Solved

Active Directory Complex Password Checking with Powershell

Posted on 2015-01-16
8
885 Views
Last Modified: 2015-01-17
Greetings. We're migrating to Office 365, which requires complex passwords.

On our AD domain, we did not have a complex policy implemented.  I change Group Policy to now require complex passwords, so that when passwords are synced to Office 365/Azure (whichever method we use), they meet Office 365 requirements.

I know you can check the complex password requirements (true/false ... although "false" is irrelevant) with the remote Powershell.

Here's my question:  Is there a Powershell command/script that will notify me which on-premise AD users currently *do not* currently have complex passwords ?

Thanks much.
-Stephen
0
Comment
Question by:lapavoni
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 400 total points
ID: 40554079
There is no attribute to show if the users actually got a complex password after you had made your Group Policy Change. You can expect that after you have made the policy change to your domain, the users are still able to use their current password until it either expires or they try to change it before the expiry.

Typically if you want to enforece this before their password expires you will need to force all users to reset there password in Active Directory Users and Computers.

If you do not want to do that and would rather let the expiry do the job you can do the following...

Use the PasswordLastSet attribute in AD to see if they have actually changed there password after you had applied the Password policy to the domain. Would look like this.
Lets say that the password policy was set 2 days ago (Jan 14th 2015)
Date = get-date
Get-Aduser -filter * -properties * | ? { $_.PasswordLastSet lt $date.adddays(-3)} | select Name, samaccountname, PasswordLastSet
}

Open in new window


The above command will get all of the users that have a PasswordLastSet of Jan 13th 2015. So by that you will know that they have not changed their password after you had made the policy change.

Will.
0
 
LVL 39

Assisted Solution

by:footech
footech earned 100 total points
ID: 40554088
No.  That would require you to access the SAM data and crack the passwords.

Your best bet is to just set all (or perhaps just those who haven't changed their password since your policy went into effect) users so that they have to change their password on next logon.  However, depending on your environment that could be a while for some users.  Forcing logout can be somewhat draconian, but it's an option.
0
 

Author Comment

by:lapavoni
ID: 40554669
OK, thanks both.  Looks like a Password Party is in the works one morning next week.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40554701
Not sure how the second comment was the answer as I had stated basically what was said and provided an alternative script.

Anyways just pointing that out.

Will.
0
 

Expert Comment

by:sphilip951
ID: 40554820
Agreed Will..
0
 

Author Comment

by:lapavoni
ID: 40554821
I requested the moderator award you 500 points, Will.  Thanks.
0
 
LVL 39

Expert Comment

by:footech
ID: 40554894
When comments are posted at the same time (within 5-10 min), if they both provide correct advice, it's appropriate to split points.  However, Will's advice is more comprehensive than mine.  If I were the one who asked the question, I would probably accept Will's as the accepted solution, and mine as the assisted solution, awarding 350-400 points and 100-150 points respectively.
0
 

Author Closing Comment

by:lapavoni
ID: 40555347
I read both comments again. Will answered my question. footech added a bit of information about why it can't be done (accessing SAM data and cracking passwords). Thanks again.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This article runs through the process of deploying a single EXE application selectively to a group of user.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

816 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now