Create a New Fine-Grained Password Policy

Applies To: Windows Server 2008 R2

This topic explains how to use the Active Directory module for Windows PowerShell to create a new fine-grained password policy.

Example 1

The following example demonstrates how to create a new fine-grained password policy for the domain users in the Fabrikam.com domain:

New-ADFineGrainedPasswordPolicy -Name "DomainUsersPSO" -Precedence 500 -ComplexityEnabled $true -Description "The Domain Users Password Policy" -DisplayName "Domain Users PSO" -LockoutDuration "0.12:00:00" -LockoutObservationWindow "0.00:15:00" -LockoutThreshold 10 -MaxPasswordAge "60.00:00:00" -MinPasswordAge "1.00:00:00" -MinPasswordLength 8 -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false

Example 2

The following example is a sample script that demonstrates how to create a new fine-grained password policy from a template:

# Build an in-memory template object; nothing is written to the directory until New-ADFineGrainedPasswordPolicy runs.
$templatePSO = New-Object Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy
$templatePSO.ComplexityEnabled = $true
$templatePSO.LockoutDuration = [TimeSpan]::Parse("0.12:00:00")
$templatePSO.LockoutObservationWindow = [TimeSpan]::Parse("0.00:15:00")
$templatePSO.LockoutThreshold = 10
$templatePSO.MinPasswordAge = [TimeSpan]::Parse("0.00:10:00")
$templatePSO.PasswordHistoryCount = 24
$templatePSO.ReversibleEncryptionEnabled = $false
New-ADFineGrainedPasswordPolicy -Instance $templatePSO -Name "SvcAccPSO" -Precedence 100 -Description "The Service Accounts Password Policy" -DisplayName "Service Accounts PSO" -MaxPasswordAge "30.00:00:00" -MinPasswordLength 20
New-ADFineGrainedPasswordPolicy -Instance $templatePSO -Name "AdminsPSO" -Precedence 200 -Description "The Domain Administrators Password Policy" -DisplayName "Domain Administrators PSO" -MaxPasswordAge "15.00:00:00" -MinPasswordLength 10
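
A newly created fine-grained password policy has no effect until it is linked to user objects or global security groups, and when several policies reach the same account the lowest Precedence value wins. The following script is an added example, not part of the original topic: it links the three policies created above and checks the result. The group-to-policy mapping, the group name SvcAccounts, and the user name svc-backup are assumptions; replace them with objects that exist in your domain.

```powershell
# Added example (not from the original topic). Names marked "hypothetical"
# are assumptions; substitute objects that exist in your domain.
Import-Module ActiveDirectory

# PSO name -> global security group it should apply to (assumed mapping).
$links = @{
    'DomainUsersPSO' = 'Domain Users'
    'SvcAccPSO'      = 'SvcAccounts'     # hypothetical group
    'AdminsPSO'      = 'Domain Admins'
}

foreach ($psoName in $links.Keys) {
    $pso   = Get-ADFineGrainedPasswordPolicy -Identity $psoName -Properties AppliesTo
    $group = Get-ADGroup -Identity $links[$psoName]

    # A PSO can be linked only to users and global security groups.
    if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
        Write-Warning "$($group.Name) is not a global security group; skipping $psoName"
        continue
    }

    # Link only if the group is not already a subject, so the script can be re-run.
    if ($pso.AppliesTo -notcontains $group.DistinguishedName) {
        Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group
    }
}

# List all PSOs in winning order: the lowest Precedence value takes priority.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Format-Table Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold -AutoSize

# Confirm which PSO actually wins for one account (hypothetical user name).
$effective = Get-ADUserResultantPasswordPolicy -Identity 'svc-backup'
if ($null -eq $effective) {
    Write-Warning 'No PSO applies; the Default Domain Policy governs this account.'
} else {
    '{0} (precedence {1}) applies' -f $effective.Name, $effective.Precedence
}
```

With the precedence values used in Example 2, an account that belongs to both the service accounts group and Domain Admins receives SvcAccPSO (100) rather than AdminsPSO (200).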

Additional information

You can use the following parameters when you set many of the common values that are associated with the creation of a new fine-grained password policy:

  • -ComplexityEnabled

  • -Description

  • -DisplayName

  • -LockoutDuration

  • -LockoutObservationWindow

  • -LockoutThreshold

  • -MaxPasswordAge

  • -MinPasswordAge

  • -MinPasswordLength

  • -PasswordHistoryCount

  • -ReversibleEncryptionEnabled

For a full explanation of the parameters that you can pass to New-ADFineGrainedPasswordPolicy, at the Active Directory module command prompt, type Get-Help New-ADFineGrainedPasswordPolicy -detailed, and then press ENTER.