Create a New Fine-Grained Password Policy
Applies To: Windows Server 2008 R2
This topic explains how to use the Active Directory module for Windows PowerShell to create a new fine-grained password policy.
Example 1
The following example demonstrates how to create a new fine-grained password policy for the domain users in the Fabrikam.com domain:
New-ADFineGrainedPasswordPolicy -Name "DomainUsersPSO" -Precedence 500 -ComplexityEnabled $true -Description "The Domain Users Password Policy"-DisplayName "Domain Users PSO" -LockoutDuration "0.12:00:00" -LockoutObservationWindow "0.00:15:00" -LockoutThreshold 10 -MaxPasswordAge "60.00:00:00" -MinPasswordAge "1.00:00:00" -MinPasswordLength 8 -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false
Example 2
The following example is a sample script that demonstrates how to create a new fine-grained password policy from a template:
$templatePSO = New-Object Microsoft.ActiveDirectory.Management.Commands.ADFineGrainedPasswordPolicy
$templatePSO.ComplexityEnabled = $true
$templatePSO.LockoutDuration = [TimeSpan]::Parse("0.12:00:00")
$templatePSO.LockoutObservationWindow = [TimeSpan]::Parse("0.00:15:00")
$templatePSO.LockoutObservationWindow = [TimeSpan]::Parse("0.00:15:00")
$templatePSO.LockoutThreshold = 10
$templatePSO.MinPasswordAge = [TimeSpan]::Parse("0.00:10:00")
$templatePSO.PasswordHistoryCount = 24
$templatePSO.ReversibleEncryptionEnabled = $false
New-ADFineGrainedPasswordPolicy -Instance $templatePSO -Name "SvcAccPSO" -Precedence 100 -Description "The Service Accounts Password Policy" -DisplayName "Service Accounts PSO" -MaxPasswordAge "30.00:00:00" -MinPasswordLength 20
New-ADFineGrainedPasswordPolicy -Instance $templatePSO -Name "AdminsPSO" -Precedence 200 -Description "The Domain Administrators Password Policy" -DisplayName "Domain Administrators PSO" -MaxPasswordAge "15.00:00:00" -MinPasswordLength 10
Additional information
You can use the following parameters when you set many of the common values that are associated with the creation of a new fine-grained password policy:
-ComplexityEnabled
-Description
-DisplayName
-LockoutDuration
-LockoutObservationWindow
-LockoutThreshold
-MaxPasswordAge
-MinPasswordAge
-MinPasswordLength
-PasswordHistoryCount
-ReversibleEncryptionEnabled
For a full explanation of the parameters that you can pass to New-ADFineGrainedPasswordPolicy, at the Active Directory module command prompt, type Get-Help New-ADFineGrainedPasswordPolicy –detailed, and then press ENTER.