The PowerShell script given below can be used to list all the domain user accounts with weak passwords in the Password Quality Report. The weak passwords are determined based on a predefined list, duplicate passwords, default passwords set by the administrator, and empty passwords. Alternatively, you can get the desired information without a PowerShell script using Weak Password Finder, a free tool offered by ManageEngine that finds and displays a list of users with weak passwords. ADSelfService Plus's Password Policy Enforcer helps you create a custom, stringent password policy, thereby preventing the creation of weak passwords. Here is a comparison between auditing the password quality of domain accounts using PowerShell and using ADSelfService Plus:
To create this script, the DSInternals module must be downloaded from GitHub. Its Test-PasswordQuality function is used to audit the user accounts' password quality.
Run the PowerShell command below to install the DSInternals module:

Install-Module DSInternals

Then create a text file with a list of weak passwords. Enter and run the PowerShell script provided below to generate the Password Quality Report.
# Text file holding the list of weak passwords to test against
$Passwords = "$($ENV:USERProfile)\Desktop\passwords.txt"
$Params = @{
    "All"           = $True                   # replicate every account in the naming context
    "Server"        = 'DC'                    # domain controller to replicate from
    "NamingContext" = 'dc=techsnips,dc=local' # domain naming context to audit
}
# Pull the account password hashes through replication and test their quality
Get-ADReplAccount @Params | Test-PasswordQuality -WeakPasswordsFile $Passwords -IncludeDisabledAccounts

The Weak Password Finder helps you audit the password quality of user accounts in Active Directory by comparing users' passwords against a predefined list of commonly used weak passwords and generating a Weak Password Users Report as shown below:
Feature configuration is as simple as:
Apart from helping you find users with weak passwords, ADSelfService Plus' Password Policy Enforcer can also be used to create a customized password policy with rules for preventing dictionary passwords, patterns, and more for user accounts in specific domains, groups, or OUs.
Identify users with non-complex passwords. The script below lists accounts that have the "password not required" flag set.

# Accounts with the PasswordNotRequired flag set
Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNotRequired | Where-Object { $_.PasswordNotRequired -eq $true }

Check accounts with passwords older than 180 days. The script below identifies users who haven't changed their password in six months.

# Compute the cutoff first: method calls inside -Filter are not evaluated by the AD provider
$cutoff = (Get-Date).AddDays(-180)
$staleUsers = Get-ADUser -Filter 'PasswordLastSet -lt $cutoff' -Properties PasswordLastSet

Export the list to a CSV file. This saves the stale-password data to a CSV for further analysis.

$staleUsers | Select-Object Name, SamAccountName, PasswordLastSet | Export-Csv -Path "C:\Reports\PasswordAudit.csv" -NoTypeInformation

Prompt affected users to reset passwords.

foreach ($user in $staleUsers) {
    # Require a new password at the user's next logon
    Set-ADUser -Identity $user.SamAccountName -ChangePasswordAtLogon $true
}

You can check the strength of AD passwords by running the script below. This retrieves each user's password-related attributes (last set date and bad-password count) for review.

Get-ADUser -Filter * -Properties Name, PasswordLastSet, badPwdCount

Yes, you can identify users with old passwords by running the script below.

# Accounts whose password has already expired under the applicable policy
Search-ADAccount -PasswordExpired

Use fine-grained password policies (FGPP) for stricter password rules.

# MSOnline (Azure AD) cmdlet: exempts this cloud user from password expiry; it does not configure an on-premises FGPP
Set-MsolUser -UserPrincipalName user@domain.com -PasswordNeverExpires $true
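As an added example (not code from the original page or from ManageEngine), the script below ties the DSInternals audit above to the CSV export and forced-reset steps from the questions: it merges the weak, empty and duplicate-password findings into one list, enriches each account with its AD state, writes a CSV, and only with -Enforce sets the change-at-next-logon flag. It assumes the WeakPassword, EmptyPassword and DuplicatePasswordGroups properties of the Test-PasswordQuality result object, and that the names they hold are SamAccountNames with an optional DOMAIN\ prefix.

```powershell
param(
    [string]$Server        = 'DC',
    [string]$NamingContext = 'dc=techsnips,dc=local',
    [string]$WeakListPath  = "$env:USERPROFILE\Desktop\passwords.txt",
    [string]$ReportPath    = 'C:\Reports\WeakPasswordUsers.csv',
    [switch]$Enforce       # only flip ChangePasswordAtLogon when explicitly asked
)

Import-Module DSInternals
Import-Module ActiveDirectory

# Same audit as on the page; disabled accounts are included so they appear in the report
$result = Get-ADReplAccount -All -Server $Server -NamingContext $NamingContext |
    Test-PasswordQuality -WeakPasswordsFile $WeakListPath -IncludeDisabledAccounts

# One row per finding. Property names are assumed from the DSInternals result object.
$findings = @()
$findings += $result.WeakPassword  | ForEach-Object { [pscustomobject]@{ Account = $_; Finding = 'WeakPassword' } }
$findings += $result.EmptyPassword | ForEach-Object { [pscustomobject]@{ Account = $_; Finding = 'EmptyPassword' } }
$groupNo = 0
foreach ($group in $result.DuplicatePasswordGroups) {
    $groupNo++
    $findings += $group | ForEach-Object { [pscustomobject]@{ Account = $_; Finding = "DuplicatePassword(group $groupNo)" } }
}

# Enrich each finding with the account's state so disabled or stale accounts can be triaged separately
$report = foreach ($f in $findings) {
    $sam = ($f.Account -split '\\')[-1]   # tolerate a DOMAIN\ prefix (assumption)
    $u = Get-ADUser -Identity $sam -Server $Server -Properties PasswordLastSet, PasswordNeverExpires, Enabled -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SamAccountName       = $sam
        Finding              = $f.Finding
        Enabled              = $u.Enabled
        PasswordLastSet      = $u.PasswordLastSet
        PasswordNeverExpires = $u.PasswordNeverExpires
    }
}

$report | Sort-Object SamAccountName | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$($report.Count) findings written to $ReportPath"

if ($Enforce) {
    # Force a password change at next logon for enabled accounts only
    $report | Where-Object { $_.Enabled } | Select-Object -ExpandProperty SamAccountName -Unique |
        ForEach-Object { Set-ADUser -Identity $_ -Server $Server -ChangePasswordAtLogon $true }
}
```

Run it once without -Enforce to review the CSV, then rerun with -Enforce to apply the reset flag to the enabled accounts it listed.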