Domain Password Policy


You can read the password policy of your domain by looking at a few specific attributes stored on the domain object itself.

To query the domain object, you need its DistinguishedName. This is the defaultNamingContext of the root DSE.

Current Domain DistinguishedName

To get the current domain DistinguishedName, run the Get-ADRootDSE cmdlet and look at the defaultNamingContext property of the object it returns. That value is what we need for the next step.

Domain Password Policy

Once you have the DistinguishedName of the current default naming context, you can query it for the specific attributes that hold the policy:

Get-ADObject (Get-ADRootDSE).defaultNamingContext -Properties lockoutDuration,lockOutObservationWindow,lockoutThreshold,maxPwdAge,minPwdAge,pwdHistoryLength,pwdProperties | % {
    # Durations are stored as negative Int64 counts of 100-nanosecond ticks,
    # so the TimeSpan is negated to show a positive value.
    # Caveat: a maxPwdAge of [long]::MinValue means "passwords never expire" and cannot be negated.
    [PSCustomObject]@{
        DomainName               = $_.Name
        lockoutDuration          = -[TimeSpan]$_.lockoutDuration
        lockOutObservationWindow = -[TimeSpan]$_.lockOutObservationWindow
        lockoutThreshold         = $_.lockoutThreshold
        maxPwdAge                = -[TimeSpan]$_.maxPwdAge
        minPwdAge                = -[TimeSpan]$_.minPwdAge
        pwdHistoryLength         = $_.pwdHistoryLength
        pwdProperties            = $_.pwdProperties   # bitmask: 1 = complexity required, 16 = reversible encryption
    }
}

This shows the default domain password policy, the one defined at the domain level. Keep in mind that fine-grained password policies (PSOs) applied to specific users or groups override it; Get-ADUserResultantPasswordPolicy shows what actually applies to a given account. Get-ADDefaultDomainPasswordPolicy returns the same domain-level settings already converted, and is a good cross-check for the raw attribute values read here.

Note : You can do the same for a remote domain. Pass the -Server parameter to Get-ADRootDSE to get the DistinguishedName of the remote domain, then pass the same -Server value to Get-ADObject to read the password policy from that domain.
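The procedure above, as an added example that is not code from the original post: it reads the same attributes from the domain object, converts the tick intervals while handling the "never expires" sentinel, decodes the pwdProperties bitmask into flag names, and then compares the result against a hypothetical hardening baseline (the thresholds are assumptions for illustration, not a standard the post defines). The function and variable names are my own. It requires the ActiveDirectory module; pass -Server to target another domain.

```powershell
# Added example, not from the original post. Reads the default domain password policy
# from the domain object, decodes pwdProperties, and checks it against an assumed baseline.
Import-Module ActiveDirectory

# Bit values of the pwdProperties attribute (DOMAIN_PASSWORD_INFORMATION flags).
$PwdPropertyFlags = @{
    1  = 'DOMAIN_PASSWORD_COMPLEX'
    2  = 'DOMAIN_PASSWORD_NO_ANON_CHANGE'
    4  = 'DOMAIN_PASSWORD_NO_CLEAR_CHANGE'
    8  = 'DOMAIN_LOCKOUT_ADMINS'
    16 = 'DOMAIN_PASSWORD_STORE_CLEARTEXT'
    32 = 'DOMAIN_REFUSE_PASSWORD_CHANGE'
}

# AD stores these durations as negative Int64 counts of 100-nanosecond ticks.
# [long]::MinValue means "never" (e.g. passwords never expire); negating it would
# overflow, so it is mapped to $null instead.
function ConvertFrom-AdInterval {
    param([long]$Ticks)
    if ($Ticks -eq [long]::MinValue) { return $null }
    return [TimeSpan]::FromTicks(-$Ticks)
}

function Get-DomainPasswordPolicyReport {
    param([string]$Server)
    $adArgs = @{}
    if ($Server) { $adArgs['Server'] = $Server }   # same -Server for RootDSE and the object query

    $dn = (Get-ADRootDSE @adArgs).defaultNamingContext
    $props = 'lockoutDuration','lockOutObservationWindow','lockoutThreshold','maxPwdAge','minPwdAge','minPwdLength','pwdHistoryLength','pwdProperties'
    $domain = Get-ADObject @adArgs -Identity $dn -Properties $props

    # Turn the bitmask into the list of flag names that are set.
    $setFlags = foreach ($bit in ($PwdPropertyFlags.Keys | Sort-Object)) {
        if (($domain.pwdProperties -band $bit) -ne 0) { $PwdPropertyFlags[$bit] }
    }

    [PSCustomObject]@{
        DomainDN                 = $dn
        lockoutDuration          = ConvertFrom-AdInterval $domain.lockoutDuration
        lockOutObservationWindow = ConvertFrom-AdInterval $domain.lockOutObservationWindow
        lockoutThreshold         = $domain.lockoutThreshold
        maxPwdAge                = ConvertFrom-AdInterval $domain.maxPwdAge   # $null = never expires
        minPwdAge                = ConvertFrom-AdInterval $domain.minPwdAge
        minPwdLength             = $domain.minPwdLength
        pwdHistoryLength         = $domain.pwdHistoryLength
        pwdProperties            = $domain.pwdProperties
        pwdPropertyFlags         = ($setFlags -join ', ')
    }
}

function Test-DomainPasswordPolicy {
    param($Policy)
    # Hypothetical baseline chosen for this example; adjust to your own standard.
    $findings = @()
    if ($Policy.minPwdLength -lt 14)            { $findings += "minPwdLength is $($Policy.minPwdLength), below 14" }
    if ($Policy.pwdHistoryLength -lt 24)        { $findings += "pwdHistoryLength is $($Policy.pwdHistoryLength), below 24" }
    if (($Policy.pwdProperties -band 1) -eq 0)  { $findings += 'complexity requirement (DOMAIN_PASSWORD_COMPLEX) is off' }
    if (($Policy.pwdProperties -band 16) -ne 0) { $findings += 'reversible encryption (DOMAIN_PASSWORD_STORE_CLEARTEXT) is on' }
    if ($Policy.lockoutThreshold -eq 0)         { $findings += 'account lockout is disabled (lockoutThreshold = 0)' }
    if ($null -eq $Policy.maxPwdAge)            { $findings += 'maxPwdAge is set to never expire' }
    return $findings
}

# Usage: current domain. Add -Server 'dc01.other.example' to read a remote domain.
$policy = Get-DomainPasswordPolicyReport
$policy | Format-List
$findings = Test-DomainPasswordPolicy -Policy $policy
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No findings against the baseline.' }
```

The report reflects only the domain-level policy. Accounts covered by a fine-grained password policy (PSO) get different values, so an account-level review should use Get-ADUserResultantPasswordPolicy rather than this object. Comparing the converted values with Get-ADDefaultDomainPasswordPolicy is a quick sanity check that the tick conversion is right.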
