xactivedirectory/xAddomaindefaultpasswordpolicy


This topic contains 5 replies, has 3 voices, and was last updated by Arie H 5 months ago.

Viewing 6 posts - 1 through 6 (of 6 total)
  • #38058
    John Bryant
    Participant

    I have the following DSC config I am testing. Everything seems to work, except when I view the policy in AD the min password age and max password age are set to 0. If I manually change the policy to 1 for minimum and 60 for maximum and run the DSC config again, it says it's out of policy and sets them back to 0. All other settings apply as expected. I currently run this on a single-domain, single-DC test lab machine.

    configuration PasswordPolicyConfig
    {
        Param
        (
            [parameter(Mandatory = $true)]
            [System.String]
            $DomainName
           
        )
    
        Import-DscResource -Module xActiveDirectory
    
        Node localhost
        {
            xADDomainDefaultPasswordPolicy 'DefaultPasswordPolicy'
            {
               DomainName = $DomainName
               ComplexityEnabled = $True
               MinPasswordLength = "14"
               LockoutDuration = "60"
               LockoutObservationWindow = "60"
               LockoutThreshold = "3"
               MinPasswordAge = '1'
               MaxPasswordAge = '60'
               PasswordHistoryCount = "24"
               ReversibleEncryptionEnabled = $false
    
            }
        }
    }
    
    PasswordPolicyConfig -DomainName 'test2.net'
    
    Start-DscConfiguration -Path .\PasswordPolicyConfig -Wait -Verbose
    
    
    #38073
    Missy Januszko
    Participant

    Nowhere to test this answer at the moment, but have you tried putting those two settings in minutes? i.e.
    MinPasswordAge = '1440'
    MaxPasswordAge = '86400'
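
The configuration from the question with the age values converted from days to minutes and a read-back check against AD, as an added example that is not part of any post in this thread. It assumes, as the reply above suggests, that `MinPasswordAge` and `MaxPasswordAge` are taken in minutes; the `-MinPasswordAgeDays` and `-MaxPasswordAgeDays` parameters are hypothetical names introduced here, and the read-back needs the ActiveDirectory module.

```powershell
# Added example (not from the thread): policy ages are declared in days and
# converted to minutes, the unit assumed for MinPasswordAge/MaxPasswordAge.
configuration PasswordPolicyConfig
{
    Param
    (
        [Parameter(Mandatory = $true)] [System.String] $DomainName,
        [System.UInt32] $MinPasswordAgeDays = 1,    # hypothetical parameter
        [System.UInt32] $MaxPasswordAgeDays = 60    # hypothetical parameter
    )

    Import-DscResource -ModuleName xActiveDirectory

    # Convert once, at compile time, so the generated MOF carries minutes.
    $minAgeMinutes = [System.UInt32](New-TimeSpan -Days $MinPasswordAgeDays).TotalMinutes
    $maxAgeMinutes = [System.UInt32](New-TimeSpan -Days $MaxPasswordAgeDays).TotalMinutes

    Node localhost
    {
        xADDomainDefaultPasswordPolicy 'DefaultPasswordPolicy'
        {
            DomainName                  = $DomainName
            ComplexityEnabled           = $true
            MinPasswordLength           = 14
            LockoutDuration             = 60
            LockoutObservationWindow    = 60
            LockoutThreshold            = 3
            MinPasswordAge              = $minAgeMinutes
            MaxPasswordAge              = $maxAgeMinutes
            PasswordHistoryCount        = 24
            ReversibleEncryptionEnabled = $false
        }
    }
}

PasswordPolicyConfig -DomainName 'test2.net'
Start-DscConfiguration -Path .\PasswordPolicyConfig -Wait -Verbose

# Read the policy back from AD; the cmdlet returns the ages as TimeSpan values,
# so comparing in days catches a unit mix-up that silently weakens the policy.
$policy = Get-ADDefaultDomainPasswordPolicy -Identity 'test2.net'
if ($policy.MinPasswordAge.TotalDays -ne 1 -or $policy.MaxPasswordAge.TotalDays -ne 60)
{
    throw "Password age drift: min=$($policy.MinPasswordAge) max=$($policy.MaxPasswordAge)"
}
```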

    #38074
    John Bryant
    Participant

    Ha, thanks.. guess I assumed those were in days.

    #38099
    Arie H
    Participant

    It pays to read manuals before "blowing" stuff up 😉

    https://github.com/PowerShell/xActiveDirectory

    #38101
    John Bryant
    Participant

    Wow Arie you giggle a little when you posted that. Couldn't pass up an opportunity to be a smart ass? It does pay to read, just like reading this post; most people would look at it and realize it's answered and no further comments are needed, but not you.

    #38219
    Arie H
    Participant

    Okies, point taken. Humor and winking is subjective 😉 (see what I did there ?)
    Props to Missy on her answer.

    Now here's the other side of the mirror.

    You got a fish.
    I gave you a Fishing rod.
    Didn't say fishing was a joyful thing (it is actually), nor that the fish you'll catch will taste good when you eat it..
    But which would get your belly full for longer period ?

    Might not have been the nicest of my replies along the many years, I agree, and for that I'm sorry. Need to work on my 'Improve fishing skills'.

    BUT... There's always a but.

    You might not see it, but we're always but a press of a button away from causing harm to systems. Just last week there was a story about someone who managed to wipe out a good chunk of his network because of one line of code.

    Not saying it's a mission critical thing, as Don mentioned in his recent summit video, nothing is unless you work for a hospital. Yet the bare minimum I would expect from people working in IT and learning to use PowerShell is to read the material so freely available out of their own curiosity first. You are using a module created by someone else and trusting it, I'd say the minimum would be to read the documentation that someone worked hard to write just to make sure you didn't accidentally "blow" stuff up.

    So yes, I sometimes feel sort of 'Responsibility' over people I don't know as I want to make sure they get the proper tools of handling their job, and not be a "Copy-Paste" type of Devs\IT. I always care too much, for better or worse, that's sometimes a good quality and a flaw.

    Hope this clears things, and thank you for your time reading this 😉

    Arie
