Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Active Directory Complex Password Checking with Powershell

Posted on 2015-01-16
8
Medium Priority
?
1,697 Views
Last Modified: 2015-01-17
Greetings. We're migrating to Office 365, which requires complex passwords.

On our AD domain, we did not have a complex policy implemented.  I change Group Policy to now require complex passwords, so that when passwords are synced to Office 365/Azure (whichever method we use), they meet Office 365 requirements.

I know you can check the complex password requirements (true/false ... although "false" is irrelevant) with the remote Powershell.

Here's my question:  Is there a Powershell command/script that will notify me which on-premise AD users currently *do not* currently have complex passwords ?

Thanks much.
-Stephen
0
Comment
Question by:lapavoni
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 1600 total points
ID: 40554079
There is no attribute to show if the users actually got a complex password after you had made your Group Policy Change. You can expect that after you have made the policy change to your domain, the users are still able to use their current password until it either expires or they try to change it before the expiry.

Typically if you want to enforece this before their password expires you will need to force all users to reset there password in Active Directory Users and Computers.

If you do not want to do that and would rather let the expiry do the job you can do the following...

Use the PasswordLastSet attribute in AD to see if they have actually changed there password after you had applied the Password policy to the domain. Would look like this.
Lets say that the password policy was set 2 days ago (Jan 14th 2015)
Date = get-date
Get-Aduser -filter * -properties * | ? { $_.PasswordLastSet lt $date.adddays(-3)} | select Name, samaccountname, PasswordLastSet
}

Open in new window


The above command will get all of the users that have a PasswordLastSet of Jan 13th 2015. So by that you will know that they have not changed their password after you had made the policy change.

Will.
0
 
LVL 41

Assisted Solution

by:footech
footech earned 400 total points
ID: 40554088
No.  That would require you to access the SAM data and crack the passwords.

Your best bet is to just set all (or perhaps just those who haven't changed their password since your policy went into effect) users so that they have to change their password on next logon.  However, depending on your environment that could be a while for some users.  Forcing logout can be somewhat draconian, but it's an option.
0
 

Author Comment

by:lapavoni
ID: 40554669
OK, thanks both.  Looks like a Password Party is in the works one morning next week.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40554701
Not sure how the second comment was the answer as I had stated basically what was said and provided an alternative script.

Anyways just pointing that out.

Will.
0
 

Expert Comment

by:sphilip951
ID: 40554820
Agreed Will..
0
 

Author Comment

by:lapavoni
ID: 40554821
I requested the moderator award you 500 points, Will.  Thanks.
0
 
LVL 41

Expert Comment

by:footech
ID: 40554894
When comments are posted at the same time (within 5-10 min), if they both provide correct advice, it's appropriate to split points.  However, Will's advice is more comprehensive than mine.  If I were the one who asked the question, I would probably accept Will's as the accepted solution, and mine as the assisted solution, awarding 350-400 points and 100-150 points respectively.
0
 

Author Closing Comment

by:lapavoni
ID: 40555347
I read both comments again. Will answered my question. footech added a bit of information about why it can't be done (accessing SAM data and cracking passwords). Thanks again.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Let's recap what we learned from yesterday's Skyport Systems webinar.
Loops Section Overview
Screencast - Getting to Know the Pipeline

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question