?
Solved

Active Directory Complex Password Checking with Powershell

Posted on 2015-01-16
8
Medium Priority
?
1,312 Views
Last Modified: 2015-01-17
Greetings. We're migrating to Office 365, which requires complex passwords.

On our AD domain, we did not have a complex policy implemented.  I change Group Policy to now require complex passwords, so that when passwords are synced to Office 365/Azure (whichever method we use), they meet Office 365 requirements.

I know you can check the complex password requirements (true/false ... although "false" is irrelevant) with the remote Powershell.

Here's my question:  Is there a Powershell command/script that will notify me which on-premise AD users currently *do not* currently have complex passwords ?

Thanks much.
-Stephen
0
Comment
Question by:lapavoni
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 1600 total points
ID: 40554079
There is no attribute to show if the users actually got a complex password after you had made your Group Policy Change. You can expect that after you have made the policy change to your domain, the users are still able to use their current password until it either expires or they try to change it before the expiry.

Typically if you want to enforece this before their password expires you will need to force all users to reset there password in Active Directory Users and Computers.

If you do not want to do that and would rather let the expiry do the job you can do the following...

Use the PasswordLastSet attribute in AD to see if they have actually changed there password after you had applied the Password policy to the domain. Would look like this.
Lets say that the password policy was set 2 days ago (Jan 14th 2015)
Date = get-date
Get-Aduser -filter * -properties * | ? { $_.PasswordLastSet lt $date.adddays(-3)} | select Name, samaccountname, PasswordLastSet
}

Open in new window


The above command will get all of the users that have a PasswordLastSet of Jan 13th 2015. So by that you will know that they have not changed their password after you had made the policy change.

Will.
0
 
LVL 40

Assisted Solution

by:footech
footech earned 400 total points
ID: 40554088
No.  That would require you to access the SAM data and crack the passwords.

Your best bet is to just set all (or perhaps just those who haven't changed their password since your policy went into effect) users so that they have to change their password on next logon.  However, depending on your environment that could be a while for some users.  Forcing logout can be somewhat draconian, but it's an option.
0
 

Author Comment

by:lapavoni
ID: 40554669
OK, thanks both.  Looks like a Password Party is in the works one morning next week.
0
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40554701
Not sure how the second comment was the answer as I had stated basically what was said and provided an alternative script.

Anyways just pointing that out.

Will.
0
 

Expert Comment

by:sphilip951
ID: 40554820
Agreed Will..
0
 

Author Comment

by:lapavoni
ID: 40554821
I requested the moderator award you 500 points, Will.  Thanks.
0
 
LVL 40

Expert Comment

by:footech
ID: 40554894
When comments are posted at the same time (within 5-10 min), if they both provide correct advice, it's appropriate to split points.  However, Will's advice is more comprehensive than mine.  If I were the one who asked the question, I would probably accept Will's as the accepted solution, and mine as the assisted solution, awarding 350-400 points and 100-150 points respectively.
0
 

Author Closing Comment

by:lapavoni
ID: 40555347
I read both comments again. Will answered my question. footech added a bit of information about why it can't be done (accessing SAM data and cracking passwords). Thanks again.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses
Course of the Month14 days, 16 hours left to enroll

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question