Store weak passwords in a text file (C:\BlocklistPasswords.txt), one entry per line. Add more weak passwords to this list as needed; the organisation's name, product names and seasonal words are the first guesses an attacker tries and belong on it.
password
123456
qwerty
admin
welcome
Compare each account's NT hash against the blocklist. Active Directory never exposes a password through Get-ADUser (there is no password attribute to read), so the comparison has to be done on hashes: hash every blocklist entry the way AD hashes passwords (MD4 over the UTF-16LE encoding, the NT hash) and match it against the NT hash stored for each account. Reading the stored hashes requires the directory-replication rights a domain controller uses; the script below assumes the DSInternals module (Install-Module DSInternals) for both the export (Get-ADReplAccount) and the hashing (ConvertTo-NTHash). Run it only from a hardened administrative host and treat its output as sensitive. DSInternals also ships Test-PasswordQuality -WeakPasswordsFile, which performs the same comparison and additionally reports accounts that share a password.
# Assumes the DSInternals module and "Replicating Directory Changes All" rights on the DC named in $dc
$dc = "dc01.yourdomain.com"
$weakHashes = @{}
foreach ($word in Get-Content "C:\BlocklistPasswords.txt") {
    # Hash each blocklist word exactly as AD does, so it can be matched against stored NT hashes
    $hash = [BitConverter]::ToString((ConvertTo-NTHash -Password (ConvertTo-SecureString $word -AsPlainText -Force))) -replace "-", ""
    $weakHashes[$hash] = $true
}
$weakUsers = foreach ($account in (Get-ADReplAccount -All -Server $dc | Where-Object { $_.Enabled -and $_.NTHash })) {
    $hash = [BitConverter]::ToString($account.NTHash) -replace "-", ""
    if ($weakHashes.ContainsKey($hash)) {
        Write-Host "$($account.SamAccountName) has a weak password."
        $account.SamAccountName   # collected in $weakUsers for the alerting step
    }
}
Modify the default domain password policy. The command below sets a minimum length of 12 characters, turns on the built-in complexity rule, and locks an account after five failed attempts. Complexity alone does not stop passwords such as Password1!, which is why the blocklist check above is still needed, and a low lockout threshold lets an attacker who sprays guesses across many accounts lock users out, so pair it with a sensible lockout duration and observation window (Set-ADDefaultDomainPasswordPolicy also takes -LockoutDuration and -LockoutObservationWindow). Confirm the result afterwards with Get-ADDefaultDomainPasswordPolicy.
Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" -MinPasswordLength 12 -ComplexityEnabled $true -LockoutThreshold 5
Send email alerts to users found with weak passwords. This prompts them to change the password. Do not put the matched blocklist word in the message, and for privileged accounts force the change instead of waiting (Set-ADUser -ChangePasswordAtLogon $true) or reset the password outright. The loop below takes the SamAccountNames flagged by the comparison step ($weakUsers) and looks up each mailbox address in AD; Send-MailMessage needs a relay, given here as -SmtpServer.
foreach ($sam in $weakUsers) {   # $weakUsers: SamAccountNames flagged by the blocklist comparison
    $user = Get-ADUser -Identity $sam -Properties EmailAddress
    if (-not $user.EmailAddress) { Write-Warning "$sam has no mail address; handle manually"; continue }
    Send-MailMessage -To $user.EmailAddress -From "admin@yourdomain.com" -SmtpServer "smtp.yourdomain.com" -Subject "Weak Password Alert" -Body "Your password appears on a list of blocked passwords. Please change it immediately."
}
Run the script below to find enabled users whose password was never set or is older than 90 days. A null PasswordLastSet means the password has never been set or a change is already forced at next logon; PasswordNeverExpires is included because such accounts are exempt from the domain's maximum password age and are easy to miss.
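The comparison and alerting steps above depend on hashing the blocklist the way Active Directory does. The script below is an added example, not code from the original article, that carries that NT-hash audit through end to end without any extra module: Get-NTHash computes MD4 over UTF-16LE inline, and Find-BlocklistedAccounts matches a list of accounts against the hashed blocklist and also flags accounts that share one hash. The account table is constructed so the script runs offline; the DSInternals cmdlet names in the comments are only the assumed production source of the hashes, and the function names are defined here, not by any library.

```powershell
# Added example, not code from the original article. Audits accounts against a password
# blocklist by NT hash, because Active Directory never hands out plaintext passwords: the
# blocklist is hashed the way AD hashes passwords (MD4 over the UTF-16LE encoding, the
# "NT hash") and compared with each account's stored NT hash. The account table at the
# bottom is constructed so the script runs offline; in production the NTHash values would
# come from a replication-based export such as DSInternals' Get-ADReplAccount -All (an
# assumption about tooling; it needs the "Replicating Directory Changes All" right and
# must run from a hardened admin host).

function Get-NTHash {
    # MD4 over UTF-16LE (RFC 1320), implemented inline so no extra module is required.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Password)
    $MASK = [long]4294967295
    $msg  = [System.Text.Encoding]::Unicode.GetBytes($Password)
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as a 64-bit little-endian integer
    $zeros = (56 - (($msg.Length + 1) % 64) + 64) % 64
    $buf = New-Object byte[] ($msg.Length + 1 + $zeros + 8)
    [Array]::Copy($msg, $buf, $msg.Length)
    $buf[$msg.Length] = 0x80
    [Array]::Copy([BitConverter]::GetBytes([uint64]($msg.Length * 8)), 0, $buf, $buf.Length - 8, 8)
    # Initial state (decimal to avoid signed hex literals), per-round shifts, word order and constants
    $h   = [long[]](1732584193, 4023233417, 2562383102, 271733878)
    $S   = @(@(3, 7, 11, 19), @(3, 5, 9, 13), @(3, 9, 11, 15))
    $IDX = @(@(0..15), @(0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), @(0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15))
    $K   = @(0, 0x5A827999, 0x6ED9EBA1)
    for ($off = 0; $off -lt $buf.Length; $off += 64) {
        $X = [long[]](0..15 | ForEach-Object { [BitConverter]::ToUInt32($buf, $off + 4 * $_) })
        $a, $b, $c, $d = $h
        for ($r = 0; $r -lt 3; $r++) {
            for ($i = 0; $i -lt 16; $i++) {
                if ($r -eq 0)     { $f = ($b -band $c) -bor ((-bnot $b) -band $d) }          # F
                elseif ($r -eq 1) { $f = ($b -band $c) -bor ($b -band $d) -bor ($c -band $d) } # G
                else              { $f = $b -bxor $c -bxor $d }                                # H
                $t = ($a + $f + $X[$IDX[$r][$i]] + $K[$r]) -band $MASK
                $s = $S[$r][$i % 4]
                $t = (($t -shl $s) -bor ($t -shr (32 - $s))) -band $MASK   # 32-bit rotate left
                $a = $d; $d = $c; $c = $b; $b = $t
            }
        }
        $h = [long[]]((($h[0] + $a) -band $MASK), (($h[1] + $b) -band $MASK), (($h[2] + $c) -band $MASK), (($h[3] + $d) -band $MASK))
    }
    $out = foreach ($w in $h) { [BitConverter]::GetBytes([uint32]$w) }   # little-endian digest
    return (($out | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Find-BlocklistedAccounts {
    param(
        [Parameter(Mandatory)][object[]]$Accounts,   # objects with SamAccountName and NTHash (32 hex chars)
        [Parameter(Mandatory)][string[]]$Blocklist
    )
    # Hash the blocklist once (hash -> word) so each account costs one dictionary lookup
    $byHash = @{}
    foreach ($word in $Blocklist) { $byHash[(Get-NTHash $word)] = $word }
    $byHash[(Get-NTHash '')] = '<empty password>'   # a blank password hashes to a fixed, well-known value
    foreach ($acct in $Accounts) {
        $hex = $acct.NTHash.ToUpperInvariant()       # exports differ in case; normalise before lookup
        if ($byHash.ContainsKey($hex)) {
            # The matched word is sensitive: write this report to a restricted location, never into user mail
            [pscustomobject]@{ SamAccountName = $acct.SamAccountName; Reason = 'Blocklisted'; Detail = $byHash[$hex] }
        }
    }
    # Identical NT hashes mean identical passwords; a shared password is a finding even when not blocklisted
    $Accounts | Group-Object -Property { $_.NTHash.ToUpperInvariant() } | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{ SamAccountName = ($_.Group.SamAccountName -join ', '); Reason = 'SharedPassword'; Detail = "$($_.Count) accounts" }
    }
}

# Constructed sample export (no real accounts). In production (assumed tooling):
# $accounts = Get-ADReplAccount -All -Server dc01 | Where-Object { $_.Enabled -and $_.NTHash } |
#             Select-Object SamAccountName, @{n='NTHash'; e={ [BitConverter]::ToString($_.NTHash) -replace '-', '' }}
$sampleAccounts = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   NTHash = '8846F7EAEE8FB117AD06BDD830B7586C' }  # NT hash of "password"
    [pscustomobject]@{ SamAccountName = 'svc-bk'; NTHash = '8846f7eaee8fb117ad06bdd830b7586c' }  # same password, lower-case export
    [pscustomobject]@{ SamAccountName = 'guest';  NTHash = '31D6CFE0D16AE931B73C59D7E0C089C0' }  # NT hash of the empty string
    [pscustomobject]@{ SamAccountName = 'asmith'; NTHash = '0123456789ABCDEF0123456789ABCDEF' }  # placeholder value, matches nothing
)
$blocklist = 'password', '123456', 'qwerty', 'admin', 'welcome'   # the article's list; in production Get-Content C:\BlocklistPasswords.txt
Find-BlocklistedAccounts -Accounts $sampleAccounts -Blocklist $blocklist | Format-Table -AutoSize
```

On the sample data this reports jdoe, svc-bk and guest as blocklisted (the empty-password check catches accounts created with the "password not required" flag) and jdoe and svc-bk as sharing one password. The Detail column names the matched word, so keep the report in restricted storage; the notification sent to users should only say that the password was found on the blocklist.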
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires | Where-Object { ($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt (Get-Date).AddDays(-90)) -or $_.PasswordNeverExpires } | Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires
Use a fine-grained password policy (FGPP) to apply stricter rules to a subset of accounts, such as administrators and service accounts, without changing the default domain policy. A policy object does nothing until it is applied to users or groups, and when several apply to one account the lowest Precedence value wins.
New-ADFineGrainedPasswordPolicy -Name "StrictPolicy" -Precedence 1 -MinPasswordLength 12 -ComplexityEnabled $true
Add-ADFineGrainedPasswordPolicySubject -Identity "StrictPolicy" -Subjects "Domain Admins"
This requires passwords of at least 12 characters that pass the complexity rule for the members of the group named in -Subjects. Check which policy actually applies to a given account with Get-ADUserResultantPasswordPolicy -Identity username; it returns nothing when only the default domain policy applies.
Yes. Password history is a property of the policy that applies to an account, not of the account itself: msDS-PasswordHistoryLength exists only on fine-grained password-settings objects, so requesting it from a user object returns nothing. Read the effective value with the commands below; the count is how many previous passwords AD remembers and refuses to accept again (the default domain policy ships with 24).
(Get-ADDefaultDomainPasswordPolicy).PasswordHistoryCount
Get-ADUserResultantPasswordPolicy -Identity username | Select-Object Name, PasswordHistoryCount
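The policy, stale-password and history steps above each read or set one value at a time. The script below is an added example, not code from the original article, that folds those checks into two reusable functions: Test-PasswordPolicyBaseline compares a policy object (default or fine-grained) against a baseline, including settings the steps above do not mention but a reviewer would ask about (reversible encryption, a zero maximum age, lockout disabled), and Get-StalePasswordAccounts applies the never-set, over-age and never-expires rules to a list of user objects. Both functions are defined here, the baseline numbers are assumptions to adjust locally, and the policy and user objects are constructed so the script runs without a domain.

```powershell
# Added example, not code from the original article. Test-PasswordPolicyBaseline checks a
# policy object against a baseline; Get-StalePasswordAccounts finds enabled accounts whose
# password is unset, older than the limit, or exempt from expiry. Both take objects as input
# so they run offline on the constructed samples below. In production pass the output of
# Get-ADDefaultDomainPasswordPolicy or Get-ADFineGrainedPasswordPolicy, and of
# Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires.
# Property names mirror those cmdlets; the baseline numbers are assumptions to adjust locally.

function Test-PasswordPolicyBaseline {
    param(
        [Parameter(Mandatory)]$Policy,
        [int]$MinLength = 12,
        [int]$MinHistory = 24,
        [int]$MaxAgeDays = 365,
        [int]$MaxLockoutThreshold = 10
    )
    $findings = @()
    if ($Policy.MinPasswordLength -lt $MinLength) { $findings += "MinPasswordLength is $($Policy.MinPasswordLength), baseline $MinLength" }
    if (-not $Policy.ComplexityEnabled) { $findings += "ComplexityEnabled is off" }
    if ($Policy.PasswordHistoryCount -lt $MinHistory) { $findings += "PasswordHistoryCount is $($Policy.PasswordHistoryCount), baseline $MinHistory" }
    # Reversible encryption stores passwords recoverably; it should never be on for a whole domain
    if ($Policy.ReversibleEncryptionEnabled) { $findings += "ReversibleEncryptionEnabled is on" }
    # A MaxPasswordAge of zero means passwords never expire (AD convention, assumed here)
    if ($Policy.MaxPasswordAge -eq [TimeSpan]::Zero) { $findings += "MaxPasswordAge is 0 (never expires)" }
    elseif ($Policy.MaxPasswordAge.TotalDays -gt $MaxAgeDays) { $findings += "MaxPasswordAge is $($Policy.MaxPasswordAge.TotalDays) days, baseline $MaxAgeDays" }
    # Threshold 0 disables lockout entirely; a high threshold gives a password-spraying attacker more free guesses
    if ($Policy.LockoutThreshold -eq 0) { $findings += "LockoutThreshold is 0 (lockout disabled)" }
    elseif ($Policy.LockoutThreshold -gt $MaxLockoutThreshold) { $findings += "LockoutThreshold is $($Policy.LockoutThreshold), baseline at most $MaxLockoutThreshold" }
    return ,$findings   # the comma keeps an empty result as an empty array rather than $null
}

function Get-StalePasswordAccounts {
    param(
        [Parameter(Mandatory)][object[]]$Users,   # objects with SamAccountName, Enabled, PasswordLastSet, PasswordNeverExpires
        [int]$MaxAgeDays = 90,
        [datetime]$Now = (Get-Date)                # injectable so results are reproducible
    )
    foreach ($u in $Users) {
        if (-not $u.Enabled) { continue }         # disabled accounts cannot log on; review them separately
        $reason = $null
        if ($null -eq $u.PasswordLastSet) { $reason = 'NeverSet' }                         # pwdLastSet = 0: never set, or change forced at next logon
        elseif ($u.PasswordNeverExpires) { $reason = 'NeverExpires' }                      # exempt from MaxPasswordAge, so age is never enforced
        elseif ($u.PasswordLastSet -lt $Now.AddDays(-$MaxAgeDays)) { $reason = 'Expired' } # older than the limit
        if ($reason) {
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; PasswordLastSet = $u.PasswordLastSet; Reason = $reason }
        }
    }
}

# Constructed sample mirroring the out-of-box default domain policy values
$samplePolicy = [pscustomobject]@{ MinPasswordLength = 7; ComplexityEnabled = $true; ReversibleEncryptionEnabled = $false; PasswordHistoryCount = 24; MaxPasswordAge = [TimeSpan]::FromDays(42); LockoutThreshold = 0 }
Test-PasswordPolicyBaseline -Policy $samplePolicy      # reports MinPasswordLength and LockoutThreshold

# Constructed sample users, evaluated against a fixed date
$now = Get-Date '2024-06-01'
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   Enabled = $true;  PasswordLastSet = $now.AddDays(-10);  PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc-bk'; Enabled = $true;  PasswordLastSet = $now.AddDays(-400); PasswordNeverExpires = $true }
    [pscustomobject]@{ SamAccountName = 'newhire'; Enabled = $true; PasswordLastSet = $null;              PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'oldpw';  Enabled = $true;  PasswordLastSet = $now.AddDays(-120); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'leaver'; Enabled = $false; PasswordLastSet = $now.AddDays(-500); PasswordNeverExpires = $false }
)
Get-StalePasswordAccounts -Users $sampleUsers -Now $now | Format-Table -AutoSize   # svc-bk, newhire, oldpw
```

Against a real domain, run Test-PasswordPolicyBaseline once on Get-ADDefaultDomainPasswordPolicy and once per object returned by Get-ADFineGrainedPasswordPolicy -Filter *, since a lax fine-grained policy overrides a strict default for its subjects. Accounts reported as NeverExpires are the ones the 90-day check in the article silently skips; decide for each whether the exemption is justified (a managed service account) or should be removed.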