Solved

Active Directory Complex Password Checking with Powershell

Posted on 2015-01-16
8
1,184 Views
Last Modified: 2015-01-17
Greetings. We're migrating to Office 365, which requires complex passwords.

On our AD domain, we did not have a complex policy implemented.  I change Group Policy to now require complex passwords, so that when passwords are synced to Office 365/Azure (whichever method we use), they meet Office 365 requirements.

I know you can check the complex password requirements (true/false ... although "false" is irrelevant) with the remote Powershell.

Here's my question:  Is there a Powershell command/script that will notify me which on-premise AD users currently *do not* currently have complex passwords ?

Thanks much.
-Stephen
0
Comment
Question by:lapavoni
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 400 total points
ID: 40554079
There is no attribute to show if the users actually got a complex password after you had made your Group Policy Change. You can expect that after you have made the policy change to your domain, the users are still able to use their current password until it either expires or they try to change it before the expiry.

Typically if you want to enforece this before their password expires you will need to force all users to reset there password in Active Directory Users and Computers.

If you do not want to do that and would rather let the expiry do the job you can do the following...

Use the PasswordLastSet attribute in AD to see if they have actually changed there password after you had applied the Password policy to the domain. Would look like this.
Lets say that the password policy was set 2 days ago (Jan 14th 2015)
Date = get-date
Get-Aduser -filter * -properties * | ? { $_.PasswordLastSet lt $date.adddays(-3)} | select Name, samaccountname, PasswordLastSet
}

Open in new window


The above command will get all of the users that have a PasswordLastSet of Jan 13th 2015. So by that you will know that they have not changed their password after you had made the policy change.

Will.
0
 
LVL 40

Assisted Solution

by:footech
footech earned 100 total points
ID: 40554088
No.  That would require you to access the SAM data and crack the passwords.

Your best bet is to just set all (or perhaps just those who haven't changed their password since your policy went into effect) users so that they have to change their password on next logon.  However, depending on your environment that could be a while for some users.  Forcing logout can be somewhat draconian, but it's an option.
0
 

Author Comment

by:lapavoni
ID: 40554669
OK, thanks both.  Looks like a Password Party is in the works one morning next week.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40554701
Not sure how the second comment was the answer as I had stated basically what was said and provided an alternative script.

Anyways just pointing that out.

Will.
0
 

Expert Comment

by:sphilip951
ID: 40554820
Agreed Will..
0
 

Author Comment

by:lapavoni
ID: 40554821
I requested the moderator award you 500 points, Will.  Thanks.
0
 
LVL 40

Expert Comment

by:footech
ID: 40554894
When comments are posted at the same time (within 5-10 min), if they both provide correct advice, it's appropriate to split points.  However, Will's advice is more comprehensive than mine.  If I were the one who asked the question, I would probably accept Will's as the accepted solution, and mine as the assisted solution, awarding 350-400 points and 100-150 points respectively.
0
 

Author Closing Comment

by:lapavoni
ID: 40555347
I read both comments again. Will answered my question. footech added a bit of information about why it can't be done (accessing SAM data and cracking passwords). Thanks again.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question