Powershell AD – Fine-Grained Password Policy

Fine-Grained Password Policy einrichten

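# Create the OU that will hold the ITAdmin group.
# The cmdlet is New-ADOrganizationalUnit; the original "New-ADOrganizationUnit"
# is not a real cmdlet and fails before anything else in this walkthrough runs.
# No -Path is given, so the OU is created directly under the domain root, which
# is the DN ("OU=ITAdmin,DC=NDSEDV,DC=de") the group creation below expects.
New-ADOrganizationalUnit -Name "ITAdmin"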

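# Create the security group the PSO will be linked to.
# Fixes against the original: the line after -Name had no continuation backtick
# (so "-GroupScope ..." was parsed as a separate, invalid statement) and the
# typographic quotes are replaced with plain ones.
# Scope is Global rather than Universal: Microsoft documents fine-grained password
# policies as applying to user objects and global security groups, so a Global
# group stays inside the documented, supported configuration.
New-ADGroup -Name "ITAdmin" `
    -SamAccountName "ITAdmin" `
    -GroupCategory Security `
    -GroupScope Global `
    -Description "ITAdmin Special Password Policy" `
    -Path "OU=ITAdmin,DC=NDSEDV,DC=de" `
    -PassThru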

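# Create the admin account.
# Fixes against the original: missing continuation backticks after -Department
# and -Force, an unclosed parenthesis around ConvertTo-SecureString, and
# typographic quotes.
# The initial password is read interactively as a SecureString instead of being
# embedded as a plaintext literal: a literal in the script lands in the file,
# in PowerShell command history and in any transcript that is running.
# NOTE(review): at this point the PSO does not exist yet, so the password
# entered here must satisfy whatever policy is currently effective for the
# account (typically the Default Domain Policy) - confirm in your domain.
$initialPassword = Read-Host -Prompt "Initial password for Walter" -AsSecureString

New-ADUser -Name "Joern Walter" `
    -GivenName "Joern" `
    -Surname "Walter" `
    -SamAccountName "Walter" `
    -Department "IT" `
    -Title "Chief of IT" `
    -Description "Chief of IT" `
    -EmailAddress "joern.walter@ndsedv.de" `
    -AccountPassword $initialPassword `
    -ChangePasswordAtLogon $true `
    -PasswordNeverExpires $false `
    -Enabled $true `
    -PassThru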

# Make the new account a member of ITAdmin so the PSO linked to the group
# (below) is inherited through group membership.
# -Identity is resolved by SamAccountName ("Walter"); -PassThru echoes the
# principal so the membership change is visible in the console.
Add-ADPrincipalGroupMembership -Identity "Walter" -MemberOf "ITAdmin" -PassThru

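# Create the password settings object (PSO).
# Fix against the original: the parameter is -LockoutObservationWindow
# (singular). "-LockoutObservationWindows" is not a prefix of any parameter
# name, so the original call errors out with an unknown-parameter message.
# Values:
#   - LockoutThreshold 5 / LockoutDuration 5 min / ObservationWindow 5 min.
#     The observation window must not be longer than the lockout duration;
#     keeping both at 5 minutes satisfies that.
#   - MaxPasswordAge 90 days, MinPasswordLength 12.
#   - Precedence 1: lowest number wins when several PSOs apply to a user.
#   - ComplexityEnabled / ReversibleEncryptionEnabled are the cmdlet defaults,
#     written out so the policy is self-describing when read back later.
New-ADFineGrainedPasswordPolicy -Name "ITAdmins Pwd Policy" `
    -Description "Minimum 12 Zeichen fuer alle ITAdmins." `
    -Precedence 1 `
    -MinPasswordLength 12 `
    -MaxPasswordAge 90.00:00:00 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 `
    -LockoutDuration 00:05:00 `
    -LockoutObservationWindow 00:05:00 `
    -PassThru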

# Link the PSO to the ITAdmin group.
# The group is passed through -Subjects directly instead of being piped in;
# both forms resolve the group by name and write the same msDS-PSOAppliesTo link.
Add-ADFineGrainedPasswordPolicySubject -Identity "ITAdmins Pwd Policy" -Subjects "ITAdmin"

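# Verify.
# The first call only shows which principals the PSO is linked to; it does not
# prove the policy is what the account actually receives. The second call asks
# AD for the resultant PSO of the user, which is the effective policy after
# group membership and precedence are taken into account - that is the check
# that matters. If it returns nothing, the user is falling back to the
# Default Domain Policy.
Get-ADFineGrainedPasswordPolicySubject -Identity "ITAdmins Pwd Policy"
Get-ADUserResultantPasswordPolicy -Identity "Walter"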