In this article, I am going to explain about how to find and read the settings of account lockout policy in current Active Directory domain by using Powershell.
Summary:
# Method 1 : Get-ADDefaultDomainPasswordPolicy
We can use the Active Directory powershell cmdet Get-ADDefaultDomainPasswordPolicy to gets the account lockout policy settings for an Active Directory domain. Before proceed, run the below command to import the Active Directory module.Import-Module ActiveDirectoryThe below command get the default account lockout policy from current logged on user domain.
Get-ADDefaultDomainPasswordPolicy | Select LockoutDuration,LockoutObservationWindow,` LockoutThreshold | FLThis command returns the following results (LockoutDuration,LockoutObservationWindow and LockoutThreshold).
PS C:\> Get-ADDefaultDomainPasswordPolicy | Select LockoutDuration,LockoutObservationWindow,` LockoutThreshold | FL LockoutDuration : 00:30:00 LockoutObservationWindow : 00:30:00 LockoutThreshold : 6
# Method 2 : Get-ADObject
We can also use Get-ADObject to retrieve account lockout policy associated properties from the domain naming context (defaultNamingContext).$RootDSE = Get-ADRootDSE $AccountPolicy = Get-ADObject $RootDSE.defaultNamingContext -Property lockoutDuration,` lockoutObservationWindow, lockoutThreshold $AccountPolicy | Select Name,` @{n="Lockout duration";e={"$($_.lockoutDuration / -600000000) minutes"}},` @{n="Reset lockout counter";e={"$($_.lockoutObservationWindow / -600000000) minutes"}},` @{n="Lockout Threshold";e={"$($_.lockoutThreshold) invalid logon attempts"}} | FLThe above command returns the following results (Lockout duration, Reset lockout counter and Lockout Threshold).
Name : contoso Lockout duration : 30 minutes Reset lockout counter : 30 minutes Lockout Threshold : 6 invalid logon attempts
# Method 3 : net accounts
We can also use the following net command to look at the account lockout policy details.net accountsThis command returns the following results (Lockout duration (minutes), Lockout observation window (minutes) and Lockout threshold).
PS C:\> net accounts Force user logoff how long after time expires?: Never Minimum password age (days): 1 Maximum password age (days): 42 Minimum password length: 7 Length of password history maintained: 24 Lockout threshold: 6 Lockout duration (minutes): 30 Lockout observation window (minutes): 30 Computer role: PRIMARY The command completed successfully.
No comments:
Post a Comment