Using PowerShell to Check Lockout Threshold for Domains


Summary: Ed Wilson, Microsoft Scripting Guy, talks about using Windows PowerShell to check the lockout threshold for several domains.

Hey, Scripting Guy! I have several domains in our forest, and it seems that some weasel got in and changed the lockout threshold in some of the child domains. I know we should have turned on auditing, but we did not. What I need right now is a way to find all of the domains that have been changed.

—MB

Hello MB,

Microsoft Scripting Guy, Ed Wilson, is here. This weekend, there is a battle-of-the-bands going on in downtown Charlotte. I am thinking that the Scripting Wife and I may head down there. If we are lucky, they may play “Heard it Through the Pipeline” or “Highway to PowerShell.” 

MB, luckily, it is fairly easy to accomplish what you want to do. Here is an example you can use that would work for any property you want to check.

Get the domains in the forest

The first thing to do is to get a list of all of the domains in the forest. To do this, I can use the Get-ADForest cmdlet, and select only the domains. After I do that, I walk through the domains, get the default domain password policy for each domain, and compare it to a reference policy. When I have the comparison, I create a custom object for each domain policy that does not match. Here is how I go about it:

Import-Module ActiveDirectory
$default = Get-ADDefaultDomainPasswordPolicy -Identity nwtraders.com
Foreach ($domain in (Get-ADForest).domains)

I like to import the Active Directory module directly because it is a bit faster than doing a lookup and finding the module. Besides, I know that I am going to be using the Active Directory module, so it certainly does not hurt to import it.

Now I read the default domain password policy that I know is correct. I store this in a variable I call $Default, and then I get my collection of domains.

Check each domain

Now I need to get the default password policy for each domain in my collection of domains. I then use the Compare-Object cmdlet to compare the default policy with what I retrieved from the current domain. I am only comparing the LockOutThreshold. Here is the code that does this:

 $p = Get-ADDefaultDomainPasswordPolicy -Identity $domain
 $diff = Compare-Object -ReferenceObject $default -DifferenceObject `
  $p -Property LockoutThreshold -PassThru

Because I use the -PassThru parameter, the objects that differ are returned to the $diff variable I specified, each with a SideIndicator property added. I now want to walk through each of the objects stored in the $diff variable and look for a side indicator of '=>'. That indicator marks the object that came from the difference object, which is the policy of the domain I am currently checking, and it only appears when that domain's lockout threshold differs from the reference (the reference policy comes back with '<='). When I find this difference, I grab the domain name and the lockout threshold and create a custom object. This code is shown here:

   Foreach ($d in $diff)
     {if($d.SideIndicator -eq '=>')   # '=>' is the object from -DifferenceObject: the domain being checked
      {[pscustomobject]@{
       'DomainName' = $d.DistinguishedName ;
       'LockOutThreshold' = $d.LockoutThreshold}}}

The complete script appears here:

Import-Module ActiveDirectory
$default = Get-ADDefaultDomainPasswordPolicy -Identity nwtraders.com
Foreach ($domain in (Get-ADForest).domains)
{
 $p = Get-ADDefaultDomainPasswordPolicy -Identity $domain
 $diff = Compare-Object -ReferenceObject $default -DifferenceObject `
  $p -Property LockoutThreshold -PassThru
   Foreach ($d in $diff)
     {if($d.SideIndicator -eq '=>')   # '=>' is the object from -DifferenceObject: the domain being checked
      {[pscustomobject]@{
       'DomainName' = $d.DistinguishedName ;
       'LockOutThreshold' = $d.LockoutThreshold}}}}
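As an added example that is not part of Ed's post, here is a generalized form of the same check. It compares a list of password-policy properties value by value instead of going through Compare-Object, so the domain that deviates is always the one reported, and it raises an error for any domain whose policy cannot be read rather than silently skipping it. The function name Compare-DomainPasswordPolicy, the default property list, and the nwtraders.com reference domain are assumptions; -Server and -Credential are the cmdlet's existing parameters.

```powershell
Import-Module ActiveDirectory

function Compare-DomainPasswordPolicy {
    [CmdletBinding()]
    param(
        # Domain whose default password policy is the known-good reference (assumed name)
        [Parameter(Mandatory)]
        [string]$ReferenceDomain,

        # Policy properties to compare; LockoutThreshold alone reproduces the post's check
        [string[]]$Property = @('LockoutThreshold', 'LockoutDuration',
                                'LockoutObservationWindow', 'MinPasswordLength',
                                'ComplexityEnabled', 'PasswordHistoryCount'),

        # Optional account with read access to every domain being queried
        [pscredential]$Credential
    )

    $reference = Get-ADDefaultDomainPasswordPolicy -Identity $ReferenceDomain -Server $ReferenceDomain

    foreach ($domain in (Get-ADForest).Domains) {
        # -Server sends the query to a DC of that domain instead of relying on a referral
        $query = @{ Identity = $domain; Server = $domain; ErrorAction = 'Stop' }
        if ($Credential) { $query.Credential = $Credential }

        try {
            $current = Get-ADDefaultDomainPasswordPolicy @query
        }
        catch {
            # A domain that cannot be read is a finding in itself, so report it explicitly
            Write-Error "Could not read the default password policy of '$domain': $($_.Exception.Message)"
            continue
        }

        foreach ($name in $Property) {
            # Compare one property at a time so the output names exactly what differs
            if ($reference.$name -ne $current.$name) {
                [pscustomobject]@{
                    DomainName = $domain
                    Property   = $name
                    Expected   = $reference.$name
                    Actual     = $current.$name
                }
            }
        }
    }
}

# Report every domain whose lockout threshold deviates from the reference domain
Compare-DomainPasswordPolicy -ReferenceDomain nwtraders.com -Property LockoutThreshold
```

Comparing property values directly sidesteps the SideIndicator question entirely: each output object names the deviating domain, the property, and both values, which is the shape you want when handing the list to whoever has to put the policy back. Run it without -Property to check all of the defaults at once.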

MB, that is all there is to using Windows PowerShell to check Active Directory domain password policies. Active Directory Week will continue tomorrow when I will talk about more cool stuff.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy

Comments (1)

  1. GDeans says:

    I support a global forest with multiple domains and DMZ domains with trusts. Is there anything specific needed, either in the script or the domain trust, to use this to query a DMZ domain? I assume I would have to run this under a user account that has read access to the DMZ domain, but in a special case like this is there any additional code to consider or a specific configuration of the trust that would prevent this, so I'm not beating my head against a wall because the domain admins have the trust set up so I can't ever succeed?

    Also, I've noticed a lot of the domain-related scripts and discussions normally center around the assumption that there is one domain where everything resides, and they don't consider multiple domains or user accounts which, from my experience, is fairly typical when dealing with Active Directory. Chasing referrals caused me quite a headache when I was starting out, so I hope you could continue your work here but include those little things that will trip us up if we are in a more complex environment: that use an account in one domain to support another, or have to deal with special trust situations like DMZ domains.
