module only lists modules already imported
# into the current session and would return nothing for a module you have not used yet.
Get-Module -ListAvailable -Name ActiveDirectory

# Let's now check if a fine-grained password policy is assigned to a user
Get-ADUserResultantPasswordPolicy -Identity aduser1


In this case, the 'Get-ADUserResultantPasswordPolicy' command returns nothing at all: no object and no error. That silence is the significant part. If the username is invalid, or there is another issue such as insufficient permissions or an unreachable domain controller, the command does not return an empty result; it throws an error message instead.

An empty result means that no fine-grained password policy (FGPP) applies to this account, either assigned to the user directly or inherited through membership in a global security group. FGPP allows different password policies to coexist within the same domain (it requires a Windows Server 2008 or later domain functional level), but where no FGPP is configured for a user, the user simply follows the default domain password policy.

This approach is practical for most organizations. Assigning a unique password policy to each user is impractical and difficult to manage, so most organizations have a single password policy for all users. For populations that require stricter settings (for example, administrative or service accounts) or more lenient ones, it is more efficient to place those accounts in global security groups and apply an FGPP to the group. Note that a Password Settings Object (PSO) can only be applied to user objects and global security groups, not to domain local or universal groups or to OUs; when more than one PSO applies to a user, the one with the lowest Precedence value wins. Each such segment can then carry settings tailored to its risk.
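As an added example, not code from the original post: the following PowerShell lists every PSO in the domain with its precedence and the principals it applies to, then creates a stricter PSO for an administrative global security group and verifies that a member now resolves to it. The names 'PSO-Admins', 'Tier0-Admins' and 'adminuser1' are placeholders; the group must already exist as a global security group, and the account running this needs rights to create objects under the Password Settings Container.

```powershell
# Added example (not part of the original post). Placeholders: 'PSO-Admins',
# 'Tier0-Admins' (must be a global security group), 'adminuser1'.
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Which PSOs exist, and who do they apply to? Lowest Precedence wins when several apply.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    ForEach-Object {
        $subjects = (Get-ADFineGrainedPasswordPolicySubject -Identity $_ |
                     Select-Object -ExpandProperty SamAccountName) -join ', '
        [pscustomobject]@{
            Name       = $_.Name
            Precedence = $_.Precedence
            MinLength  = $_.MinPasswordLength
            MaxAge     = $_.MaxPasswordAge
            Lockout    = $_.LockoutThreshold
            AppliesTo  = $subjects
        }
    } | Format-Table -AutoSize

# 2. Create a stricter PSO for admins. LockoutObservationWindow must not exceed
#    LockoutDuration, and MinPasswordAge must be shorter than MaxPasswordAge.
$groupName = 'Tier0-Admins'
$pso = New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false -PassThru

# 3. Bind it to the global security group (PSOs target users and global groups only)
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $groupName

# 4. A member of the group now gets a PSO back instead of an empty result
Get-ADUserResultantPasswordPolicy -Identity adminuser1
```

Run step 1 on its own first: it is read-only and shows whether a PSO already exists that you should reuse rather than duplicate. Step 2 is the only part that writes to the directory, and New-ADFineGrainedPasswordPolicy supports -WhatIf if you want to rehearse it.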


In this scenario, where Get-ADUserResultantPasswordPolicy returns empty or no results, the default password policy of the Active Directory domain is enforced. I will now verify the default password policy in my current domain.

Get-ADDefaultDomainPasswordPolicy

When you run this command, it returns various properties of the default domain password policy, such as:

  • ComplexityEnabled: Indicates whether password complexity requirements are enabled.
  • LockoutDuration: The duration for which an account remains locked after reaching the specified number of failed login attempts.
  • LockoutObservationWindow: The time window in which consecutive failed login attempts are counted towards the lockout threshold.
  • LockoutThreshold: The number of failed login attempts that will trigger an account lockout.
  • MaxPasswordAge: The maximum age of a password before it must be changed.
  • MinPasswordAge: The minimum age of a password before it can be changed.
  • MinPasswordLength: The minimum number of characters required in the password.
  • PasswordHistoryCount: The number of unique new passwords a user must use before an old password can be reused.
For example:

ComplexityEnabled           : True
DistinguishedName           : DC=internal,DC=external,DC=org
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 6
MaxPasswordAge              : 90.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 8
objectClass                 : {domainDNS}
objectGuid                  : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
PasswordHistoryCount        : 8
ReversibleEncryptionEnabled : False


To get the default policy in a different AD domain than the one you are currently logged into, point the cmdlet at that domain (or at one of its domain controllers) with -Server, adding -Credential if your current account is not trusted there:

Get-ADDefaultDomainPasswordPolicy -Server RemoteADDomain
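The steps above (module check, resultant policy lookup, fall back to the default domain policy) combined into one function, as an added example that is not code from the original post. It also reports the account's PasswordLastSet, lockout and expiry state, which is usually what you actually need when chasing a failed SQL login. The function name Get-EffectivePasswordPolicy and the account name 'aduser1' are my own placeholders.

```powershell
# Added example (not part of the original post). Assumes the ActiveDirectory
# module and a reachable domain controller; 'aduser1' is a placeholder account.
function Get-EffectivePasswordPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$Server     # optional: a domain or DC name, passed through as -Server
    )

    # -ListAvailable finds the module even if it has not been imported yet
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        throw 'ActiveDirectory module is not installed (install the RSAT AD DS tools).'
    }
    Import-Module ActiveDirectory -ErrorAction Stop

    $common = @{ ErrorAction = 'Stop' }
    if ($Server) { $common.Server = $Server }

    # Unlike an empty policy result, a bad username or missing rights fails loudly here
    $user = Get-ADUser -Identity $Identity @common `
        -Properties PasswordLastSet, PasswordExpired, PasswordNeverExpires, LockedOut

    $pso = Get-ADUserResultantPasswordPolicy -Identity $user @common
    if ($pso) {
        $source = "FGPP '$($pso.Name)' (precedence $($pso.Precedence))"
        $policy = $pso
    } else {
        # No output means no PSO applies directly or via a global security group,
        # so the default domain policy is what is enforced
        $source = 'Default domain policy'
        $policy = Get-ADDefaultDomainPasswordPolicy @common
    }

    # MaxPasswordAge of 00:00:00 means passwords never expire under this policy
    $expiresOn = $null
    if ($user.PasswordLastSet -and -not $user.PasswordNeverExpires -and
        $policy.MaxPasswordAge -ne [TimeSpan]::Zero) {
        $expiresOn = $user.PasswordLastSet + $policy.MaxPasswordAge
    }

    [pscustomobject]@{
        User                 = $user.SamAccountName
        PolicySource         = $source
        MinPasswordLength    = $policy.MinPasswordLength
        ComplexityEnabled    = $policy.ComplexityEnabled
        MaxPasswordAge       = $policy.MaxPasswordAge
        PasswordHistoryCount = $policy.PasswordHistoryCount
        LockoutThreshold     = $policy.LockoutThreshold
        LockoutDuration      = $policy.LockoutDuration
        PasswordLastSet      = $user.PasswordLastSet
        PasswordExpiresOn    = $expiresOn
        PasswordExpired      = $user.PasswordExpired
        LockedOut            = $user.LockedOut
    }
}

# Usage (placeholder account; add -Server to query another domain)
Get-EffectivePasswordPolicy -Identity aduser1 | Format-List
```

PolicySource tells you at a glance whether the empty Get-ADUserResultantPasswordPolicy result is in play for this account, and the last three fields are the ones that most often explain a "login failed" from SQL Server when the SQL-side login itself is fine.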

And, if you are curious what all these values mean, the Set-ADDefaultDomainPasswordPolicy reference in the Microsoft documentation describes each property and its valid range:


https://learn.microsoft.com/en-us/powershell/module/activedirectory/set-addefaultdomainpasswordpolicy

