Posted on October 5, 2016 · Posted in Active Directory, Powershell

Auditing Users Password Strength in AD

The complexity of a user password in an Active Directory domain is one of the key security elements, both for user data and for the domain as a whole. As a rule, users prefer weak, easy-to-remember passwords, which significantly reduces the protection of their accounts against attackers. In this article, we’ll show how to audit user password strength in Active Directory using PowerShell.

To test how well user passwords hold up against attacks, we’ll use a third-party PowerShell module — DSInternals. This module contains a number of cmdlets that let you perform different operations on the AD database in online or offline mode (directly with ntds.dit). In particular, we are interested in the Test-PasswordQuality cmdlet, which detects users with weak, identical, default or blank passwords.

Note. Naturally, user passwords cannot be obtained from the AD database as plain text, but by comparing the NT hashes of AD user passwords with the NT hashes of words from a dictionary you can detect which users have a dictionary password.

How to Install DSInternals Module

In PowerShell 5 you can install DSInternals online from the official PowerShell script gallery as follows:

Install-Module DSInternals

In earlier PowerShell versions or on isolated systems, you have to download the .zip archive with the latest module version from GitHub (by the time this article was written, the latest release was DSInternals v2.16.1). Unzip this archive into one of the directories containing PowerShell modules:

  • C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DSInternals
  • C:\Users\%username%\Documents\WindowsPowerShell\Modules\DSInternals

Or import the module using this command:

Import-Module C:\distr\PS\DSInternals\DSInternals.psd1

The list of available cmdlets can be obtained as follows:

Get-Command -Module DSInternals

Import DSInternals module

Password Dictionary

Next we need a file containing a dictionary of commonly used or “bad” passwords. You can download one from the Internet or create your own. Active Directory user accounts will be checked against the passwords from this dictionary. Let’s save the passwords in the text file PasswordDict.txt.

password dictionary file

Audit of AD Passwords Using Test-PasswordQuality

In the following variables, specify the path to the file with passwords, the domain name and the domain controller name.

$DictFile = "C:\distr\PS\DSInternals\PasswordDict.txt"
$DC = "lon-dc01"
$Domain = "DC=woshub,DC=loc"

Then get NT hashes for all passwords from the dictionary file to compare them to the password hashes of AD users:

$Dict = Get-Content $DictFile | ConvertTo-NTHashDictionary

Convert Password from Dictionary To NT Hash

Then, using the Get-ADReplAccount cmdlet, get the list of AD objects together with their NT and LM hashes and their password hash history. The password hash of each user is then compared to the hashes from the dictionary file.

Get-ADReplAccount -All -Server $DC -NamingContext $Domain |
Test-PasswordQuality -WeakPasswordHashes $Dict -ShowPlainTextPasswords -IncludeDisabledAccounts

The result of running the script may look like that:

Active Directory Password Quality Report

Passwords of these accounts are stored using reversible encryption:

LM hashes of passwords of these accounts are present:

These accounts have no password set:

Passwords of these accounts have been found in the dictionary:
gmiller         123qwe
dmitchellt      Pa$$w0rd
pvoeten         123qwe
bmccarthy       Pa$$w0rd
locadmin        Pa$$w0rd
jseale          Pa$$w0rd

Historical passwords of these accounts have been found in the dictionary:
administrator   Pa$$w0rd
pvoeten         September2016
bmccarthy       August2016

These groups of accounts have the same passwords:
Group 1:
Group 2:

These computer accounts have default passwords:

Kerberos AES keys are missing from these accounts:

Kerberos pre-authentication is not required for these accounts:

Only DES encryption is allowed to be used with these accounts:

These administrative accounts are allowed to be delegated to a service:

Passwords of these accounts will never expire:

These accounts are not required to have a password:


As you can see, AD users whose passwords match entries in the dictionary have been found (the password history has been searched as well), and users sharing the same password have also been detected.

So, with this script you can easily analyze the quality of AD user passwords and their resistance to brute-force attacks, assess the current password complexity policy and draw the necessary conclusions. Active Directory administrators can (and should) perform this audit regularly.
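To make the audit repeatable and turn its findings into remediation, here is an added example script (not from the original article or the DSInternals project) that runs the same pipeline without printing plaintext passwords, saves the report, and flags every matched account for a forced password change. It assumes the report object exposes WeakPassword, WeakHistoricalPassword and DuplicatePasswordGroups properties (verify with $Report | Get-Member) and that the RSAT ActiveDirectory module is available; paths and names are the sample values used above.

```powershell
# Added example: audit + remediation wrapper around the pipeline shown above.
# Assumptions: report property names (WeakPassword, WeakHistoricalPassword,
# DuplicatePasswordGroups) as exposed by DSInternals; RSAT ActiveDirectory module
# installed for Get-ADUser / Set-ADUser. Paths and names are the article's samples.
Import-Module DSInternals
Import-Module ActiveDirectory

$DictFile = "C:\distr\PS\DSInternals\PasswordDict.txt"
$DC       = "lon-dc01"
$Domain   = "DC=woshub,DC=loc"
$LogFile  = "C:\distr\PS\DSInternals\PasswordAudit-{0:yyyyMMdd-HHmm}.txt" -f (Get-Date)

$Dict = Get-Content $DictFile | ConvertTo-NTHashDictionary

# -ShowPlainTextPasswords is deliberately omitted: the saved report should list
# affected accounts, not the recovered passwords.
$Report = Get-ADReplAccount -All -Server $DC -NamingContext $Domain |
    Test-PasswordQuality -WeakPasswordHashes $Dict -IncludeDisabledAccounts
$Report | Out-File -FilePath $LogFile

# Collect account names from a report property whether it is a plain list of
# sAMAccountNames or a dictionary keyed by sAMAccountName (differs between versions).
function Get-AccountNames($Property) {
    if ($null -eq $Property) { return @() }
    if ($Property -is [System.Collections.IDictionary]) { return @($Property.Keys) }
    return @($Property)
}

$Affected = @()
$Affected += Get-AccountNames $Report.WeakPassword
$Affected += Get-AccountNames $Report.WeakHistoricalPassword
foreach ($Group in @($Report.DuplicatePasswordGroups)) {
    $Affected += Get-AccountNames $Group
}
$Affected = $Affected | Where-Object { $_ } | Sort-Object -Unique

# Force a password change at next logon for each affected user account.
# Keep -WhatIf on the first run and review $LogFile before applying it for real.
foreach ($Name in $Affected) {
    # Names may carry a domain prefix such as WOSHUB\gmiller; keep only the sAMAccountName.
    $Sam  = ($Name -split '\\')[-1]
    $User = Get-ADUser -Server $DC -Filter "SamAccountName -eq '$Sam'" -ErrorAction SilentlyContinue
    if ($User) {
        Set-ADUser -Identity $User -ChangePasswordAtLogon $true -Server $DC -WhatIf
    }
}
"{0} accounts flagged; report saved to {1}" -f $Affected.Count, $LogFile
```

Computer accounts that appear in a duplicate-password group are skipped because Get-ADUser returns nothing for them; handle those (and krbtgt) separately rather than forcing a logon-time change.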
