Discover Domain Password Policy
Domain Password Policy
Domain password policy is easily enumerated using either "net accounts" or the AD PowerShell module "Get-ADDefaultDomainPasswordPolicy".
Get-ADDefaultDomainPasswordPolicyIdentify Fine-Grained Password Policies
If the Domain Functional Level (DFL) is set to "Windows Server 2008" or higher, a newer feature called Fine-Grained Password Policy (FGPP) is available to provide a wide variety of password policies that can be applied to users or groups (not OUs). While Microsoft made Fine-Grained Password Policies available starting with Windows Server 2008 (DFL), the Active Directory Administrative Center (ADAC) wasn't updated to support FGPP administration until Windows Server 2012. Enabling "Advanced Features" from the "View" menu option in Active Directory Users and Computers and then browsing down to System, Password Settings Container (CN=Password Settings Container,CN=System,DC=DOMAIN,DC=COM) will typically display any domain FGPP objects.
FGPP over-rides the domain password policy settings and can be used to require stricter password policies or enable less-restrictive settings for a subset of domain users.
Get-ADFineGrainedPasswordPolicy -Filter *Last updated