# Password Policy

For an attacker, the password policy is extremely important to enumerate before performing credential-based attacks such as [password spraying](https://ttp.parzival.sh/pentesting/infrastructure/active-directory/password-spraying).

### Enumerate Password Policy

```bash
# Get Password Policy with CrackMapExec (unauthenticated null session; works only if the DC allows anonymous access)
crackmapexec smb "$dc" -u '' -p '' --pass-pol

# Get Password Policy with CrackMapExec (authenticated)
crackmapexec smb "$dc" -u "$username" -p "$password" --pass-pol

# Get Password Policy with Net Accounts (Windows cmd)
net accounts

# Enumerate the default password policy settings from the Default Domain Policy GPO
# (PowerShell, ActiveDirectory module)
Get-ADDefaultDomainPasswordPolicy
```

### Fine-Grained Password Policy

```bash
# Enumerate all FGPPs configured
Get-ADFineGrainedPasswordPolicy -Filter *

# Obtain the FGPP assigned to a specific user
Get-ADUserResultantPasswordPolicy -Identity parzival

# Obtain FGPP via WMIC (Windows cmd)
wmic /namespace:\\ROOT\directory\LDAP PATH ds_msds_passwordsettings GET DS_DisplayName, ds_msds_PasswordSettingsPrecedence, ds_msds_LockoutObservationWindow, ds_msds_LockoutDuration, ds_msds_LockoutThreshold, ds_msds_PSOAppliesTo
```
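
The same cmdlets serve a defender auditing how exposed the domain is to password spraying. The function below is an added example, not part of the original page: `Test-PasswordPolicy`, its threshold defaults and the sample objects (including the name `ServiceAccounts-PSO`) are hypothetical and constructed for illustration.

```powershell
function Test-PasswordPolicy {
    # Input: objects shaped like the output of Get-ADDefaultDomainPasswordPolicy
    # or Get-ADFineGrainedPasswordPolicy. Thresholds are assumed baselines.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Policy,
        [int] $MinLength = 14,          # assumed minimum acceptable length
        [int] $MaxThreshold = 10,       # assumed maximum failed logons before lockout
        [int] $MinWindowMinutes = 15    # assumed minimum observation window
    )
    process {
        # The default domain policy object has no Name property; FGPPs do.
        $prop = $Policy.PSObject.Properties['Name']
        $name = if ($prop -and $prop.Value) { $prop.Value } else { 'Default domain policy' }
        $findings = @()
        if ($Policy.LockoutThreshold -eq 0) {
            $findings += 'LockoutThreshold is 0: failed logons never lock the account'
        } else {
            if ($Policy.LockoutThreshold -gt $MaxThreshold) {
                $findings += "LockoutThreshold $($Policy.LockoutThreshold) exceeds $MaxThreshold"
            }
            $window = $Policy.LockoutObservationWindow.TotalMinutes
            if ($window -lt $MinWindowMinutes) {
                $findings += "Failed-logon counter resets after $window min (minimum $MinWindowMinutes)"
            }
        }
        if ($Policy.MinPasswordLength -lt $MinLength) {
            $findings += "MinPasswordLength $($Policy.MinPasswordLength) is below $MinLength"
        }
        if (-not $Policy.ComplexityEnabled) { $findings += 'Complexity is disabled' }
        if ($Policy.ReversibleEncryptionEnabled) { $findings += 'Reversible encryption is enabled' }
        foreach ($f in $findings) { [pscustomobject]@{ Policy = $name; Finding = $f } }
    }
}

# Constructed sample objects (not real domain data) so the function runs offline.
$samples = @(
    [pscustomobject]@{ MinPasswordLength = 7; LockoutThreshold = 0
        LockoutObservationWindow = [timespan]::FromMinutes(30)
        ComplexityEnabled = $true; ReversibleEncryptionEnabled = $false }
    [pscustomobject]@{ Name = 'ServiceAccounts-PSO'; MinPasswordLength = 20; LockoutThreshold = 50
        LockoutObservationWindow = [timespan]::FromMinutes(5)
        ComplexityEnabled = $true; ReversibleEncryptionEnabled = $false }
)
$samples | Test-PasswordPolicy | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# & { Get-ADDefaultDomainPasswordPolicy; Get-ADFineGrainedPasswordPolicy -Filter * } | Test-PasswordPolicy
```

FGPPs are checked separately because a PSO with weaker lockout settings overrides the default domain policy for the accounts it applies to.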

### References

{% embed url="<https://specopssoft.com/blog/create-fine-grained-password-policy-active-directory/>" %}
