Identify users with non-complex passwords. The script below lists accounts with no password requirement enabled.
Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNotRequired | Where-Object { $_.PasswordNotRequired -eq $true }

Check accounts with passwords older than 180 days. The script below identifies users who haven't changed their password in six months.
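# -Filter does not evaluate method calls such as (Get-Date).AddDays(), so compute the cutoff first.
$cutoff = (Get-Date).AddDays(-180)
$staleUsers = Get-ADUser -Filter 'PasswordLastSet -lt $cutoff' -Properties PasswordLastSet

Export the list to a CSV file. This saves weak password data to a CSV for further analysis.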
$staleUsers | Select-Object Name, SamAccountName, PasswordLastSet | Export-Csv -Path "C:\Reports\PasswordAudit.csv" -NoTypeInformation

Prompt affected users to reset passwords.
foreach ($user in $staleUsers) {
    Set-ADUser -Identity $user.SamAccountName -ChangePasswordAtLogon $true
}

You can check the strength of AD passwords by running the script below. This retrieves users with weak password security.
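# Returns every user with PasswordLastSet and badPwdCount loaded for review; no filtering is applied here.
Get-ADUser -Filter * -Properties Name, PasswordLastSet, badPwdCount

Yes, you can identify users with old passwords by running the script below.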
Search-ADAccount -PasswordExpired

Use fine-grained password policies (FGPP) for stricter password rules.
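# Set-MsolUser is an MSOnline (Azure AD) cmdlet. This line marks the account's password as never expiring; it does not create or assign an FGPP.
Set-MsolUser -UserPrincipalName user@domain.com -PasswordNeverExpires $true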
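
The identify, export and reset steps above can be combined into one pass that records why each account was flagged. The following is an added example, not part of the original page: the function name Get-PasswordFinding, the finding labels, the CanForceReset column and the sample accounts are all assumptions made for illustration. It runs offline against constructed objects; the closing comments show how it would be fed from Get-ADUser.

```powershell
# Added example: tag each account with its password-hygiene findings.
# Accepts objects shaped like Get-ADUser output (hypothetical helper name).
function Get-PasswordFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $MaxAgeDays = 180
    )
    begin { $cutoff = (Get-Date).AddDays(-$MaxAgeDays) }
    process {
        $findings = @()
        if ($User.PasswordNotRequired)  { $findings += 'PasswordNotRequired' }
        if ($User.PasswordNeverExpires) { $findings += 'PasswordNeverExpires' }
        if ($null -eq $User.PasswordLastSet) {
            # pwdLastSet is 0: never set, or already flagged to change at next logon
            $findings += 'NoPasswordLastSet'
        } elseif ($User.PasswordLastSet -lt $cutoff) {
            $findings += "OlderThan${MaxAgeDays}Days"
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName  = $User.SamAccountName
                Enabled         = $User.Enabled
                PasswordLastSet = $User.PasswordLastSet
                Findings        = $findings -join ';'
                # -ChangePasswordAtLogon $true cannot be set while PasswordNeverExpires is true
                CanForceReset   = [bool]($User.Enabled -and -not $User.PasswordNeverExpires)
            }
        }
    }
}

# Constructed sample accounts (not real data) so the logic can be checked offline.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ SamAccountName='alice';   Enabled=$true;  PasswordNotRequired=$false; PasswordNeverExpires=$false; PasswordLastSet=$now.AddDays(-30) }
    [pscustomobject]@{ SamAccountName='bob';     Enabled=$true;  PasswordNotRequired=$false; PasswordNeverExpires=$false; PasswordLastSet=$now.AddDays(-400) }
    [pscustomobject]@{ SamAccountName='svc-app'; Enabled=$true;  PasswordNotRequired=$true;  PasswordNeverExpires=$true;  PasswordLastSet=$now.AddDays(-900) }
    [pscustomobject]@{ SamAccountName='carol';   Enabled=$false; PasswordNotRequired=$false; PasswordNeverExpires=$false; PasswordLastSet=$null }
)
$report = $sample | Get-PasswordFinding
$report | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
#   Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNotRequired, PasswordNeverExpires |
#       Get-PasswordFinding | Export-Csv -Path "C:\Reports\PasswordAudit.csv" -NoTypeInformation
# Preview the forced reset with -WhatIf before applying it:
#   $report | Where-Object CanForceReset |
#       ForEach-Object { Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true -WhatIf }
```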