Modify an AD fine-grained password policy.
Syntax
Set-ADFineGrainedPasswordPolicy [-Identity] ADFineGrainedPasswordPolicy
[-Add hashtable] [-Clear string[]] [-ComplexityEnabled bool]
[-Description string] [-DisplayName string] [-LockoutDuration TimeSpan]
[-LockoutObservationWindow TimeSpan] [-LockoutThreshold int]
[-MaxPasswordAge TimeSpan] [-MinPasswordAge TimeSpan]
[-MinPasswordLength int] [-PasswordHistoryCount int]
[-Precedence int] [-ProtectedFromAccidentalDeletion bool]
[-Remove hashtable] [-Replace hashtable]
[-ReversibleEncryptionEnabled bool]
[-AuthType {Negotiate | Basic}]
[-Credential PSCredential] [-PassThru] [-Server string]
[-Confirm] [-WhatIf] [CommonParameters]
Set-ADFineGrainedPasswordPolicy -Instance ADFineGrainedPasswordPolicy
[-AuthType {Negotiate | Basic}] [-Credential PSCredential]
[-PassThru] [-Server string] [-Confirm] [-WhatIf] [CommonParameters]
Key
-Add hashtable
Specify values to add to an object property.
Use this parameter to add one or more values to a property that cannot be modified
using a cmdlet parameter. To modify an object property, you must use the LDAP display name.
Specify multiple values to a property by specifying a comma-separated list of values
and more than one property by separating them using a semicolon.
The format for this parameter is
-Add @{Attribute1LDAPDisplayName=value1, value2, ...;
Attribute2LDAPDisplayName=value1, value2, ...; AttributeNLDAPDisplayName=value1, value2, ...}
For example, to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333
" to Phone-Office-Other attribute (LDAP display name 'otherTelephone'), and add the value "555-222-9999" to Pho
ne-Mobile-Other (LDAP display name 'otherMobile'), set the Add and Remove parameters as follows.
-Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999' } -Remove @{otherTelephone='
555-222-2222'}
When you use the -Add, -Remove, -Replace and -Clear parameters together, the operations will be
performed in the order: Remove, then Add, then Replace, then clear.
-AuthType {Negotiate | Basic}
The authentication method to use: Negotiate (or 0), Basic (or 1)
A Secure Sockets Layer (SSL) connection is required for Basic authentication.
-Clear string[]
An array of object properties that will be cleared in the directory.
Use this parameter to clear one or more values of a property that cannot be modified
using a cmdlet parameter. To modify an object property, you must use the LDAP display name.
Modify more than one property by specifying a comma-separated list.
The format for this parameter is
-Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName
For example, to clear the value for the Phone-Office-Other attribute
(LDAP display name 'otherTelephone') set the Clear parameter as follows.
-Clear otherTelephone
-ComplexityEnabled <System.Nullable[bool]>
Whether password complexity is enabled for the password policy.
If enabled, the password must contain two of the following three character types:
Uppercase characters (A, B, C, D, E, ...)
Lowercase characters (a, b, c, d, e, ...)
Numerals (0, 1, 2, 3, ...)
Values: $false or 0, $true or 1
-Credential PSCredential
A user account that has permission to perform this action.
The default is the current user unless the cmdlet is run from an AD PowerShell provider drive
in which case the account associated with the drive is the default.
"User64" or "Domain01\User64" or a PSCredential object.
-Description string
A description of the object.
The LDAP Display Name for this property is "description".
-DisplayName string
The display name of the object.
The LDAP Display Name for this property is "displayName".
-Identity ADFineGrainedPasswordPolicy
Specify an AD fine-grained password policy object by providing one of the following values.
(The identifier in parentheses is the LDAP display name for the attribute.)
Distinguished Name
Example: CN=Strict Password Policy,CN=Password Settings Container,CN=System,DC=SS64,DC=com
GUID (objectGUID)
Example: 599c4d2e-f72d-4d20-8a78-030d69495f20
Security Identifier (objectSid)
Example: S-1-5-21-5165297888-301467370-576410423-1803
Security Accounts Manager (SAM) Account Name (sAMAccountName)
Example: PasswordPolicyLevel1
The cmdlet searches the default naming context or partition to find the object.
If two or more objects are found, the cmdlet returns a non-terminating error.
This parameter can also get this object through the pipeline or you can set this
parameter to an object instance.
-Instance ADFineGrainedPasswordPolicy
An instance of a fine-grained password policy object to use to update the actual AD
fine-grained password policy object.
When this parameter is used, any modifications made to the modified copy
of the object are also made to the corresponding Active Directory object.
The cmdlet only updates the object properties that have changed.
The Instance parameter can only update fine-grained password policy objects that have
been retrieved by using Get-ADFineGrainedPasswordPolicy.
