Detect if AD fine-grained password policies exist

Author: Jonathan Devere-Ellery

If you run the Get-ADFineGrainedPasswordPolicy PowerShell command with an account that does not have Domain Admin rights, you do not get an error message; it simply returns no output. It is difficult to tell whether that is because permissions are not granted or because no fine-grained password policies (FGPPs) actually exist in the domain.

A non-Domain Admin is able to successfully run the command below, even without permission to view the contents of the FGPPs. It lists all of the FGPPs that exist in the Password Settings Container.

Get-ChildItem "AD:\CN=Password Settings Container,CN=System,$((Get-ADDomain).DistinguishedName)" | Select-Object DistinguishedName
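As an added example (not code from the original post), the container listing above wrapped into a function that reports, in one object, how many policy objects sit in the Password Settings Container and how many of them Get-ADFineGrainedPasswordPolicy can actually read, so the two cases the post describes are told apart. It assumes the ActiveDirectory module (RSAT) is installed and provides the AD: drive; the function name Test-FineGrainedPasswordPolicy is my own.

```powershell
# Added example: distinguish "no FGPPs exist" from "FGPPs exist but this
# account cannot read their settings".
# Assumes the ActiveDirectory module (RSAT) and the AD: PSDrive it creates.
Import-Module ActiveDirectory

function Test-FineGrainedPasswordPolicy {
    [CmdletBinding()]
    param(
        # Defaults to the current domain; pass a DN to check another domain.
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )

    $container = "CN=Password Settings Container,CN=System,$DomainDN"

    # Enumerating the container's children only needs read access on the
    # container itself, so it works for a non-admin even when the policy
    # objects' own attributes are hidden. @() keeps an empty result a 0-count array.
    $psoDNs = @(Get-ChildItem -Path "AD:\$container" |
        Select-Object -ExpandProperty DistinguishedName)

    # This cmdlet silently returns nothing when the caller lacks read rights
    # on the policy objects, which is the ambiguity the post describes.
    $readable = @(Get-ADFineGrainedPasswordPolicy -Filter *)

    [pscustomobject]@{
        PolicyCount   = $psoDNs.Count
        ReadableCount = $readable.Count
        # True when policies are visible in the container but their settings are not:
        # the account lacks rights rather than the domain lacking policies.
        PermissionGap = ($psoDNs.Count -gt 0) -and ($readable.Count -eq 0)
        PolicyDNs     = $psoDNs
    }
}

# Usage: run as the account whose view you want to check.
Test-FineGrainedPasswordPolicy
```

A PolicyCount of 0 means no FGPPs exist; PermissionGap set to True means they exist and an audit of their settings needs an account with read rights on the policy objects.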