This function queries the domain for the password policies that are set via Group Policy. The properties of the output object include Min Password Length, Min Password Age, Max Password Age, the number of passwords remembered (for password history restrictions), Lockout Threshold, Lockout Duration, and the Lockout Counter Reset time.

  function Get-DomainPasswordPolicy
  {
      <#
      .SYNOPSIS
      Reports the password and account-lockout policy of the current logon domain.

      .DESCRIPTION
      Binds to "WinNT://$env:userdomain" through the [ADSI] accelerator and projects
      the policy attributes of that object into a single record with readable column
      names. Age attributes are divided by 86400 and reported as days; lockout
      intervals are divided by 60 and reported as minutes. An AutoUnlockInterval of
      -1 is reported as text saying the account stays locked until an administrator
      unlocks it.

      .OUTPUTS
      One object with the columns DomainName, Minimum Password Length, Minimum and
      Maximum Password Age, Enforce Password History, Account Lockout Threshold,
      Account Lockout Duration and Reset Account Lockout Counter After.

      .NOTES
      NOTE(review): the target comes from $env:userdomain, i.e. the logon context of
      the current session; for a local-account session this is presumably the
      computer name rather than an AD domain - confirm what is being read before
      using the result as audit evidence.
      NOTE(review): this is the domain-wide view only. Fine-grained password policies
      (Password Settings Objects) applied to specific users or groups are not expected
      to show up here and need to be reviewed separately.
      #>

      # Directory object whose attributes carry the policy values.
      $policySource = [ADSI]"WinNT://$env:userdomain"

      # Calculated properties, listed in the order the columns should appear.
      $columns = @(
          @{ Name = "DomainName"; Expression = { $_.Name } }
          @{ Name = "Minimum Password Length (Chars)"; Expression = { $_.MinPasswordLength } }
          @{ Name = "Minimum Password Age (Days)"; Expression = { $_.MinPasswordAge.value/86400 } }
          @{ Name = "Maximum Password Age (Days)"; Expression = { $_.MaxPasswordAge.value/86400 } }
          @{ Name = "Enforce Password History (Passwords remembered)"; Expression = { $_.PasswordHistoryLength } }
          @{ Name = "Account Lockout Threshold (Invalid logon attempts)"; Expression = { $_.MaxBadPasswordsAllowed } }
          @{
              Name = "Account Lockout Duration (Minutes)"
              Expression = {
                  $unlockInterval = $_.AutoUnlockInterval.value
                  # -1 is the marker for "no automatic unlock".
                  if ($unlockInterval -eq -1)
                  {
                      'Account is locked out until administrator unlocks it.'
                  }
                  else
                  {
                      $unlockInterval/60
                  }
              }
          }
          @{ Name = "Reset Account Lockout Counter After (Minutes)"; Expression = { $_.LockoutObservationInterval.value/60 } }
      )

      $policySource | Select-Object -Property $columns
  }

