Get a list of AD users who are using weak passwords for windows 2012R2 domain

Is there any method to get a list of AD users who are using weak passwords for a Windows 2012R2 domain?
Asked by upalakshitha

Mal Osborne (Alpha Geek) commented:
Not easily.

You COULD obtain a copy of L0phtCrack. This will attempt to try thousands of "common" passwords, and usually manages to guess a few in a large environment. Since this is CPU intensive, it is best run on a machine with a powerful CPU and graphics card.

It is kinda expensive, but there is a 15 day demo if you just want to do a one-off audit. (Edited, demo version is 15 days, not 30)

http://www.l0phtcrack.com/

Alex Green (Project Systems Engineer) commented:
Yeah, don't do the above thing, not needed at all.

Don't be nice to your users, employ a complex password using group policy on your default domain policy and then run a script to force password change on next logon.

bbao (IT Consultant) commented:
Technically there is no way to retrieve user passwords using a script or via GUI. Actually there is no such API or backdoor available from Windows at all.

As mentioned above by Alex, just simply apply complex password for each user via GPO.
Shaun Vermaak (Technical Specialist) commented:
Please don't close your questions so quickly...

I have written 3 articles on this. It is a very easy process with DSInternals

How to create an Intelligent Password Policy for Active Directory
https://www.experts-exchange.com/articles/33078/How-to-create-an-Intelligent-Password-Policy-for-Active-Directory.html

Password Synchronization from one Active Directory Domain to another using DSInternals
https://www.experts-exchange.com/articles/32998/Password-Synchronization-from-one-Active-Directory-Domain-to-another-using-DSInternals.html

How to extract hashes from IFM backup
https://www.experts-exchange.com/articles/29569/How-to-extract-hashes-from-IFM-backup.html

> You COULD obtain a copy of L0phtCrack. This will attempt to try thousands of "common" passwords, and usually manages to guess a few in a large environment. Since this is CPU intensive, it is best run on a machine with a powerful CPU and graphics card.
No need. Hashkiller has over 829.726 billion hashes available online

> Technically there is no way to retrieve user passwords using a script or via GUI. Actually there is no such API or backdoor available from Windows at all.
There is to get password hash. It is the same as what is used when syncing password hashes to cloud providers. You don't even need DA rights, only directory sync rights

> Don't be nice to your users, employ a complex password using group policy on your default domain policy and then run a script to force password change on next logon.
Be nice to your users. Even Password1 is considered a complex 8 character password according to AD and Password1Password1 a complex 16 character password
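
The point above that AD's complexity rule accepts Password1, as an added example that is not part of the original thread: a Python approximation of the "Password must meet complexity requirements" rule beside a simple deny-list check. The function names, the 8-character default minimum, the deny-list words and the sample passwords are assumptions constructed for the illustration.

```python
import re

# Constructed deny-list of base words; a real audit would use a much larger list.
DENYLIST = ["password", "welcome", "summer"]
# Constructed samples: the two passwords named in the thread plus one unrelated string.
SAMPLES = ["Password1", "Password1Password1", "Tr4il-mix&Kayak"]

def char_categories(password):
    """Return which AD complexity character categories appear in the password."""
    cats = set()
    for ch in password:
        if ch in "0123456789":
            cats.add("digit")
        elif ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif ch.isalpha():
            cats.add("other_alpha")  # caseless Unicode letters
        else:
            cats.add("symbol")       # simplification: any non-alphanumeric character
    return cats

def meets_ad_complexity(password, sam_account_name="", display_name="", min_length=8):
    """Approximate the AD complexity rule plus a minimum-length policy."""
    if len(password) < min_length:
        return False
    lowered = password.lower()
    # The account name is only checked when it is at least 3 characters long.
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        return False
    # Display-name tokens of 3 or more characters must not appear in the password.
    for token in re.split(r"[,.\-_ #\t]+", display_name):
        if len(token) >= 3 and token.lower() in lowered:
            return False
    # At least three of the five character categories are required.
    return len(char_categories(password)) >= 3

def is_denylisted(password, base_words=DENYLIST):
    """True when the letters of the password are one base word, possibly repeated."""
    core = re.sub(r"[^a-z]", "", password.lower())
    return any(core and core == w * (len(core) // len(w)) for w in base_words)

def audit(passwords):
    """Return (password, passes_complexity, denylisted) for each candidate."""
    return [(p, meets_ad_complexity(p), is_denylisted(p)) for p in passwords]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```

Both passwords from the thread pass the complexity rule yet are caught by the deny-list, which is the gap a complexity-only group policy leaves open.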

bbao (IT Consultant) commented:
> There is to get password hash

What's the specific Windows API to get a password hash code?

I am thinking it could be a backdoor for the system, as it is possible to retrieve a user's password after comparing the password hash with other hash codes against existing, known passwords.

Shaun Vermaak (Technical Specialist) commented:
> What's the specific Windows API to get a password hash code?
The same process Azure Active Directory Connect etc. uses when syncing password hashes. Read more on https://www.dsinternals.com/
It is opensource so go have a look https://github.com/MichaelGrafnetter/DSInternals

bbao (IT Consultant) commented:
Thanks for the clarification.

But are you sure https://dsinternal.com is a workable URL?