Can you remember the last time you read IT-related news and there was NO article about a security breach? Yeah, me neither. So it is quite reasonable to check your Active Directory now and then for accounts with weak or no passwords.

There are great guides and awesome tools out there to solve this – that’s why I didn’t invent anything new here; I just followed the linked guide and put it into an easy-to-use script.

Result / goal

Running the script produces a report with the following sections, each listing the affected accounts:

Active Directory Password Quality Report

Passwords of these accounts are stored using reversible encryption:
LM hashes of passwords of these accounts are present:
These accounts have no password set:
Passwords of these accounts have been found in the dictionary:
These groups of accounts have the same passwords:
These computer accounts have default passwords:
Kerberos AES keys are missing from these accounts:
Kerberos pre-authentication is not required for these accounts:
Only DES encryption is allowed to be used with these accounts:
These administrative accounts are allowed to be delegated to a service:
Passwords of these accounts will never expire:
These accounts are not required to have a password:
These accounts that require smart card authentication have a password:

How To:

  1. Create a folder, e.g. “Test-Passwordquality”
  2. Download DSInternals and unzip it into a subfolder named “DSInternals” inside the new folder (the script imports the module from there)
  3. Create a file “Test-PasswordQuality.ps1” and paste the below code
  4. Create a file “MyPasswords.txt” and enter all known or critical passwords you want to check, one per line
  5. Run the script: Test-Passwordquality.ps1 -Passwordlist MyPasswords.txt -Domain tech.contoso.com -Server dc1.contoso.com

The folder should then look like this:

The script:

<#
.SYNOPSIS
 Test-PasswordQuality

.DESCRIPTION
 Tests the password quality of all users in a specified domain by checking for empty passwords or well-known passwords from a provided list.

.PARAMETER PasswordList
 Filename of the list of well-known passwords to check. Provide a .txt file located next to this script.

.PARAMETER DomainName
 Domain to be checked, e.g. tech.contoso.com

.PARAMETER Server
 Specify a server to connect to. Has to be a domain controller.

.EXAMPLE
 Test-Passwordquality.ps1 -Passwordlist MyPasswords.txt -Domain tech.contoso.com -Server dc1.contoso.com

.NOTES
 Version  : 1.0
 Created  : 2021-07-07
 Author   : Peter Stork-Post
 Source   : http://woshub.com/auditing-users-password-strength-in-ad/
 History  : -
 Requires the DSInternals PowerShell module to be placed in the subfolder "DSInternals". Download from: https://github.com/MichaelGrafnetter/DSInternals/releases

#>


param (
    [Parameter(Mandatory = $true)] [String]$passwordList,
    [Parameter(Mandatory = $true)] [String]$domainName,
    [Parameter(Mandatory = $true)] [String]$server
)

# Get the execution path for further use
$executionpath = Split-Path $MyInvocation.MyCommand.Path

# Convert the DNS domain name to its distinguished name, e.g. tech.contoso.com -> DC=tech,DC=contoso,DC=com
$domainName = "DC=$($domainName.Replace('.',',DC='))"

# Convert the password list file name into a full path and make sure the file exists
$passwordList = Join-Path $executionpath $passwordList
if (-not (Test-Path $passwordList)) { throw "Password list not found: $passwordList" }

# Import the DSInternals PowerShell module downloaded from https://github.com/MichaelGrafnetter/DSInternals/releases
Import-Module (Join-Path $executionpath "DSInternals\DSInternals.psd1")

# Replicate all accounts (including their hashes and hash history) from the domain controller and check their quality
Get-ADReplAccount -All -Server $server -NamingContext $domainName | Test-PasswordQuality -WeakPasswordsFile $passwordList -IncludeDisabledAccounts
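As an added example (not the original script and not DSInternals code), the same audit with the report kept as an object so the finding lists can be exported per category and, for accounts with empty or dictionary passwords, a password change can be forced at next logon via the ActiveDirectory module; the report property names and the DOMAIN\account list format are assumptions, and the remediation honours -WhatIf.

```powershell
<#
  Added example (not the original script, not DSInternals code): keeps the audit
  report object, exports each finding list to CSV and can force a password change
  at next logon for empty/dictionary passwords. Assumes .\DSInternals, the
  ActiveDirectory (RSAT) module and the report property names used below.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param (
    [Parameter(Mandatory = $true)] [string]$PasswordList,
    [Parameter(Mandatory = $true)] [string]$DomainName,
    [Parameter(Mandatory = $true)] [string]$Server,
    [string]$OutFolder = (Join-Path $PSScriptRoot 'reports')
)

Import-Module (Join-Path $PSScriptRoot 'DSInternals\DSInternals.psd1') -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$namingContext = 'DC=' + (($DomainName -split '\.') -join ',DC=')
$listPath      = Join-Path $PSScriptRoot $PasswordList
if (-not (Test-Path $listPath)) { throw "Password list not found: $listPath" }
# Run the audit once and keep the report object instead of only printing it
$report = Get-ADReplAccount -All -Server $Server -NamingContext $namingContext |
          Test-PasswordQuality -WeakPasswordsFile $listPath -IncludeDisabledAccounts
# Assumed property names of the DSInternals report object (lists of DOMAIN\account)
$findings = [ordered]@{
    EmptyPassword       = @($report.EmptyPassword)
    WeakPassword        = @($report.WeakPassword)
    ClearTextPassword   = @($report.ClearTextPassword)
    PreAuthNotRequired  = @($report.PreAuthNotRequired)
    PasswordNotRequired = @($report.PasswordNotRequired)
}

New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
foreach ($category in $findings.Keys) {
    $findings[$category] |
        ForEach-Object { [pscustomobject]@{ Category = $category; Account = $_ } } |
        Export-Csv -Path (Join-Path $OutFolder "$stamp-$category.csv") -NoTypeInformation
    Write-Host ('{0,-20} {1,5}' -f $category, $findings[$category].Count)
}

# Remediation (honours -WhatIf): empty or dictionary passwords must be changed at next logon
foreach ($account in ($findings.EmptyPassword + $findings.WeakPassword | Sort-Object -Unique)) {
    $sam = ($account -split '\\')[-1]   # assumed DOMAIN\sAMAccountName format
    if ($PSCmdlet.ShouldProcess($sam, 'Force password change at next logon')) {
        try { Set-ADUser -Identity $sam -Server $Server -ChangePasswordAtLogon $true }
        catch { Write-Warning "Could not flag ${sam}: $_" }
    }
}
```

Run it first with -WhatIf to review which accounts would be flagged; Set-ADUser will refuse the change for accounts that still have "password never expires" set, which the warning makes visible.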

Sources / Additional information

http://woshub.com/auditing-users-password-strength-in-ad/

https://github.com/MichaelGrafnetter/DSInternals/releases