With PowerShell, we can build a tool that will let us test for weak passwords for all users in our Active Directory (AD) environment. In this article, we're going to cover a couple of different methods to find weak passwords in AD.

Adam Bertram

Adam Bertram is a 20-year IT veteran, Microsoft MVP, blogger, and trainer. Adam is the founder of the e-learning tech screencast platform TechSnips. Catch up on Adam’s articles at adamtheautomator.com, or follow TechSnips on Twitter at @techsnips_io.

If you're an AD administrator, you're undoubtedly aware that allowing users to control their own passwords can sometimes get a little tricky. Users want passwords that are easy to remember, yet administrators want secure passwords. Typically, a good password policy can force good passwords, but even where no such policy exists, there's still hope.

Testing for weak passwords with DSInternals

The first method we can use to find weak passwords is the DSInternals PowerShell module. This is a community module built by Michael Grafnetter and available on GitHub. This module is also available in the PowerShell Gallery, so let's run Install-Module to download and install it.

The DSInternals module has a handy function called Test-PasswordQuality that allows us to perform many different checks at once. This function checks for weak passwords via a predefined list, duplicate passwords, default passwords set by the administrator but not changed, and finally empty passwords.

Using Test-PasswordQuality is pretty simple. To use all of its features, I've created a text file called passwords.txt containing a few simple passwords, one per line. Once I have created this text file, I can then use it to pass data to the Test-PasswordQuality command, which will check each password in the list against each AD user I pass to the function.

Below is an example of how to run this function. Since the Test-PasswordQuality function needs attributes not natively returned by more common AD cmdlets like Get-ADUser, the DSInternals module has its own command called Get-ADReplAccount. In my example below, I'm finding all AD users in my techsnips.local domain and querying the domain controller called DC.

Once Get-ADReplAccount finds all the AD users, I'm then passing each of those users to Test-PasswordQuality. I'm then providing it the list of passwords I created earlier to check against, and I'm also checking for weak passwords on disabled accounts, since it excludes those by default.

Once this code finishes running, it will present you with an Active Directory Password Quality Report. As you can see below, it contains lots of useful information about the passwords used with your AD user accounts!

Active Directory Password Quality Report


Other examples for testing weak passwords

If you do have a strong password policy in place (and you should!), we can also test passwords a few different ways from an existing list rather than just using the Test-PasswordQuality command.

For example, we can ensure a password meets the minimum password length.

We can also ensure the password is not the same as the samAccountName.

And in this final example, we can ensure a password meets complexity standards set by the password policy. Below, I'm checking a password to ensure it matches various regex patterns.
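The three checks above combined into one function, as an added example that is not the article's original code. It goes slightly beyond the text by rejecting passwords that contain the samAccountName rather than only those equal to it, as AD's complexity rule does, and it simplifies complexity to three of four character classes. The function name, its parameters, the default minimum length and the sample accounts are assumptions made for illustration.

```powershell
# Added example; Test-CandidatePassword and its parameters are hypothetical names.
function Test-CandidatePassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Assumed value; on a domain-joined host it can be read from
        # (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength.
        [int] $MinLength = 8
    )
    $failures = [System.Collections.Generic.List[string]]::new()

    # 1. Minimum length.
    if ($Password.Length -lt $MinLength) {
        $failures.Add("shorter than $MinLength characters")
    }

    # 2. Must not contain the samAccountName (case-insensitive).
    #    AD skips this check for account names shorter than three characters.
    if ($SamAccountName.Length -ge 3 -and
        $Password.IndexOf($SamAccountName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $failures.Add('contains the samAccountName')
    }

    # 3. Complexity: at least three of four character classes.
    #    -cmatch is case-sensitive; -match would treat [A-Z] and [a-z] alike.
    $classes = '[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]'
    $hits = @($classes | Where-Object { $Password -cmatch $_ }).Count
    if ($hits -lt 3) {
        $failures.Add("only $hits of 4 character classes")
    }

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        Compliant      = ($failures.Count -eq 0)
        Failures       = $failures -join '; '
    }
}

# Constructed sample input: made-up account names and candidate passwords.
$samples = @(
    @{ SamAccountName = 'jsmith';  Password = 'Jsmith2020!' }
    @{ SamAccountName = 'abrown';  Password = 'summer' }
    @{ SamAccountName = 'svc-sql'; Password = 'T4ll-Gr33n-Ladder' }
)
foreach ($s in $samples) { Test-CandidatePassword @s }
```

The first sample shows why the samAccountName check matters: it passes both the length and the complexity checks and is rejected only because it embeds the account name.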

Summary

With a little PowerShell and some knowledge about how to identify weak passwords, you can build some useful tools to ensure your AD user passwords are always the most secure they can be.

2 Comments
  1. Techman 10 months ago

    Thanks
    Is this going to lock all accounts if you have account lockout policies in place?!

    • Luc Fullenwarth 10 months ago

      @Techman

      The Test-PasswordQuality cmdlet does not try to authenticate with the weak password list.

      1. The Get-ADReplAccount cmdlet fetches some useful account information, including the password hash.
      2. This information is then piped to the Test-PasswordQuality cmdlet which uses the password hash to compare it against a list of weak passwords.

      I have tried it live, and as expected the test account has not been locked out.


© 4sysops 2006 - 2020
