A chap called Michael Grafnetter has created a brilliant PowerShell module, DSInternals, that checks the password hashes stored in Active Directory against a list of simple or common passwords.
This is great for encouraging users not to pick obvious passwords: if a company is called Contoso, for example, you'd want to catch users who have chosen Contoso1, Contoso2023 and the like.
Download the software:
Copy the DSInternals directory to your PowerShell modules directory, e.g.
Launch Windows PowerShell.
(Optional) If you copied the module to a directory other than your PowerShell modules directory, you have to import it manually from that location with the Import-Module .\DSInternals\DSInternals.psd1 command.
Next create a text file called passwords.txt and fill it with the passwords you'd like to scan for, one per line, for example:
Then here’s an example script:
First set the password text file that will be turned into a dictionary of NT hashes.
Then set the Domain Controller to pull the account data from, in this case DC1.
Then set the distinguished name of the naming context (the domain) whose accounts you want to scan:
# Hash each line of passwords.txt into an NT hash lookup table
$dictionary = Get-Content passwords.txt | ConvertTo-NTHashDictionary
# Replicate every account (including its NT hash) from DC1 and test each one
Get-ADReplAccount -All -Server DC1 -NamingContext 'dc=adatum,dc=com' |
Test-PasswordQuality -WeakPasswordHashes $dictionary -ShowPlainTextPasswords -IncludeDisabledAccounts
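The snippet above scans the whole domain against whatever happens to be in passwords.txt. The following is an added example (not from the original post and not part of DSInternals itself) that builds the company-name dictionary the opening paragraph describes and then narrows the same pipeline down to a single OU and its sub-OUs. The company name "Contoso", the server DC1, the domain dc=adatum,dc=com and the OU "OU=Staff,DC=adatum,DC=com" are placeholders you would replace with your own; the DistinguishedName property used for the OU filter is assumed to be present on the objects Get-ADReplAccount returns.

```powershell
# Added example: generate passwords.txt from company-name variants and audit one OU.
# Placeholders: Contoso, DC1, dc=adatum,dc=com and OU=Staff are assumptions, not real values.
Import-Module DSInternals

# Variants of the company name that users tend to reach for
$companyNames = @('Contoso', 'contoso', 'CONTOSO')
$suffixes     = @('', '1', '123', '!', '2023', '2024', '2023!', '2024!')

# Season+year passwords are just as common as company-name ones
$seasons = @('Spring', 'Summer', 'Autumn', 'Winter')
$years   = @('2023', '2024')

$candidates = foreach ($name in $companyNames) {
    foreach ($suffix in $suffixes) { "$name$suffix" }
}
$candidates += foreach ($season in $seasons) {
    foreach ($year in $years) { "$season$year"; "$season$year!" }
}
$candidates += @('Password1', 'Welcome1', 'Welcome123', 'P@ssw0rd')

# One password per line, duplicates removed
$candidates | Sort-Object -Unique | Set-Content -Path passwords.txt

# Same dictionary step as the original script
$dictionary = Get-Content passwords.txt | ConvertTo-NTHashDictionary

# Restrict the audit to accounts under one OU (and any OUs nested beneath it)
# by matching the tail of each account's distinguished name.
$ouSuffix = 'OU=Staff,DC=adatum,DC=com'

$report = Get-ADReplAccount -All -Server DC1 -NamingContext 'dc=adatum,dc=com' |
    Where-Object { $_.DistinguishedName -like "*,$ouSuffix" } |
    Test-PasswordQuality -WeakPasswordHashes $dictionary -IncludeDisabledAccounts

# -ShowPlainTextPasswords is deliberately left off here so the report only
# names the affected accounts; add it back if you need the matched passwords.
$report
```

Two things worth remembering when you run this: Get-ADReplAccount pulls the hashes through the directory replication interface, so the account you run it as needs the Replicating Directory Changes rights on the domain and the activity looks exactly like a DCSync from the DC's point of view, and the report (especially with -ShowPlainTextPasswords) is itself sensitive data, so keep it on the admin workstation rather than mailing it around.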
Here's an example of the output; each heading is a section of the report, followed by the accounts that fall into it:
Active Directory Password Quality Report
Passwords of these accounts are stored using reversible encryption:
LM hashes of passwords of these accounts are present:
These accounts have no password set:
Passwords of these accounts have been found in the dictionary:
Historical passwords of these accounts have been found in the dictionary:
These groups of accounts have the same passwords:
These computer accounts have default passwords:
Kerberos AES keys are missing from these accounts:
Kerberos pre-authentication is not required for these accounts:
Only DES encryption is allowed to be used with these accounts:
These administrative accounts are allowed to be delegated to a service:
Passwords of these accounts will never expire:
These accounts are not required to have a password: