# Password Policy

As an attacker, it is extremely important to enumerate password policies when performing credential-based attacks such as [password spraying](/pentesting/infrastructure/active-directory/password-spraying.md).

### Enumerate Password Policy

```bash
# Get Password Policy with CrackMapExec (Unauthenticated, null session)
cme smb "$dc" -u '' -p '' --pass-pol

# Get Password Policy with CrackMapExec (Authenticated)
crackmapexec smb "$dc" -u "$username" -p "$password" --pass-pol

# Get Password Policy with Net Accounts (Windows command prompt)
net accounts

# Enumerate the default password policy settings from the Default Domain Policy GPO
# (PowerShell, ActiveDirectory module)
Get-ADDefaultDomainPasswordPolicy
```
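The same output is what a defender reviews to see how exposed the domain is to online guessing. The following is an added example, not part of the original page: it parses `net accounts` output and reports settings that fall short of a baseline. The sample output is constructed, and the baseline values and function names are assumptions to adjust to your own standard.

```python
import re

# Constructed sample of `net accounts` output (not captured from a real host).
SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              7
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

# Assumed audit baseline (not from the page); tune to your organisation's standard.
MIN_LENGTH, MAX_LOCKOUT_THRESHOLD, MIN_HISTORY = 14, 10, 24

def parse_net_accounts(text):
    """Return {setting: value}; 'Never'/'None'/'Unlimited' map to None."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)(?: \([a-z]+\))?:\s+(\S.*)$", line)
        if m:  # the trailer line and blank lines have no "name: value" shape
            key, raw = m.group(1).lower(), m.group(2).strip()
            unset = raw.lower() in ("never", "none", "unlimited")
            policy[key] = int(raw) if raw.isdigit() else None if unset else raw
    return policy

def audit(policy):
    """Return findings for settings weaker than the assumed baseline."""
    findings = []
    threshold = policy.get("lockout threshold")
    if threshold is None:
        findings.append("lockout threshold is Never: accounts do not lock after failed logons")
    elif threshold > MAX_LOCKOUT_THRESHOLD:
        findings.append(f"lockout threshold {threshold} exceeds {MAX_LOCKOUT_THRESHOLD}")
    length = policy.get("minimum password length") or 0
    if length < MIN_LENGTH:
        findings.append(f"minimum password length {length} is below {MIN_LENGTH}")
    history = policy.get("length of password history maintained") or 0
    if history < MIN_HISTORY:
        findings.append(f"password history {history} is below {MIN_HISTORY}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_net_accounts(SAMPLE)):
        print("[!]", finding)
```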

### Fine-Grained Password Policy

```bash
# Enumerate all FGPPs configured
Get-ADFineGrainedPasswordPolicy -Filter *

# Obtain the FGPP assigned to a specific user
Get-ADUserResultantPasswordPolicy -Identity parzival

# Obtain FGPP via WMIC
wmic /namespace:\\ROOT\directory\LDAP PATH ds_msds_passwordsettings GET DS_DisplayName, ds_msds_PasswordSettingsPrecedence, ds_msds_LockoutObservationWindow, ds_msds_LockoutDuration, ds_msds_LockoutThreshold, ds_msds_PSOAppliesTo
```

### References

<https://specopssoft.com/blog/create-fine-grained-password-policy-active-directory/>

