xactivedirectory/xAddomaindefaultpasswordpolicy

This topic contains 5 replies, has 3 voices, and was last updated by  Arie H 1 year, 6 months ago.

  • #38058

    John Bryant
    Participant

    I have the following DSC config I am testing. Everything seems to work except when I view the policy in AD the min password age and max password age are set to 0. If I manually change the policy to 1 for minimum and 60 for maximum and run the DSC config again it says it's out of policy and sets them back to 0. All other settings apply as expected. I currently run this on a single domain, single DC test lab machine.

    configuration PasswordPolicyConfig
    {
        Param
        (
            [parameter(Mandatory = $true)]
            [System.String]
            $DomainName
           
        )
    
        Import-DscResource -Module xActiveDirectory
    
        Node localhost
        {
            xADDomainDefaultPasswordPolicy 'DefaultPasswordPolicy'
            {
               DomainName = $DomainName
               ComplexityEnabled = $True
               MinPasswordLength = "14"
               LockoutDuration = "60"
               LockoutObservationWindow = "60"
               LockoutThreshold = "3"
               MinPasswordAge = '1'
               MaxPasswordAge = '60'
               PasswordHistoryCount = "24"
               ReversibleEncryptionEnabled = $false
    
            }
        }
    }
    
    PasswordPolicyConfig -DomainName 'test2.net'
    
    Start-DscConfiguration -Path .\PasswordPolicyConfig -Wait -Verbose
    
    
  • #38073

    Missy Januszko
    Participant

    Nowhere to test this answer at the moment, but have you tried putting those two settings in minutes? i.e.
    MinPasswordAge = '1440'
    MaxPasswordAge = '86400'
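
An added example, not part of the thread or of the xActiveDirectory project: it states the intended time-based settings as `TimeSpan` values, converts them to the minutes suggested in the answer above, and compares them with what a policy object reports, so a unit mix-up shows up as drift. The function names and the sample object are hypothetical; it assumes the resource takes these settings in minutes and that `Get-ADDefaultDomainPasswordPolicy` returns them as `TimeSpan` values.

```powershell
# Added example; function names, variable names and the sample object are hypothetical.
# Intended values, written in the unit a person actually thinks in.
$intended = [ordered]@{
    MinPasswordAge           = New-TimeSpan -Days 1
    MaxPasswordAge           = New-TimeSpan -Days 60
    LockoutDuration          = New-TimeSpan -Minutes 60
    LockoutObservationWindow = New-TimeSpan -Minutes 60
}

function ConvertTo-DscMinutes {
    # Values for the xADDomainDefaultPasswordPolicy block, as whole minutes.
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Intended)
    $minutes = [ordered]@{}
    foreach ($name in $Intended.Keys) {
        $minutes[$name] = [uint32]$Intended[$name].TotalMinutes
    }
    $minutes
}

function Compare-PasswordPolicy {
    # Emits one object per setting whose effective value differs from the intended one.
    param(
        [Parameter(Mandatory)]$Policy,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Intended
    )
    foreach ($name in $Intended.Keys) {
        $actual = [timespan]$Policy.$name
        if ($actual -ne $Intended[$name]) {
            [pscustomobject]@{ Setting = $name; Intended = $Intended[$name]; Actual = $actual }
        }
    }
}

# Constructed sample: a policy whose ages were entered as 1 and 60 minutes instead of days.
$sample = [pscustomobject]@{
    MinPasswordAge           = New-TimeSpan -Minutes 1
    MaxPasswordAge           = New-TimeSpan -Minutes 60
    LockoutDuration          = New-TimeSpan -Minutes 60
    LockoutObservationWindow = New-TimeSpan -Minutes 60
}

ConvertTo-DscMinutes -Intended $intended
Compare-PasswordPolicy -Policy $sample -Intended $intended | Format-Table -AutoSize

# Against the live domain (requires the ActiveDirectory module), pass the real policy instead:
# Compare-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy -Identity 'test2.net') -Intended $intended
```

An empty result from `Compare-PasswordPolicy` means the effective policy matches the intended durations.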

  • #38074

    John Bryant
    Participant

    Ha, thanks.. guess I assumed those were in days.

  • #38099

    Arie H
    Participant

    It pays to read manuals before "blowing" stuff up 😉

    https://github.com/PowerShell/xActiveDirectory

  • #38101

    John Bryant
    Participant

    Wow Arie you giggle a little when you posted that. Couldn't pass up an opportunity to be a smart ass? It does pay to read, just like reading this post most people would look at it and realize it's answered and no further comments are needed, but not you.

  • #38219

    Arie H
    Participant

    Okies, point taken. Humor and winking is subjective 😉 (see what I did there ?)
    Props to Missy on her answer.

    Now here's the other side of the mirror.

    You got a fish.
    I gave you a Fishing rod.
    Didn't say fishing was a joyful thing (it is actually), nor that the fish you'll catch will taste good when you eat it..
    But which would get your belly full for a longer period?

    Might not have been the nicest of my replies along the many years, I agree, and for that I'm sorry. Need to work on my 'Improve fishing skills'.

    BUT... There's always a but.

    You might not see it, but we're always but a press of a button away from causing harm to systems. Just last week there was a story about someone who managed to wipe out a good chunk of his network because of one line of code.

    Not saying it's a mission critical thing, as Don mentioned in his recent summit video, nothing is unless you work for a hospital. Yet the bare minimum I would expect from people working in IT and learning to use PowerShell is to read the material so freely available out of their own curiosity first. You are using a module created by someone else and trusting it, I'd say the minimum would be to read the documentation that someone worked hard to write just to make sure you didn't accidentally "blow" stuff up.

    So yes, I sometimes feel sort of 'Responsibility' over people I don't know as I want to make sure they get the proper tools of handling their job, and not be a "Copy-Paste" type of Devs\IT. I always care too much, for better or worse, that's sometimes a good quality and a flaw.

    Hope this clears things, and thank you for your time reading this 😉

    Arie
