6.11. Viewing the Account Lockout and Password Policies

Problem

You want to view the account lockout and password policies for a domain.

Solution

Using a graphical user interface

  1. Open the Domain Security Policy snap-in.

  2. In the left menu, expand Default Domain Policy Computer Configuration Windows Settings Security Settings Account Policies.

  3. Click on Password Policy or Account Lockout Policy and double-click the property you want to set or view in the right frame.

Using a command-line interface

> enumprop /ATTR:[RETURN] 
lockoutduration,lockoutthreshold,lockoutobservationwindow,maxpwdage,minpwdage,[RETURN]
minpwdlength,pwdhistorylength,pwdproperties "LDAP://<DomainDN>"

Using VBScript

' This code displays the current settings for the password 
' and account lockout policies.
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDN>" ' e.g. rallencorp.com ' ------ END CONFIGURATION --------- set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE") set objDomain = GetObject("LDAP://" & _ objRootDSE.Get("defaultNamingContext") ) ' Hash containing the domain password and lockout policy attributes ' as keys and the units (e.g. minutes) as the values set objDomAttrHash = CreateObject("Scripting.Dictionary") objDomAttrHash.Add "lockoutDuration", "minutes" objDomAttrHash.Add "lockoutThreshold", "attempts" objDomAttrHash.Add "lockoutObservationWindow", "minutes" objDomAttrHash.Add "maxPwdAge", "minutes" objDomAttrHash.Add "minPwdAge", "minutes" objDomAttrHash.Add "minPwdLength", ...

Get Active Directory Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.