Solved

Active Directory Complex Password Checking with Powershell

Posted on 2015-01-16
8
775 Views
Last Modified: 2015-01-17
Greetings. We're migrating to Office 365, which requires complex passwords.

On our AD domain, we did not have a complex policy implemented.  I change Group Policy to now require complex passwords, so that when passwords are synced to Office 365/Azure (whichever method we use), they meet Office 365 requirements.

I know you can check the complex password requirements (true/false ... although "false" is irrelevant) with the remote Powershell.

Here's my question:  Is there a Powershell command/script that will notify me which on-premise AD users currently *do not* currently have complex passwords ?

Thanks much.
-Stephen
0
Comment
Question by:lapavoni
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 400 total points
ID: 40554079
There is no attribute to show if the users actually got a complex password after you had made your Group Policy Change. You can expect that after you have made the policy change to your domain, the users are still able to use their current password until it either expires or they try to change it before the expiry.

Typically if you want to enforece this before their password expires you will need to force all users to reset there password in Active Directory Users and Computers.

If you do not want to do that and would rather let the expiry do the job you can do the following...

Use the PasswordLastSet attribute in AD to see if they have actually changed there password after you had applied the Password policy to the domain. Would look like this.
Lets say that the password policy was set 2 days ago (Jan 14th 2015)
Date = get-date
Get-Aduser -filter * -properties * | ? { $_.PasswordLastSet lt $date.adddays(-3)} | select Name, samaccountname, PasswordLastSet
}

Open in new window


The above command will get all of the users that have a PasswordLastSet of Jan 13th 2015. So by that you will know that they have not changed their password after you had made the policy change.

Will.
0
 
LVL 39

Assisted Solution

by:footech
footech earned 100 total points
ID: 40554088
No.  That would require you to access the SAM data and crack the passwords.

Your best bet is to just set all (or perhaps just those who haven't changed their password since your policy went into effect) users so that they have to change their password on next logon.  However, depending on your environment that could be a while for some users.  Forcing logout can be somewhat draconian, but it's an option.
0
 

Author Comment

by:lapavoni
ID: 40554669
OK, thanks both.  Looks like a Password Party is in the works one morning next week.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40554701
Not sure how the second comment was the answer as I had stated basically what was said and provided an alternative script.

Anyways just pointing that out.

Will.
0
 

Expert Comment

by:sphilip951
ID: 40554820
Agreed Will..
0
 

Author Comment

by:lapavoni
ID: 40554821
I requested the moderator award you 500 points, Will.  Thanks.
0
 
LVL 39

Expert Comment

by:footech
ID: 40554894
When comments are posted at the same time (within 5-10 min), if they both provide correct advice, it's appropriate to split points.  However, Will's advice is more comprehensive than mine.  If I were the one who asked the question, I would probably accept Will's as the accepted solution, and mine as the assisted solution, awarding 350-400 points and 100-150 points respectively.
0
 

Author Closing Comment

by:lapavoni
ID: 40555347
I read both comments again. Will answered my question. footech added a bit of information about why it can't be done (accessing SAM data and cracking passwords). Thanks again.
0

Join & Write a Comment

I thought I'd write this up for anyone who has a request to create an anonymous whistle-blower-type submission form created using SharePoint 2010 (this would probably work the same for 2013). It's not 100% fool-proof but it's as close as you can get…
A procedure for exporting installed hotfix details of remote computers using powershell
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now