Impact use Set-ADDefaultDomainPasswordPolicy

CMDlet poses a problem if several GPOs with password settings

The CMDlet Set-ADDefaultDomainPasswordPolicy achieves two things:

• modification of the associated Active Directory attribute
• file modification \\<sysvolPath>\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdi\GptTmpl.inf

However, if the command modifies an attribute that is not present in the Default Domain Policy GPO, it will not be written to the GPO file and will be overwritten if another GPO has this setting.

An example to explain this case:

• I have the GPO Default Domain Policy linked to the domain level. It defines only minPwdAge=1 and maxPwdAge=100. The rest is in Not defined.
• I have a GPO Pass-History-Length linked to the domain level. It defines the minimum length: minPwdLength = 10. The rest is in Not defined.

I use PowerShell to change the minimum length :

Get-ADDefaultDomainPasswordPolicy | Set-ADDefaultDomainPasswordPolicy -MinPasswordLength 8

The result is :

• the attribute minPwdLength at the domain root is changed to 8 characters
• but as this parameter is not present in the Default Domain Policy, theGptTmpl.inf of the Default Domain Policy GPO is not modified. This means that the next time the GPOs are fully updated (DC restart or gpupdate /force), the Pass-History-Length GPO setting will take precedence and overwrite minPwdLength in the AD, which will revert to 10.

Information: AD attributes modified by password strategy

The AD parameters are :

• lockoutDuration
• lockOutObservationWindow
• lockoutThreshold
• maxPwdAge
• minPwdAge
• minPwdLength
• pwdHistoryLength
• pwdProperties (in particular for ComplexityEnabled et ReversibleEncryptionEnabled, see https://learn.microsoft.com/en-us/windows/win32/adschema/a-pwdproperties)