The Test-PasswordQuality cmdlet now supports cross-domain and cross-forest duplicate password discovery and offline password hash comparison against HaveIBeenPwned:
```powershell
$contosoAccounts = Get-ADReplAccount -All -Server $env:LOGONSERVER
$adatumCred = Get-Credential -Message 'Admin credentials for the adatum.com domain:'
$adatumAccounts = Get-ADReplAccount -All -Server 'nyc-dc1.adatum.com' -Credential $adatumCred
$contosoAccounts + $adatumAccounts | Test-PasswordQuality -WeakPasswordHashesSortedFile 'pwned-passwords-ntlm-ordered-by-hash-v5.txt'
```
The output of the previous script might look like this (with some parts omitted):
```text
Active Directory Password Quality Report
----------------------------------------
...
Passwords of these accounts have been found in the dictionary:
  ADATUM\larry_admin
  CONTOSO\harry
...
These groups of accounts have the same passwords:
  Group 1:
    ADATUM\smith
    ADATUM\srv_sql01
  Group 2:
    ADATUM\Administrator
    ADATUM\joe_admin
    CONTOSO\Administrator
    CONTOSO\joe_admin
...
```
The example above retrieves the account data over the MS-DRSR replication protocol. Similar results can be achieved by using the Get-ADDBAccount cmdlet to read account information directly from an ntds.dit file.
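As an added illustration (not DSInternals code), the two checks behind the report above in stand-alone Python: grouping accounts from several domains that share one NT hash, and looking a hash up in the HaveIBeenPwned "ordered by hash" NTLM file, whose sorted `UPPERHEX32:COUNT` lines allow a binary search over byte offsets instead of loading the multi-gigabyte file into memory. The hashes, account names and breach counts below are constructed placeholders.

```python
import io
from collections import defaultdict

def _next_line(f, pos):
    """Skip the (possibly partial) line holding byte offset pos; return the line after it."""
    f.seek(max(pos - 1, 0))
    if pos > 0:
        f.readline()           # if byte pos-1 is '\n', this consumes exactly that newline
    return f.readline()

def hibp_count(f, nthash):
    """Binary-search the hash-sorted HIBP NTLM file f for nthash; return its count (0 if absent)."""
    target = nthash.upper().encode()
    f.seek(0, io.SEEK_END)
    lo, hi = 0, f.tell()       # invariant: the target line, if any, starts in [lo, hi)
    while lo < hi:
        mid = (lo + hi) // 2
        line = _next_line(f, mid)
        if not line:           # no full line starts at or after mid
            hi = mid
            continue
        h, _, count = line.rstrip(b"\r\n").partition(b":")
        if h == target:
            return int(count)
        if h < target:
            lo = f.tell()      # every line up to this one sorts below the target
        else:
            hi = mid           # the target, if present, starts before mid
    return 0

def duplicate_groups(accounts):
    """Group 'DOMAIN\\name' accounts that share one NT hash, i.e. one password."""
    by_hash = defaultdict(list)
    for name, nthash in accounts:
        by_hash[nthash.upper()].append(name)
    return [sorted(names) for names in by_hash.values() if len(names) > 1]

def password_quality_report(accounts, hibp_file):
    """Return (accounts whose hash is in the breach file, groups sharing a password)."""
    pwned = [name for name, h in accounts if hibp_count(hibp_file, h) > 0]
    return pwned, duplicate_groups(accounts)

# Constructed sample data: placeholder hashes, not real NT hashes or HIBP entries.
H1, H2, H3, H4, H5 = ["1111AAAA" * 4, "3333BBBB" * 4, "5555CCCC" * 4, "7777DDDD" * 4, "9999EEEE" * 4]
SAMPLE_HIBP = b"".join(f"{h}:{n}\r\n".encode() for h, n in [(H1, 3861493), (H2, 5), (H4, 42), (H5, 1)])
ACCOUNTS = [("CONTOSO\\Administrator", H1), ("CONTOSO\\joe_admin", H1), ("ADATUM\\Administrator", H1),
            ("ADATUM\\joe_admin", H1), ("ADATUM\\smith", H4), ("ADATUM\\srv_sql01", H4),
            ("CONTOSO\\harry", H2), ("ADATUM\\larry_admin", H5), ("CONTOSO\\alice", H3)]
```

Against a real HIBP download, pass an open binary file handle in place of the `io.BytesIO` sample; the lookup cost stays logarithmic in the file size.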