AdsiPS

1.0.0.3

Public/Get-ADSIFineGrainedPasswordPolicy.ps1

function Get-ADSIFineGrainedPasswordPolicy
{
<#
.SYNOPSIS
    This function will query and list Fine-Grained Password Policies in Active Directory
 
.DESCRIPTION
    This function will query and list Fine-Grained Password Policies in Active Directory
    it return
    name : the Name of the Policy
    MinimumPasswordLength : Minimum PassWord Size int
    passwordreversibleencryptionenabled : Encryption Type reversible (not secure) or not
    minimumpasswordage : The number of day before the user Can change the password
    maximumpasswordage : The number of day that a password can be used before the system requires the user to change it
    passwordcomplexityenabled : True of Fals
    passwordsettingsprecedence : Integer needed to determine which policy to apply in a user is mapped to more than one policy
    lockoutduration : Time in minute before reseting failed logon count
    lockoutobservationwindow : Time between 2 failed logoin attemps before reseting the counter to 0
    lockoutthreshold : Number of failed login attempt to trigger lockout
    psoappliesto : Groups and/or Users
    WhenCreated
    WhenChanged
 
.PARAMETER Name
    Specify the name of the policy to retreive
     
.PARAMETER Credential
    Specify the Credential to use
 
.PARAMETER DomainDistinguishedName
    Specify the DistinguishedName of the Domain to query
     
.PARAMETER SizeLimit
    Specify the number of item(s) to output
     
.EXAMPLE
    Get-ADSIFineGrainedPasswordPolicy
    Retreive all the password policy on the current domain
 
.EXAMPLE
    Get-ADSIFineGrainedPasswordPolicy -Name Name
    Retreive the password policy nammed 'Name' on the current domain
     
.NOTES
    Francois-Xavier Cat
    LazyWinAdmin.com
    @lazywinadm
    github.com/lazywinadmin/AdsiPS
    Olivier Miossec
    @omiossec_med
#>
    


    [CmdletBinding()]
    PARAM (
        [Parameter(ParameterSetName = "Name")]
        [String]$Name,
            
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [Alias("Domain", "DomainDN", "SearchRoot", "SearchBase")]
        [String]$DomainDistinguishedName = $(([adsisearcher]"").Searchroot.path),
        
        [Alias("RunAs")]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]
        $Credential = [System.Management.Automation.PSCredential]::Empty,
        
        [Alias("ResultLimit", "Limit")]
        [int]$SizeLimit = '100'
    )
    PROCESS
    {
        TRY
        {
            $FunctionName = (Get-Variable -Name MyInvocation -ValueOnly -Scope 0).MyCommand

            Write-Verbose -Message "[$FunctionName] Create DirectorySearcher"
            $Search = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ErrorAction 'Stop'
            $Search.SizeLimit = $SizeLimit
            $Search.SearchRoot = $DomainDistinguishedName
            $Search.filter = "(objectclass=msDS-PasswordSettings)"


            IF ($PSBoundParameters['name'])
            {
                $Search.filter = "(|(name=$name))"
                Write-Verbose -Message "[$FunctionName] Set Filter to '$($Search.filter)'"
            }

            IF ($PSBoundParameters['DomainDistinguishedName'])
            {
                IF ($DomainDistinguishedName -notlike "LDAP://*") { $DomainDistinguishedName = "LDAP://$DomainDistinguishedName" }#IF
                Write-Verbose -Message "Different Domain specified: $DomainDistinguishedName"
                $Search.SearchRoot = $DomainDistinguishedName
                Write-Verbose -Message "[$FunctionName] Set SearchRoot to '$($Search.SearchRoot)'"
            }
            IF ($PSBoundParameters['Credential'])
            {
                Write-Verbose -Message "[$FunctionName] Add Credential'"
                $Cred = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $DomainDistinguishedName, $($Credential.UserName), $($Credential.GetNetworkCredential().password)
                $Search.SearchRoot = $Cred
            }


            foreach ($Object in $($Search.FindAll()))
            {
                # Define the properties
                # The properties need to be lowercase!
                $Properties = @{
                    "name" = $Object.properties.name -as [string]
                    "passwordhistorylength" = $Object.Properties.Item("msds-passwordhistorylength") -as [int]
                    "minimumpasswordlength" = $Object.Properties.Item("msds-minimumpasswordlength") -as [int]
                    "passwordreversibleencryptionenabled" = $Object.Properties.Item("msds-passwordreversibleencryptionenabled") -as [string]
                    "minimumpasswordage" = $Object.Properties.Item("msds-minimumpasswordage") -as [string]
                    "maximumpasswordage" = $Object.Properties.Item("msds-maximumpasswordage") -as [string]
                    "passwordcomplexityenabled" = $Object.Properties.Item("msds-passwordcomplexityenabled") -as [string]
                    "passwordsettingsprecedence" = $Object.Properties.Item("msds-passwordsettingsprecedence") -as [string]
                    "lockoutduration" = $Object.Properties.Item("msds-lockoutduration") -as [string]
                    "lockoutobservationwindow" = $Object.Properties.Item("msds-lockoutobservationwindow") -as [string]
                    "lockoutthreshold" = $Object.Properties.Item("msds-lockoutthreshold") -as [string]
                    "psoappliesto" = $Object.Properties.Item("msds-psoappliesto") -as [string]
                    "WhenCreated" = $Object.properties.whencreated -as [string]
                    "WhenChanged" = $Object.properties.whenchanged -as [string]
                }
                
                # Output the info
                New-Object -TypeName PSObject -Property $Properties
            }

        }
        CATCH
        {
            # Return current error
            $PSCmdlet.ThrowTerminatingError($_)
        }
    }
    END
    {
        Write-Verbose -Message "[$FunctionName] Done"
    }
}