xactivedirectory/xAddomaindefaultpasswordpolicy

This topic contains 5 replies, has 3 voices, and was last updated by Participant 2 years, 7 months ago.

  • #38058

    Participant
    Points: 0
    Rank: Member

    I have the following DSC config I am testing. Everything seems to work, except when I view the policy in AD the min password age and max password age are set to 0. If I manually change the policy to 1 for minimum and 60 for maximum and run the DSC config again, it says it's out of policy and sets them back to 0. All other settings apply as expected. I currently run this on a single-domain, single-DC test lab machine.

    configuration PasswordPolicyConfig
    {
        Param
        (
            [parameter(Mandatory = $true)]
            [System.String]
            $DomainName
           
        )
    
        Import-DscResource -Module xActiveDirectory
    
        Node localhost
        {
            xADDomainDefaultPasswordPolicy 'DefaultPasswordPolicy'
            {
               DomainName = $DomainName
               ComplexityEnabled = $True
               MinPasswordLength = "14"
               LockoutDuration = "60"
               LockoutObservationWindow = "60"
               LockoutThreshold = "3"
               MinPasswordAge = '1'
               MaxPasswordAge = '60'
               PasswordHistoryCount = "24"
               ReversibleEncryptionEnabled = $false
    
            }
        }
    }
    
    PasswordPolicyConfig -DomainName 'test2.net'
    
    Start-DscConfiguration -Path .\PasswordPolicyConfig -Wait -Verbose
    
    
  • #38073

    Participant
    Points: 62
    Team Member
    Rank: Member

    Nowhere to test this answer at the moment, but have you tried putting those two settings in minutes? i.e.
    MinPasswordAge = '1440'
    MaxPasswordAge = '86400'
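
Added example (not code from this thread or from the xActiveDirectory project): the configuration from the question with the age and lockout values stated as TimeSpan objects and converted to minutes, followed by a read-back of what AD stored. It assumes, as the reply above suggests, that the resource takes these properties in minutes, and that the ActiveDirectory module is available for the read-back.

```powershell
configuration PasswordPolicyConfig
{
    Param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $DomainName
    )

    Import-DscResource -ModuleName xActiveDirectory

    # State the intent once in real units, then convert to minutes below,
    # so a days/minutes mix-up cannot silently weaken the policy.
    $minAge  = [TimeSpan]::FromDays(1)
    $maxAge  = [TimeSpan]::FromDays(60)
    $lockout = [TimeSpan]::FromMinutes(60)

    Node localhost
    {
        xADDomainDefaultPasswordPolicy 'DefaultPasswordPolicy'
        {
            DomainName                  = $DomainName
            ComplexityEnabled           = $true
            MinPasswordLength           = 14
            LockoutDuration             = [uint32]$lockout.TotalMinutes
            LockoutObservationWindow    = [uint32]$lockout.TotalMinutes
            LockoutThreshold            = 3
            MinPasswordAge              = [uint32]$minAge.TotalMinutes
            MaxPasswordAge              = [uint32]$maxAge.TotalMinutes
            PasswordHistoryCount        = 24
            ReversibleEncryptionEnabled = $false
        }
    }
}

PasswordPolicyConfig -DomainName 'test2.net'
Start-DscConfiguration -Path .\PasswordPolicyConfig -Wait -Verbose

# Read back the stored policy; AD returns these properties as TimeSpan values.
$policy   = Get-ADDefaultDomainPasswordPolicy -Identity 'test2.net'
$expected = @{
    MinPasswordAge = [TimeSpan]::FromDays(1)
    MaxPasswordAge = [TimeSpan]::FromDays(60)
}
foreach ($name in $expected.Keys) {
    if ($policy.$name -ne $expected[$name]) {
        Write-Warning "$name is $($policy.$name), expected $($expected[$name])"
    }
}
```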

  • #38074

    Participant
    Points: 0
    Rank: Member

    Ha, thanks.. guess I assumed those were in days.

  • #38099

    Participant
    Points: -19
    Rank: Member

    It pays to read manuals before "blowing" stuff up 😉

    https://github.com/PowerShell/xActiveDirectory

  • #38101

    Participant
    Points: 0
    Rank: Member

    Wow Arie, you giggle a little when you posted that. Couldn't pass up an opportunity to be a smart ass? It does pay to read, just like reading this post most people would look at it and realize it's answered and no further comments are needed, but not you.

  • #38219

    Participant
    Points: -19
    Rank: Member

    Okies, point taken. Humor and winking is subjective 😉 (see what I did there ?)
    Props to Missy on her answer.

    Now here's the other side of the mirror.

    You got a fish.
    I gave you a Fishing rod.
    Didn't say fishing was a joyful thing (it is actually), nor that the fish you'll catch will taste good when you eat it..
    But which would get your belly full for longer period ?

    Might not have been the nicest of my replies along the many years, I agree, and for that I'm sorry. Need to work on my 'Improve fishing skills'.

    BUT... There's always a but.

    You might not see it, but we're always but a press of a button away from causing harm to systems. Just last week there was a story about someone who managed to wipe out a good chunk of his network because of one line of code.

    Not saying it's a mission critical thing, as Don mentioned in his recent summit video, nothing is unless you work for a hospital. Yet the bare minimum I would expect from people working in IT and learning to use PowerShell is to read the material so freely available out of their own curiosity first. You are using a module created by someone else and trusting it, I'd say the minimum would be to read the documentation that someone worked hard to write just to make sure you didn't accidentally "blow" stuff up.

    So yes, I sometimes feel sort of 'responsibility' over people I don't know as I want to make sure they get the proper tools of handling their job, and not be a "Copy-Paste" type of Devs\IT. I always care too much, for better or worse, that's sometimes a good quality and a flaw.

    Hope this clears things, and thank you for your time reading this 😉

    Arie