When you specify the Instance parameter, you cannot specify other parameters that
set properties on the object.
The following is an example of how to use Get-ADFineGrainedPasswordPolicy to
retrieve, modify and save an instance of the ADFineGrainedPasswordPolicy object.
Step 1: Retrieve a local instance of the object.
$fgPwPolicyInstance = Get-ADFineGrainedPasswordPolicy -Identity PasswordPolicyLevel2
Step 2: Modify one or more properties of the object instance.
$fgPwPolicyInstance.Precedence = 250
Step3: Save the changes
Set-ADFineGrainedPasswordPolicy -Instance $fgPwPolicyInstance
-LockoutDuration TimeSpan
The length of time that an account is locked after the number of failed login attempts
exceeds the lockout threshold. You cannot login to an account that is locked until the
lockout duration time period has expired.
The LDAP display name for lockoutDuration is "msDS-LockoutDuration".
The lockout duration must be greater than or equal to the lockout observation time
for a password policy. Use the LockOutObservationWindow parameter to set the lockout observation time.
Time interval format:
[-]D.H:M:S.F
where:
D = Days (0 to 10675199)
H = Hours (0 to 23)
M = Minutes (0 to 59)
S = Seconds (0 to 59)
F= Fractions of a second (0 to 9999999)
Examples:
Set the time to 2 days
-LockoutDuration "2"
Set the time to 4 hours
-LockoutDuration "4:00"
Set the time to 5 minutes
-LockoutDuration "0:5"
Set the time to 45 seconds
LockoutDuration "0:0:45"
-LockoutObservationWindow TimeSpan
The maximum time interval between two unsuccessful login attempts before the number
of unsuccessful login attempts is reset to 0.
An account is locked when the number of unsuccessful login attempts exceeds the password
policy lockout threshold.
The LDAP Display Name of this property is "msDS-lockoutObservationWindow".
The lockout observation window must be smaller than or equal to the lockout duration for a
password policy. Use the LockoutDuration parameter to set the lockout duration time.
Time interval format:
[-]D.H:M:S.F
where:
D = Days (0 to 10675199)
H = Hours (0 to 23)
M = Minutes (0 to 59)
S = Seconds (0 to 59)
F= Fractions of a second (0 to 9999999)
Note: Time values must be between the following values: 0:0:0:0.0 and 10675199:02:48:05.4775807.
Examples:
Set the time to 2 days
-LockoutObservationWindow "2"
Set the time to 4 hours
-LockoutObservationWindow "4:00"
Set the time to 5 minutes
-LockoutObservationWindow "0:5"
Set the time to 45 seconds
-LockoutObservationWindow "0:0:45"
-LockoutThreshold int
The number of unsuccessful login attempts that are permitted before an
account is locked out. This number increases when the time between
unsuccessful login attempts is less than the time specified for the
lockout observation time window.
-MaxPasswordAge TimeSpan
The maximum length of time that you can have the same password.
After this time period, the password expires and you must create a new one.
The LDAP Display Name for this property is "maxPwdAge".
Time interval format:
[-]D.H:M:S.F
where:
[-] = Specifies a negative time interval
D = Days (0 to 10675199)
H = Hours (0 to 23)
M = Minutes (0 to 59)
S = Seconds (0 to 59)
F= Fractions of a second (0 to 9999999)
Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807
Examples:
Set the time span to 2 days
MaxPasswordAge "2"
Set the time span to the previous 2 days
MaxPasswordAge "-2"
Set the time span to 4 hours
MaxPasswordAge "4:00"
Set the time span to 5 minutes
MaxPasswordAge "0:5"
Set the time span to 45 seconds
MaxPasswordAge "0:0:45"
-MinPasswordAge TimeSpan
The minimum length of time before you can change a password.
The LDAP Display Name for this property is "minPwdAge".
Time interval format:
[-]D.H:M:S.F
where:
[-] = Specifies a negative time interval
D = Days (0 to 10675199)
H = Hours (0 to 23)
M = Minutes (0 to 59)
S = Seconds (0 to 59)
F= Fractions of a second (0 to 9999999)
Note: Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807.
Examples
Set the time span to 2 days
-MinPasswordAge "2"
Set the time span to 4 hours
-MinPasswordAge "4:00"
Set the time span to 5 minutes
-MinPasswordAge "0:5"
Set the time span to 45 seconds
-MinPasswordAge "0:0:45"
-MinPasswordLength int
The minimum number of characters that a password must contain.
-PassThru
Returns the new or modified object.
By default (i.e. if -PassThru is not specified), this cmdlet does not
generate any output.
-PasswordHistoryCount int
The number of previous passwords to save.
A user cannot reuse a password in the list of saved passwords.
This parameter sets the PasswordHistoryCount property for a password policy.
-Precedence int
A value that defines the precedence of a fine-grained password policy among
all fine-grained password policies.
