Get Active Directory users with pwned passwords using PowerShell
The PowerShell script given below will inform whether the password provided has been breached before during cyberattacks. ADSelfService Plus, an Active Directory self-service password management and single sign-on solution, offers an integration with the 'Have I Been Pwned?' service to inform users if the new password provided during the password reset or change has been breached before. Here is a comparison between identifying whether a password has been breached or not using PowerShell and ADSelfService Plus.
Install-Script -Name Get-PwnedPassword
Once the package has been installed, run this script to determine if the password you provide has been breached or not.
Get-PwnedPassword <enter the password>
With ADSelfService Plus
- Go to Admin > Product Settings > Integration Settings.
- In the Integration Settings section, click Have I Been Pwned, and then click Enable HaveIBeenPwned Integration.
- Once this integration is successful, whenever a user resets or changes their password in ADSelfService Plus, an error message will pop up if the new password they provide has been breached.
- Quick configuration:
The Have I Been Pwned? integration with ADSelfService Plus can be enabled with minimal steps.
- Password Policy Enforcer:
Another ADSelfService Plus feature that prevents users from creating weak passwords that are vulnerable to hacks is the Password Policy Enforcer. With this feature, administrators can create a custom password policy containing rules to blacklist breached passwords, prevent common patterns, and more to ensure that users create strong passwords. This password policy can be enforced during passwords reset and changes using ADSelfService, native password changes (password change using the Ctrl+Alt+Del console and password reset using the Active Directory Users and Computers (ADUC) console).