Author Posts

April 20, 2016 at 7:37 am

I have the following DSC Config i am testing. Everything seems to work except when I view the policy in AD the min password age and max password age are set to 0. If I manually change the policy to 1 for minimum and 60 for maximum and run the DSC config again it says its out of policy and sets them back to 0. All other settings apply as expected. I currently run this on a single domain single DC test lab machine.

configuration PasswordPolicyConfig
{
    Param
    (
        [parameter(Mandatory = $true)]
        [System.String]
        $DomainName
       
    )

    Import-DscResource -Module xActiveDirectory

    Node localhost
    {
        xADDomainDefaultPasswordPolicy 'DefaultPasswordPolicy'
        {
           DomainName = $DomainName
           ComplexityEnabled = $True
           MinPasswordLength = "14"
           LockoutDuration = "60"
           LockoutObservationWindow = "60"
           LockoutThreshold = "3"
           MinPasswordAge = '1'
           MaxPasswordAge = '60'
           PasswordHistoryCount = "24"
           ReversibleEncryptionEnabled = $false

        }
    }
}

PasswordPolicyConfig -DomainName 'test2.net'

Start-DscConfiguration -Path .\PasswordPolicyConfig -Wait -Verbose

April 20, 2016 at 10:16 am

Nowhere to test this answer at the moment, but have you tried putting those two settings in minutes? i.e.
MinPasswordAge = '1440'
MaxPasswordAge = '86400'

April 20, 2016 at 10:25 am

Ha, thanks.. guess I assumed those were in days.

April 21, 2016 at 2:41 am

It pays to read manuals before "blowing" stuff up 😉

https://github.com/PowerShell/xActiveDirectory

April 21, 2016 at 3:38 am

Wow Arie you giggle a little when you posted that. Couldn't pass up an opportunity to be a smart ass? It does pay to read just like reading this post most people would look at it and realize its answered and no further comments are needed but not you.

April 25, 2016 at 10:14 am

Okies, point taken. Humor and winking is subjective 😉 (see what I did there ?)
Props to Missy on her answer.

Now here's the other side of the mirror.

You got a fish.
I gave you a Fishing rod.
Didn't say fishing was a joyful thing (it is actually), nor that the fish you'll catch will taste good when you eat it..
But which would get your belly full for longer period ?

Might not have been the nicest of my replies along the many years, i agree, and for that I'm sorry. Need to work on my 'Improve fishing skills'.

BUT...Theres always a but.

You might not see it, but were always but a press of a button away from causing harm to systems. Just last week there was a story about someone who managed to wipe out a good chunk of his network because of one line of code.

Not saying its a mission critical thing, as Don mentioned in his recent summit video, nothing is unless you work for the a hospital. Yet the bare minimum I would expect from people working in IT and learning to use PowerShell is to read the material so freely available out of their own curiosity first. You are using a module created by someone else and trusting it, id say the minimum would be to read the documentation that someone worked hard to write just to make sure you didn't accidently "blow" stuff up.

So yes, I sometimes feel sort of 'Responsibility" over people I dont know as I want to make sure they get the proper tools of handling their job, and not be a "Copy-Paste" type of Devs\IT. I always care too much, for better or worse, that's sometimes a good quality and a flaw.

Hope this clears things, and thank you for your time reading this 😉

Arie