How to audit Active Directory Password Quality using PowerShell
The PowerShell script given below can be used to list all the domain user accounts with weak passwords in the Password Quality Report. Weak passwords are determined based on a predefined list, duplicate passwords, default passwords set by the administrator, and empty passwords. Alternatively, you can get the same information without a PowerShell script using Weak Password Finder, a free tool offered by ManageEngine that finds and displays a list of users with weak passwords. ADSelfService Plus's Password Policy Enforcer helps you create a custom, stringent password policy, thereby preventing the creation of weak passwords. Here is a comparison between auditing the password quality of domain accounts using PowerShell and using ADSelfService Plus:
PowerShell
Run the following PowerShell command to install the DSInternals module:
Install-Module DSInternals
Then create a text file containing the list of weak passwords to test against (one password per line). Enter and run the PowerShell script provided below to generate the Password Quality Report.
# Path to the weak-password list created in the previous step
$Passwords = "$($ENV:USERProfile)\Desktop\passwords.txt"

# Parameters for Get-ADReplAccount: pull all accounts from the named DC and naming context
$Params = @{
    "All"           = $True
    "Server"        = 'DC'
    "NamingContext" = 'dc=techsnips,dc=local'
}

# Replicate the account data and test each password against the weak list,
# duplicate and empty checks; disabled accounts are included in the report
Get-ADReplAccount @Params | Test-PasswordQuality -WeakPasswordsFile $Passwords -IncludeDisabledAccounts
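The following script is an added example, not code from the page above or from ManageEngine or the DSInternals project. It carries the three steps above through end to end: it makes sure the module is installed, builds the weak-password file from a constructed sample list, runs the audit, and writes the findings to a timestamped CSV instead of leaving them on the console. The DC hostname DC01 and naming context dc=example,dc=local are assumed values; the result property names WeakPassword, EmptyPassword and DuplicatePasswordGroups are those exposed by DSInternals' Test-PasswordQuality result object and should be checked against the version you install.

```powershell
# Added example (assumed server, naming context and sample passwords).
# Step 1: make sure DSInternals is available, installing from the PowerShell Gallery if missing.
if (-not (Get-Module -ListAvailable -Name DSInternals)) {
    Install-Module -Name DSInternals -Scope CurrentUser -Force
}
Import-Module DSInternals

# Step 2: build the weak-password list. This is a constructed sample; in practice extend it
# with the organisation's name, product names, seasons/years and previously breached passwords.
$weakListPath = Join-Path $env:USERPROFILE 'Desktop\passwords.txt'
@(
    'Password1'
    'Welcome1'
    'Summer2023!'
    'Changeme123'
    'P@ssw0rd'
) | Set-Content -Path $weakListPath -Encoding UTF8

# Step 3: replicate the account data and test password quality.
# Get-ADReplAccount retrieves password hashes through directory replication, so the account
# running this needs the "Replicating Directory Changes All" right on the domain; run it from
# a hardened administrative host and pipe straight into the test so hashes are not kept in a variable.
$params = @{
    All           = $true
    Server        = 'DC01'                  # assumed DC hostname
    NamingContext = 'dc=example,dc=local'   # assumed domain naming context
}
$result = Get-ADReplAccount @params |
    Test-PasswordQuality -WeakPasswordsFile $weakListPath -IncludeDisabledAccounts

# Step 4: flatten the findings into rows and export them. The result object holds one
# collection of account names per finding type; only account names are written, never hashes.
$rows = @(
    foreach ($category in 'WeakPassword', 'EmptyPassword') {
        foreach ($account in $result.$category) {
            [pscustomobject]@{ Finding = $category; Account = $account; Group = '' }
        }
    }
)

# Duplicate passwords are reported as groups of accounts sharing the same hash;
# number the groups so the CSV shows which accounts share a password.
$groupId = 0
$rows += @(
    foreach ($group in $result.DuplicatePasswordGroups) {
        $groupId++
        foreach ($account in $group) {
            [pscustomobject]@{ Finding = 'DuplicatePassword'; Account = $account; Group = $groupId }
        }
    }
)

$stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
$reportPath = Join-Path $env:USERPROFILE "Desktop\PasswordQuality-$stamp.csv"
$rows | Export-Csv -Path $reportPath -NoTypeInformation
Write-Host "$($rows.Count) findings written to $reportPath"
```

The replication right needed by Get-ADReplAccount is the same right that lets a DCSync attack extract every hash in the domain, so the credentials and host used for this audit should be treated with the same care as domain administrator credentials, and the CSV contains a ready-made list of the weakest accounts and should be stored and shared accordingly.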
ADSelfService Plus
Apart from helping you find users with weak passwords, ADSelfService Plus' Password Policy Enforcer can also be used to create a customized password policy with rules for preventing dictionary passwords, patterns, and more for user accounts in specific domains, groups or OUs.
- Quick configuration:
With ADSelfService Plus, you are just a few clicks away from auditing the password quality of user accounts and preventing the creation of weak passwords. But in PowerShell, you need to create, debug and run scripts.
- Compare passwords with an extensive list of weak passwords:
The Weak Password Finder tool contains a predefined list of over 100,000 commonly used weak passwords. Administrators can add other passwords that are considered common or weak to this list. In PowerShell, on the other hand, administrators need to create their own list of weak passwords and specify its file path in the script.
- Detailed and exportable reports:
The Weak Password Users Report displays other user information such as sAMAccountName, department, OU, group and more. The report can also be exported as a CSV file. With PowerShell, the report will only display the user account's display name.
- Creating stringent password policies:
In ADSelfService Plus, customized password policies can be created with ease. The password policy rules that can be set include maximum password length, disallowing the use of dictionary words and palindromes, and specifying the minimum number of numeric characters, special characters, lowercase letters or uppercase letters to be included. PowerShell can also be used to create such rules, but it requires extensive scripting knowledge.