Note that when capturing the Windows PowerShell used for an action in the Active
Directory Administrative Center, a verbose version of the command is captured. You can use the
New-ADFineGrainedPasswordPolicy cmdlet by setting only the items you want to change from
the Default Domain Policy. So, for example, you could create a new “Domain Admins Policy”
with the following command:
New-ADFineGrainedPasswordPolicy `
-Name "Domain Admins Policy" `
-MinPasswordLength 10 `
-Precedence 20 `
-LockoutThreshold 5
If you want to use an existing PSO as a template for a new policy, use
Get-ADFineGrainedPasswordPolicy and pipe it to New-ADFineGrainedPasswordPolicy.
Applying a PSO
After you have a PSO, you can apply it to sets of users as appropriate. For example, I
created a Domain Admins Policy previously, but creating the PSO doesn't actually apply
it to Domain Admins. For that you have to use the Active Directory Administrative Center
or the Add-ADFineGrainedPasswordPolicySubject cmdlet.
To add a group to an existing PSO, follow these steps:
1. Open the Active Directory Administrative Center and select Domain (Local) in the left
pane.
2. Navigate to the container or OU where the group resides and then double-click the
container or OU.
3. Select the group in the details pane and then click Properties in the Tasks pane to open
the page for the group.
4. Click Password Settings in the left pane, as shown in Figure 5-29, and then click Assign.
5. Click Assign to open the Select Password Settings Object dialog box and enter the PSO
to assign to the group, or click Advanced to search for the PSO.
6. Click OK and then click OK again to add the PSO to the group.
To add a policy called “Domain Users Policy” to the global security group “Domain Users”,
use the following command:
Add-ADFineGrainedPasswordPolicySubject `
-Subjects "Domain Users" `
-Identity (Get-ADFineGrainedPasswordPolicy `
-Filter {name -eq "Domain Users Policy" }).DistinguishedName
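To confirm that an assignment took effect, the following added example (not from the original text) links the "Domain Admins Policy" PSO created earlier to Domain Admins if it is not already a subject, then reports the resultant PSO for each user in the group. It assumes the ActiveDirectory module, a session with rights to read and modify PSOs, and that an empty result from Get-ADUserResultantPasswordPolicy means the Default Domain Policy applies.

```powershell
# Added example: needs the ActiveDirectory module and a domain-connected session.
Import-Module ActiveDirectory

$PsoName   = 'Domain Admins Policy'   # PSO created earlier on this page
$GroupName = 'Domain Admins'          # group the PSO is meant to cover

$pso = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'"
if (-not $pso) { throw "PSO '$PsoName' not found." }

# Link the PSO to the group only if it is not already a subject.
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $pso
if ($subjects.Name -notcontains $GroupName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $GroupName
}

# Report the PSO that actually wins for every user in the group.
# -Recursive enumerates users that are members through nested groups.
$report = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_.distinguishedName
        [pscustomobject]@{
            User         = $_.SamAccountName
            EffectivePso = if ($effective) { $effective.Name } else { '(Default Domain Policy)' }
            Precedence   = $effective.Precedence
            MinLength    = $effective.MinPasswordLength
            Lockout      = $effective.LockoutThreshold
            Matches      = ($effective.Name -eq $PsoName)
        }
    }

# Mismatches sort first so accounts not covered by the intended PSO stand out.
$report | Sort-Object Matches, User | Format-Table -AutoSize
```

A row where Matches is False and another PSO is named means that PSO wins for the account, either because it has a lower precedence value or because it is linked directly to the user.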
 