Welcome Forums DSC (Desired State Configuration) xactivedirectory/xAddomaindefaultpasswordpolicy

This topic contains 5 replies, has 3 voices, and was last updated by

2 years, 7 months ago.

  • Author
  • #38058

    Points: 0
    Rank: Member

    I have the following DSC Config i am testing. Everything seems to work except when I view the policy in AD the min password age and max password age are set to 0. If I manually change the policy to 1 for minimum and 60 for maximum and run the DSC config again it says its out of policy and sets them back to 0. All other settings apply as expected. I currently run this on a single domain single DC test lab machine.

    configuration PasswordPolicyConfig
            [parameter(Mandatory = $true)]
        Import-DscResource -Module xActiveDirectory
        Node localhost
            xADDomainDefaultPasswordPolicy 'DefaultPasswordPolicy'
               DomainName = $DomainName
               ComplexityEnabled = $True
               MinPasswordLength = "14"
               LockoutDuration = "60"
               LockoutObservationWindow = "60"
               LockoutThreshold = "3"
               MinPasswordAge = '1'
               MaxPasswordAge = '60'
               PasswordHistoryCount = "24"
               ReversibleEncryptionEnabled = $false
    PasswordPolicyConfig -DomainName 'test2.net'
    Start-DscConfiguration -Path .\PasswordPolicyConfig -Wait -Verbose
  • #38073

    Points: 62
    Team Member
    Rank: Member

    Nowhere to test this answer at the moment, but have you tried putting those two settings in minutes? i.e.
    MinPasswordAge = '1440'
    MaxPasswordAge = '86400'

  • #38074

    Points: 0
    Rank: Member

    Ha, thanks.. guess I assumed those were in days.

  • #38099

    Points: -19
    Rank: Member

    It pays to read manuals before "blowing" stuff up 😉


  • #38101

    Points: 0
    Rank: Member

    Wow Arie you giggle a little when you posted that. Couldn't pass up an opportunity to be a smart ass? It does pay to read just like reading this post most people would look at it and realize its answered and no further comments are needed but not you.

  • #38219

    Points: -19
    Rank: Member

    Okies, point taken. Humor and winking is subjective 😉 (see what I did there ?)
    Props to Missy on her answer.

    Now here's the other side of the mirror.

    You got a fish.
    I gave you a Fishing rod.
    Didn't say fishing was a joyful thing (it is actually), nor that the fish you'll catch will taste good when you eat it..
    But which would get your belly full for longer period ?

    Might not have been the nicest of my replies along the many years, i agree, and for that I'm sorry. Need to work on my 'Improve fishing skills'.

    BUT...Theres always a but.

    You might not see it, but were always but a press of a button away from causing harm to systems. Just last week there was a story about someone who managed to wipe out a good chunk of his network because of one line of code.

    Not saying its a mission critical thing, as Don mentioned in his recent summit video, nothing is unless you work for the a hospital. Yet the bare minimum I would expect from people working in IT and learning to use PowerShell is to read the material so freely available out of their own curiosity first. You are using a module created by someone else and trusting it, id say the minimum would be to read the documentation that someone worked hard to write just to make sure you didn't accidently "blow" stuff up.

    So yes, I sometimes feel sort of 'Responsibility" over people I dont know as I want to make sure they get the proper tools of handling their job, and not be a "Copy-Paste" type of Devs\IT. I always care too much, for better or worse, that's sometimes a good quality and a flaw.

    Hope this clears things, and thank you for your time reading this 😉


The topic ‘xactivedirectory/xAddomaindefaultpasswordpolicy’ is closed to new replies.