The LDAP display name for this property is "msDS-PasswordSettingsPrecedence".
This value determines which password policy to use when more than one password policy
applies to a user or group. When there is a conflict, the password policy that has
the lower Precedence property value has higher priority.
Typically, password policy precedence values are assigned in multiples of 10 or 100,
making it easier to add policies at a later time.
If the specified Precedence parameter is already assigned to another password policy object,
the cmdlet returns a terminating error.
-ProtectedFromAccidentalDeletion bool
Whether to prevent the object from being deleted.
When this property is set to true, you cannot delete the corresponding object without
first changing the value of this property.
Possible values: $false or 0, $true or 1
-Remove hashtable
Remove values of an object property.
Use this parameter to remove one or more values of a property that cannot be modified
using a cmdlet parameter. To remove an object property, you must use the LDAP display name.
You can remove more than one property by specifying a semicolon-separated list.
The format for this parameter is
-Remove @{Attribute1LDAPDisplayName=value[]; Attribute2LDAPDisplayName=value[]}
For example, to add the values blue and green and remove the value pink from a property with a LDAP
display name of FavColors, set the Add and Remove parameters as follows.
-Add @{FavColors=Blue,Green} -Remove {FavColors=Pink}
-Replace hashtable
Specify values for an object property that will replace the current values.
Use this parameter to replace one or more values of a property that cannot be modified
using a cmdlet parameter. To modify an object property, you must use the LDAP display name.
You can modify more than one property by specifying a comma-separated list.
The format for this parameter is
-Replace @{Attribute1LDAPDisplayName=value[], Attribute2LDAPDisplayName=value[]}
-ReversibleEncryptionEnabled bool
Whether the directory must store passwords using reversible encryption.
Possible values: $false or 0, $true or 1
-Server string
The AD Domain Services instance to connect to, this may be a Fully qualified domain name,
NetBIOS name, Fully qualified directory server name (with or without port number) or AD Snapshot instance.
Examples: demo.SS64.com demo demoDC02.demo.ss64.com demoDC02.demo.ss64.com:3268
-Confirm
Prompt for confirmation before executing the command.
-WhatIf
Describe what would happen if you executed the command, without actually executing the command.
CommonParameters:
-Verbose, -Debug, -ErrorAction, -ErrorVariable, -WarningAction, -WarningVariable,
-OutBuffer -OutVariable.
Set-ADFineGrainedPasswordPolicy modifies the properties of an AD fine grained password policy. You can modify commonly used property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the -Add, -Replace, -Clear and -Remove parameters.
The -Identity parameter specifies the AD fine grained password policy to modify. Identify a fine grained password policy by its distinguished name (DN), GUID or name. Alternatively set the -Identity parameter to an object variable or through the pipeline. For example, with Get-adFineGrainedPasswordPolicy
The -Instance parameter provides a way to update a fine grained password policy object by applying the changes made
to a copy of the object. When a copy of an AD fine grained password
policy object has been modified, Set-ADFineGrainedPasswordPolicy may be used to save the changes back to the original object. To get a copy of the object to modify, use Get-adFineGrainedPasswordPolicy.
The -Identity parameter is not allowed when you use the -Instance parameter. For more information see help about_ActiveDirectory_Instance
Examples
Set the MinPasswordLength property on the FineGrainedPasswordPolicy object with DistinguishedName CN=MyPolicy,CN=Password Settings Container,CN=System,DC=ss64,DC=com.:
PS C:\> Set-ADFineGrainedPasswordPolicy 'CN=MyPolicy,CN=Password Settings Container,CN=System,DC=ss64,DC=com' -MinPasswordLength 12
Update multiple properties on the FineGrainedPasswordPolicy object with name 'MyPolicy':
PS C:\> Set-ADFineGrainedPasswordPolicy MyPolicy -Precedence 100 -LockoutDuration 00:40:00 -LockoutObservationWindow 00:20:00 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -MinPasswordLength 12
Modify the Precedence property for the Level3Policy fine grained password policy by using the PowerShell command line to modify a local instance of the Level3Policyfine grained password policy. Then set the Instance parameter to the local instance.
PS C:\> $FGPwPolicy = Get-ADFineGrainedPasswordPolicy Level3Policy
PS C:\> $FGPwPolicy.Precedence = 150
PS C:\> Set-ADFineGrainedPasswordPolicy -Instance $FGPwPolicy
“I changed all my passwords to 'incorrect'. So my computer just tells me when I forget” ~ Unknown
Related PowerShell Cmdlets:
Get-adFineGrainedPasswordPolicy - Get one or more AD fine-grained password policies.
New-adFineGrainedPasswordPolicy - Create a new AD fine-grained policy.
Remove-adFineGrainedPasswordPolicy - Remove an AD fine-grained password policy.