====== Active Directory Password Policy ======

===== Check a User's Password and Policy =====

Check when a user's password expires, and which password policy applies to the user:

  net user USERNAME /domain
  Get-ADUserResultantPasswordPolicy USERNAME

===== Default Domain Password Policy =====

  Get-ADDefaultDomainPasswordPolicy

{{ :networking:windows:active_directory:ad-default-domain-password-policy.png?direct&750 |Default Domain Password Policy}}

===== Fine-Grained Password Policy =====

  * https://specopssoft.com/blog/check-password-requirements-active-directory/
  * http://techgenix.com/configuring-fine-grained-password-policies/
  * **CloudPanel**: https://kb.knowmoreit.com/how-to/setting-up-user-password-expiring-notices/

{{ :networking:windows:active_directory:ad-fine-grained-password-policy.png?direct&650 |Fine-Grained Password Policy}}

==== Show Fine-Grained Password Policies ====

  Get-ADFineGrainedPasswordPolicy -Filter *

==== Show Per User Policy ====

  Get-ADUserResultantPasswordPolicy username

No output means that no fine-grained policy applies to the user, so the Default Domain Policy is in effect.

Or, to show the policy for all users, first define a helper function:

  function Get-MTUserPasswordPolicy ($Identity) {
      # Name of the fine-grained policy that applies to the user, if any
      $Fgpp = (Get-ADUserResultantPasswordPolicy -Identity $Identity).Name
      # $null means no fine-grained policy applies: the default domain policy is in effect
      [string]$Policy = if ($null -eq $Fgpp) { "Default Domain Policy" } else { $Fgpp }
      $Return = New-Object -TypeName PSObject
      $Return | Add-Member -MemberType NoteProperty -Name Identity -Value $Identity
      $Return | Add-Member -MemberType NoteProperty -Name PasswordPolicy -Value $Policy
      return $Return
  }

Then call the function for every enabled user:

  Get-ADUser -Filter {Enabled -eq $True} | ForEach-Object {Get-MTUserPasswordPolicy -Identity $_.SamAccountName}
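
Added example (not part of the original page): the expiry check and the per-user policy lookup above combined into one report over all enabled accounts, reading the computed expiry from the ''msDS-UserPasswordExpiryTimeComputed'' attribute. The function name ''Get-PasswordExpiryReport'' and the 14-day warning threshold are assumptions made for this example.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper: one row per enabled user with effective policy and expiry status.
function Get-PasswordExpiryReport {
    param([int]$WarnDays = 14)   # assumption: warn this many days before expiry

    $props = 'msDS-UserPasswordExpiryTimeComputed', 'PasswordLastSet'
    $now   = Get-Date

    Get-ADUser -Filter 'Enabled -eq $true' -Properties $props | ForEach-Object {
        $raw  = $_.'msDS-UserPasswordExpiryTimeComputed'
        $fgpp = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName

        # The attribute is a FILETIME with two sentinel values:
        #   0              -> password must be changed at next logon
        #   Int64.MaxValue -> password never expires (FromFileTime would throw on it)
        $expires = $null
        $status  = 'OK'
        if ($null -eq $raw)                 { $status = 'Unknown' }
        elseif ($raw -eq 0)                 { $status = 'MustChangeAtNextLogon' }
        elseif ($raw -eq [Int64]::MaxValue) { $status = 'NeverExpires' }
        else {
            $expires = [datetime]::FromFileTime($raw)
            if ($expires -lt $now)                        { $status = 'Expired' }
            elseif ($expires -lt $now.AddDays($WarnDays)) { $status = 'ExpiringSoon' }
        }

        [PSCustomObject]@{
            SamAccountName  = $_.SamAccountName
            # No resultant fine-grained policy means the default domain policy applies
            PasswordPolicy  = if ($fgpp) { $fgpp.Name } else { 'Default Domain Policy' }
            PasswordLastSet = $_.PasswordLastSet
            PasswordExpires = $expires
            Status          = $status
        }
    }
}

# Accounts that never expire, or are already expired, are the ones to review first.
Get-PasswordExpiryReport |
    Sort-Object Status, PasswordExpires |
    Format-Table -AutoSize
```

Enabled accounts reported as ''NeverExpires'' fall outside the maximum password age of whichever policy applies to them, so they are worth reviewing separately.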