PowerShell cmdlets
All operations that can be performed using the Specops Password Policy administration tools can also be performed from Windows PowerShell.
Getting started
Specops Password Policy includes the following Windows PowerShell cmdlets. They are installed as a PowerShell module with the Specops Password Policy Admin Tools. You might have to start a new PowerShell window after installing the Admin Tools for the cmdlets to be available.
Administration cmdlets
For a list of all the Specops Password Policy administration cmdlets from PowerShell, use the following command:
Get-Command -Module Specops.SpecopsPasswordPolicy
Creating a Specops Password Policy GPO
You can configure a password policy to use classic password rules.
$policy = New-PasswordPolicy
$policy.MinimumLength = 8
$policy.Digit = 1
Set-PasswordPolicy -GpoName SPP -Policy $policy
Passphrase
You can configure a password policy to use passphrases.
$policy = New-PasswordPolicy
$policy.PhrasesMinimumLength = 25
$policy.PasswordPolicyType = "Passphrase"
Set-PasswordPolicy -GpoName SPP -Policy $policy
Both password rules and passphrase
You can configure a password policy to use both classic password rules and passphrases.
$policy = New-PasswordPolicy
$policy.PasswordPolicyType = "Both"
$policy.PhrasesMinimumLength = 25
$policy.PhraseRegexDigit = $true
$policy.MinimumLength = 8
$policy.Digit = 1
$policy.Upper = 1
Set-PasswordPolicy -GpoName SPP -Policy $policy
Removing a Specops Password Policy GPO
You can remove the Specops Password Policy settings from a GPO.
$policy = New-PasswordPolicy
$policy.MinimumLength = 8
$policy.Digit = 1
Remove-PasswordPolicy -GpoName SPP $policy
Resolving a user’s Specops Password Policy GPO
A user’s Specops Password Policy GPO can be resolved. If the user isn’t affected by Specops Password Policy, nothing will be returned.
Example 1: Resolve policy using userPrincipalName
Get-PasswordPolicyAffectingUser 'John.Doe@acme.org' | Format-List
Sample output:
PS C:\Scripts> Get-PasswordPolicyAffectingUser 'John.Doe@acme.org' | Format-List
GpoId : 31862cba-7bd9-4150-80cf-2ab23a896a41
GpoName : Specops Password Policy - High Privilege
PasswordPolicy : Specopssoft.SpecopsPasswordPolicy.AdministrationApi.PasswordPolicy
Example 2: Resolve policy using sAMAccountName
Get-PasswordPolicyAffectingUser John | Format-List
Sample output:
PS C:\Scripts> Get-PasswordPolicyAffectingUser John | Format-List
GpoId : 31862cba-7bd9-4150-80cf-2ab23a896a41
GpoName : Specops Password Policy - High Privilege
PasswordPolicy : Specopssoft.SpecopsPasswordPolicy.AdministrationApi.PasswordPolicy
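The two examples above resolve one account at a time. The following script, an added example that is not part of the Specops documentation, extends that to a list of accounts and reports which ones resolve to no Specops Password Policy GPO at all. It assumes the Admin Tools module is installed, that the caller may read the GPOs, and that the returned PasswordPolicy object exposes the same PasswordPolicyType and MinimumLength properties shown for New-PasswordPolicy above; the account list is constructed sample input.

```powershell
# Added example (not Specops' own code): audit a list of accounts against
# Specops Password Policy and flag any account with no resolved policy GPO.
Import-Module Specops.SpecopsPasswordPolicy

# Constructed sample input: a userPrincipalName and two sAMAccountNames.
$accounts = @('John.Doe@acme.org', 'svc-backup', 'jane.smith')

$report = foreach ($account in $accounts) {
    # Get-PasswordPolicyAffectingUser returns nothing for an account that is
    # not affected by any Specops Password Policy GPO, so $null means "uncovered".
    $resolved = Get-PasswordPolicyAffectingUser $account

    if ($null -eq $resolved) {
        [pscustomobject]@{
            Account       = $account
            Covered       = $false
            GpoName       = $null
            PolicyType    = $null
            MinimumLength = $null
        }
    }
    else {
        # Assumption: the resolved PasswordPolicy object carries the same
        # property names as the object created by New-PasswordPolicy.
        $p = $resolved.PasswordPolicy
        [pscustomobject]@{
            Account       = $account
            Covered       = $true
            GpoName       = $resolved.GpoName
            PolicyType    = $p.PasswordPolicyType
            MinimumLength = $p.MinimumLength
        }
    }
}

$report | Format-Table -AutoSize

# Surface the accounts that no Specops policy applies to, so they can be reviewed.
$uncovered = @($report | Where-Object { -not $_.Covered })
if ($uncovered.Count -gt 0) {
    Write-Warning ("{0} account(s) resolve to no Specops Password Policy GPO: {1}" -f `
        $uncovered.Count, ($uncovered.Account -join ', '))
}
```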
Enforcing Leaked Password Scanning
By default, breached password scanning is run by Specops Password Policy Sentinel on the PDC emulator every night, but only when the Breached Password Protection list has been updated; if the list has not been updated, there is no need to scan. Scanning can be enforced from the admin tool or with the Start-PasswordPolicyPeriodicScanning cmdlet. When using the cmdlet, pass -BreachedPasswordProtectionExpress to run the Express scan or -BreachedPasswordProtectionComplete to run the Complete scan.
Example: Enforce nightly counting
Start-PasswordPolicyPeriodicScanning -BreachedPasswordProtectionExpress -Verbose
Sample output (successful):
PS C:\Scripts> Start-PasswordPolicyPeriodicScanning -BreachedPasswordProtectionExpress -Verbose
VERBOSE: User counting started successfully.
Specops Breached Password Protection Express Cmdlets
Get status of Breached Password Protection Express (Get-SppBppExpressList)
This cmdlet gets the status of the Breached Password Protection Express list and determines whether an update is available online. Optionally, the integrity of the downloaded Express list can be verified: integrity verification compares the hash of every Express list file in SYSVOL with its expected hash from the metadata file.
Get-PasswordPolicyBppExpressList [[-DomainName] <string>] [-VerifyFileIntegrity]
Update Breached Password Protection Express List (Update-SppBppExpressList)
This cmdlet updates the Breached Password Protection Express list if there is an update available online.
Update-PasswordPolicyBppExpressList [-DomainName <string>] [-Force <SwitchParameter>] [-TempFolder <string>]