The complexity of a user password in Active Directory domain is one of the key security elements both for user data, and the entire domain. As a rule, users prefer to use weak, easy-to-remember passwords. Thus, they significantly reduce the level of protection against hackers for their accounts. In this article, we’ll show how to audit users password strenght in Active Directory using PowerShell.
To test user password resistance to the attacks, we’ll use a third-party PowerShell module — DSInternals. This module contains a number of cmdlets that allow to perform different operations with AD database in online or offline mode (directly with ntds.dit). In particular, we are interested in Test-PasswordQuality cmdlet that allows to detect users having weak, similar, standard or blank passwords.
How to Install DSInternals Module
In PowerShell 5 you can install DSInternals online from the official PowerShell script gallery as follows:
In earlier PowerShell versions or in isolated systems, you have to download the .zip archive with the latest module version from GitHub (https://github.com/MichaelGrafnetter/DSInternals/releases). By the time this article had been written, the latest release was DSInternals v2.16.1. Unzip this archive into one of the directories containing PowerShell modules:
Or import the module using this command:
The list of available cmdlets can be obtained as follows:
Get-Command -Module DSInternals
Then we’ll need a file containing the dictionary of often used or “bad” passwords. You can download it from the Internet or create yourself. User accounts in Active directory will be checked against the passwords from this dictionary. Let’s save the passwords in the text file PasswordDict.txt.
Audit of AD Passwords Using Test-PasswordQuality
In the following variables, specify the path to the file with passwords, the domain name and the domain controller name.
$DictFile = "C:\distr\PS\DSInternals\PasswordDict.txt"
$DC = "lon-dc01"
$Domain = "DC=woshub,DC=loc"
Then get NT hashes for all passwords from the dictionary file to compare them to the password hashes of AD users:
$Dict = Get-Content $DictFile | ConvertTo-NTHashDictionary
Then using Get-ADReplAccount cmdlet, get the list of AD objects, the data of their NT and LM hashes, as well as the hash history. After that the password hash of each user will be compared to the hashes from the dictionary file.
Get-ADReplAccount -All -Server $DC -NamingContext $Domain |
Test-PasswordQuality -WeakPasswordHashes $Dict -ShowPlainTextPasswords -IncludeDisabledAccounts
The result of running the script may look like that:
Active Directory Password Quality Report
Passwords of these accounts are stored using reversible encryption:
LM hashes of passwords of these accounts are present:
These accounts have no password set:
Passwords of these accounts have been found in the dictionary:
Historical passwords of these accounts have been found in the dictionary:
These groups of accounts have the same passwords:
These computer accounts have default passwords:
Kerberos AES keys are missing from these accounts:
Kerberos pre-authentication is not required for these accounts:
Only DES encryption is allowed to be used with these accounts:
These administrative accounts are allowed to be delegated to a service:
Passwords of these accounts will never expire:
These accounts are not required to have a password:
As you can see, AD users whose passwords coincide with those from the dictionary have been successfully found (user password history has been searched as well). Users having the same passwords have also been detected.
So, using this scenario you can easily analyze the quality of AD user passwords, their resistance against brute force, estimate the current domain password policy complexity and make the necessary conclusions. Active Directory administrators can (and should) perform this audit regularly.