A chap called Michael Grafnetter has created a brilliant PowerShell script to check password hashes in Active Directory against a list of simple or common passwords.
This is great to encourage users not to use obvious passwords, for example if a company is called Contoso then you’d want to encourage users not to use Contoso1 etc.
Download the software:
Copy the DSInternals directory to your PowerShell modules directory, e.g.
Launch Windows PowerShell.
(Optional) If you copied the module to a different directory than advised in step 4, you have to manually import it using the Import-Module .\DSInternals\DSInternals.psd1 command.
Next create a text file called passwords.txt and fill it with passwords you’d like to scan for, example:
Password Password1 Contoso1
Then here’s an example script:
First set the password txt file.
Then set the Domain Contoller, in this case DC1
Then set the distinguished name of the OU and sub OUs you can to scan:
Note ” and ‘ are not showing up properly,
$dictionary = Get-Content passwords.txt | ConvertTo-NTHashDictionary Get-ADReplAccount -All -Server DC1 -NamingContext ‘dc=adatum,dc=com’ | Test-PasswordQuality -WeakPasswordHashes $dictionary -ShowPlainTextPasswords -IncludeDisabledAccounts
$dictionary = Get-Content passwords.txt | ConvertTo-NTHashDictionary Get-ADReplAccount -All -Server DC1 -NamingContext 'dc=adatum,dc=com' | Test-PasswordQuality -WeakPasswordHashes $dictionary -ShowPlainTextPasswords -IncludeDisabledAccounts
Here’s an output:
Active Directory Password Quality Report ---------------------------------------- Passwords of these accounts are stored using reversible encryption: April Brad Don LM hashes of passwords of these accounts are present: These accounts have no password set: Guest nolan test Passwords of these accounts have been found in the dictionary: adam Pa$$w0rd peter July2016 Historical passwords of these accounts have been found in the dictionary: april Pa$$w0rd brad Pa$$w0rd These groups of accounts have the same passwords: Group 1: Aidan John Group 2: Joe JoeAdmin JoeVPN These computer accounts have default passwords: LON-CL2$ Kerberos AES keys are missing from these accounts: Julian Kerberos pre-authentication is not required for these accounts: Holly Chad Only DES encryption is allowed to be used with these accounts: Holly Jorgen These administrative accounts are allowed to be delegated to a service: Administrator April krbtgt Passwords of these accounts will never expire: Administrator Guest These accounts are not required to have a password: Guest Magnus Maria