Auditing Active Directory Password Quality

August 7, 2016 | Michael Grafnetter

Overview

The latest version of the DSInternals PowerShell Module contains a new cmdlet called Test-PasswordQuality, which is a powerful yet easy-to-use tool for Active Directory password auditing. It can detect weak, duplicate, default, non-expiring or empty passwords and find accounts that violate security best practices. All domain administrators can now audit Active Directory passwords on a regular basis, without any special knowledge.

Usage

The Test-PasswordQuality cmdlet accepts the output of the Get-ADDBAccount and Get-ADReplAccount cmdlets, so both offline (ntds.dit) and online (DCSync) analysis can be done.

Although the cmdlet output is formatted in a human readable fashion, it is still an object, whose properties can be accessed separately (e.g. $result.WeakPassword) to produce a desired output.
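The following session is an added example and not code from the original post. It assumes an IFM export of the domain controller (ntdsutil) under C:\Audit\IFM, a word list at C:\Audit\weak-passwords.txt, a DC named dc-01 and the naming context DC=contoso,DC=com; of the report's properties, only WeakPassword is named in the text above, so the summary step enumerates the properties generically rather than assuming their names.

```powershell
# Added example (not from the original post). Assumed inputs: an IFM export under
# C:\Audit\IFM, a word list at C:\Audit\weak-passwords.txt, a DC named dc-01 and
# the naming context DC=contoso,DC=com. Run in an elevated session as a domain admin.
Import-Module DSInternals

$wordList = 'C:\Audit\weak-passwords.txt'

# Offline analysis: the boot key from the exported SYSTEM hive is needed to
# decrypt the password hashes stored in ntds.dit.
$bootKey = Get-BootKey -SystemHivePath 'C:\Audit\IFM\registry\SYSTEM'
$result = Get-ADDBAccount -All -DatabasePath 'C:\Audit\IFM\Active Directory\ntds.dit' -BootKey $bootKey |
    Test-PasswordQuality -WeakPasswordsFile $wordList

# Online analysis of the same domain via DCSync replication; this requires the
# Replicating Directory Changes All permission, which domain admins hold by default.
# Uncomment to use instead of the offline variant above.
# $result = Get-ADReplAccount -All -Server 'dc-01' -NamingContext 'DC=contoso,DC=com' |
#     Test-PasswordQuality -WeakPasswordsFile $wordList

# The report is an object, so individual findings can be processed separately.
# Accounts whose password appeared in the word list, one per line, for the remediation ticket:
$result.WeakPassword | Sort-Object | Set-Content -Path 'C:\Audit\weak-password-accounts.txt'

# Summary: one row per test with the number of affected entries, so the audit can be
# tracked from run to run without parsing the formatted text.
$result.PSObject.Properties |
    ForEach-Object { [pscustomobject]@{ Test = $_.Name; Affected = @($_.Value).Count } } |
    Sort-Object Affected -Descending |
    Format-Table -AutoSize
```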

Credits

I would like to thank Jakob Heidelberg for his idea to use the DSInternals module for password auditing. A big thank you also goes to Ondrej Sevecek for sharing his comprehensive auditing tool called SAPHA, from which I borrowed ideas for a few tests.


9 comments on “Auditing Active Directory Password Quality”

  1. Denis says:

    Get-ADReplAccount : Cannot set percent because PercentComplete cannot be greater than 100.
    Parameter name: value
    Actual value was 101.
    At line:1 char:1
    + Get-ADReplAccount -All -Server dc-01 -NamingContext ” …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Get-ADReplAccount], PSArgumentOutOfRangeException
    + FullyQualifiedErrorId : ArgumentOutOfRange,DSInternals.PowerShell.Commands.GetADReplAccountCommand

  2. Michael Grafnetter says:

    Thank you for reporting this, Denis. See the progress at GitHub.

  3. Thomas says:

    Hello Michael

    thank you very much for sharing your great tools and information! It’s really strange that Microsoft does not provide such tools itself.

    I’ve tested our password quality and we have a problem: for some tests, it’s very hard to guess which concrete problem the test is addressing. For example: “These administrative accounts are allowed to be delegated to a service”. Until today, I thought every account can be delegated to a service – which is probably wrong.

    It would be great if you could add some keywords or links to the different tests, so that we can study the background and plan the next steps.

    Thanks a lot in advance,
    kind regards,
    Thomas

  4. Michael Grafnetter says:

    Hi Thomas, I admit that some of those tests can only be understood by people with very deep AD knowledge. There is a good blog post about delegation written by a Microsoft employee. Also check out the Thycotic Weak Password Finder, which I have also programmed. It does the same tests as the Test-PasswordQuality cmdlet, is bundled with a nice list of common passwords and its reports contain simple explanations of the checks. Is there any other test you would like to know more about?

  5. Craig Atkins says:

    Hi Michael,

    How large can the password list be for this, and would we be able to calculate a password list once to NT Hashes and then save the hashes for quicker future audits on the same server?

    I’ve copied over the password list from your Weak Password Finder tool (which is very quick) and I’ve had the Test-PasswordQuality cmdlet running for around 20 mins without returning anything yet.

    Thanks!

    Craig

  6. Michael Grafnetter says:

    I haven’t implemented a way of serializing the hash table, because the calculation is very quick. The Test-PasswordQuality cmdlet should not run that long, even on large ADs. I think that I have tested it on a 30M list without any problems.

    There might be a bug in the cmdlet. Do you have any updates on it?

  7. François says:

    Hi. After this test, I have users in the sections “LM hashes of passwords of these accounts are present:”. How do I fix the problem?

  8. Michael Grafnetter says:

    Dear Francois, you just change/reset their passwords.

  9. Matthew Dreher says:

    This utility is very helpful. I would also love to have a way of serializing the NT Hashes so that it can be imported and exported easily.
