Overview

The latest version of the DSInternals PowerShell Module contains a new cmdlet called Test-PasswordQuality, which is a powerful yet easy-to-use tool for Active Directory password auditing. It can detect weak, duplicate, default, non-expiring or empty passwords and find accounts that violate security best practices. All domain administrators can now audit Active Directory passwords on a regular basis, without any special knowledge.

Usage

The Test-PasswordQuality cmdlet accepts the output of the Get-ADDBAccount and Get-ADReplAccount cmdlets, so both offline analysis (of an ntds.dit database file) and online analysis (through DCSync replication) can be done:

Get-ADReplAccount -All -Server LON-DC1 -NamingContext "dc=adatum,dc=com" |
   Test-PasswordQuality -WeakPasswordHashesFile .\pwned-passwords-ntlm-ordered-by-count.txt -IncludeDisabledAccounts

Sample output:

Active Directory Password Quality Report
----------------------------------------

Passwords of these accounts are stored using reversible encryption:
  April
  Brad
  Don

LM hashes of passwords of these accounts are present:

These accounts have no password set:
  Guest
  nolan
  test

Passwords of these accounts have been found in the dictionary:
  adam
  peter

Historical passwords of these accounts have been found in the dictionary:
  april
  brad

These groups of accounts have the same passwords:
  Group 1:
    Aidan
    John
  Group 2:
    Joe
    JoeAdmin
    JoeVPN

These computer accounts have default passwords:
  LON-CL2$

Kerberos AES keys are missing from these accounts:
  Julian

Kerberos pre-authentication is not required for these accounts:
  Holly
  Chad

Only DES encryption is allowed to be used with these accounts:
  Holly
  Jorgen

These administrative accounts are allowed to be delegated to a service:
  Administrator
  April
  krbtgt

Passwords of these accounts will never expire:
  Administrator
  Guest

These accounts are not required to have a password:
  Guest
  Magnus
  Maria

Although the cmdlet output is formatted in a human-readable fashion, it is still an object whose properties can be accessed separately (e.g. $result.WeakPassword) to produce custom output.
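The following is an added example, not code from the original post or from the DSInternals project itself. It shows the offline variant of the audit described above (Get-ADDBAccount reading an ntds.dit copy, which needs the boot key from the matching SYSTEM hive) and then works with the result object rather than the formatted report. The file paths are placeholders, and every result property name other than WeakPassword is an assumption: the names are chosen to mirror the sections of the report and may differ between module versions, so check them with Get-Member first.

```powershell
# Added example (not from the original post): offline audit of an ntds.dit
# snapshot, then consuming the result object instead of the printed report.
# Assumptions: the paths are placeholders for an IFM (Install From Media)
# snapshot; property names other than WeakPassword are assumed to match the
# report sections and should be verified with: $result | Get-Member

$ntdsPath   = 'C:\IFM\Active Directory\ntds.dit'   # placeholder path
$systemHive = 'C:\IFM\registry\SYSTEM'             # placeholder path
$hashList   = '.\pwned-passwords-ntlm-ordered-by-count.txt'

# The boot key stored in the SYSTEM hive is required to decrypt password
# hashes from an offline database copy.
$bootKey = Get-BootKey -SystemHivePath $systemHive

# Offline analysis: read every account from the database copy and test it.
$result = Get-ADDBAccount -All -DatabasePath $ntdsPath -BootKey $bootKey |
    Test-PasswordQuality -WeakPasswordHashesFile $hashList -IncludeDisabledAccounts

# Listing the property names once tells you exactly what your version exposes.
$result | Get-Member -MemberType Property | Select-Object -ExpandProperty Name

# Summary counts for a dashboard or ticket; @() guards against $null when a
# section is empty (an empty section prints nothing in the report).
$summary = [pscustomobject]@{
    WeakPassword         = @($result.WeakPassword).Count
    EmptyPassword        = @($result.EmptyPassword).Count          # assumed name
    PasswordNeverExpires = @($result.PasswordNeverExpires).Count   # assumed name
    DuplicateGroups      = @($result.DuplicatePasswordGroups).Count # assumed name
}
$summary

# Persist the accounts with dictionary passwords for follow-up (e.g. a forced
# password change), one row per account so the CSV is easy to process later.
@($result.WeakPassword) |
    ForEach-Object { [pscustomobject]@{ Account = $_; Finding = 'WeakPassword' } } |
    Export-Csv -Path '.\weak-passwords.csv' -NoTypeInformation
```

Because the result is a plain object, the same pattern applies to every section of the report: pick the property that corresponds to the finding you care about, wrap it in @() so an empty section does not break the pipeline, and feed it into whatever reporting or remediation workflow you already have.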

Credits

I would like to thank Jakob Heidelberg for his idea to use the DSInternals module for password auditing. A big thank you also goes to Ondrej Sevecek for sharing his comprehensive auditing tool called SAPHA, from which I borrowed ideas for a few tests.