16.6. Viewing and Modifying the Account Lockout and Password Policies

Problem

You want to view the account lockout and password policies for a domain.

Solution

Using a graphical user interface

  1. Open the Default Domain Policy console (under Administrative Tools on a domain controller).

  2. In the left menu, expand Default Domain Policy Computer Configuration Windows Settings Security Settings Account Policies.

  3. Click on Password Policy or Account Lockout Policy and double-click the property you want to set or view in the right frame.

Using a command-line interface

> enumprop /ATTR:lockoutduration,lockoutthreshold,lockoutobservationwindow,maxpwdage,minpwdage,
minpwdlength,pwdhistorylength,pwdproperties "LDAP://<DomainDN>"

Using VBScript

' This code displays the current settings for the password 
' and account lockout policies.
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDN>" ' e.g., rallencorp.com ' ------ END CONFIGURATION --------- set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE") set objDomain = GetObject("LDAP://" & _ objRootDSE.Get("defaultNamingContext") ) ' Hash containing the domain password and lockout policy attributes ' as keys and the units (e.g., minutes) as the values set objDomAttrHash = CreateObject("Scripting.Dictionary") objDomAttrHash.Add "lockoutDuration", "minutes" objDomAttrHash.Add "lockoutThreshold", "attempts" objDomAttrHash.Add "lockoutObservationWindow", "minutes" objDomAttrHash.Add "maxPwdAge", "minutes" objDomAttrHash.Add "minPwdAge", ...

Get Windows Server Cookbook now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.