How to validate a list of active directory credentials

Brian
I have a list of usernames/passwords that were the initial passwords given, but should have been changed. I've been told that some of the users used the same password and we want to make sure the password has been changed. We now have a password policy in place for the group, but how can I check if the password has changed? Please note that users did enter a new password, but because a password policy was not in place at the time, some entered the original password as the new password.

I have a file in the following format of username,password:
john.smith,password1
janet.jones,password2
etc.

How can I test the credentials in this file against AD to see what users entered the same password?  I was thinking I would probably use either PowerShell, VBScript, C# or VB.net.
Nathan Hawkins, Technical Lead - Network Security

Commented:
Security is something you should never guess at or rely on users to support. It is simply up to the corporation to enforce security. I would simply force any and all users that were not under the policy to change their PW at their next login. I would send out an email explaining the need to change the password first, but I would simply enforce a password reset on the folks that may not have had one enforced the first time.
Why don't you use ADAC to configure Password Policy Settings and activate Password History?
Brian, Systems Administrator

Author

Commented:
I did use ADAC to configure the password policy, but it had not been added to the user group when they first started setting their passwords.  I don't want to make everyone change their passwords, just the few that entered the same password they were initially given.

Nathan Hawkins, Technical Lead - Network Security

Commented:
Again, you can work at trying to figure out (sort of) who needs to be enforced, or simply make that group change their password and be done with it. I am pretty sure that there is no definitive way that you can create a list of who is on which side of this issue, and rather than guessing, you enforce the policy so that everyone is compliant with it.

Again, if you send out an email socializing the issue, the reasons why it's important that it be corrected, and how you are correcting it, users tend to be accepting of corporate policies that are there to protect everyone.
If you have the user list and password, you can make a PowerShell script to detect those users who used the list password:

(new-object directoryservices.directoryentry "", "domain\username", "password").psbase.name -ne $null

If this command returns "true", the user has used the same password.
Brian, Systems Administrator

Author

Commented:
Juan, that's perfect! I can make this work, but is there any way I can output the name? For example, if I do this...
(new-object directoryservices.directoryentry "", "domain\username", "password").psbase.name -ne $null >> c:\myDir\myFile.txt

The output is True or False. Is there any way I can get it to write the username to the file when it's true?
Nathan Hawkins, Technical Lead - Network Security

Commented:
I honestly think that this is a mistake. I see potential holes where you might not get "all" of the users that didn't change their password. I maintain that the correct way is to enforce the policy on everyone, but I have said my piece and will let this go...

Good luck!
Brian, Systems Administrator

Author

Commented:
Thank you Juan for answering my question!
This is supposedly a temporary process. The complete PowerShell script:

$users = Get-Content -Path users_list.txt   # one "username,password" pair per line

$outusers = @()

foreach ($user in $users) {
    $v = $user.Split(",")
    $username = $v[0]
    $password = $v[1]

    # A bind with the listed credentials only succeeds if that password is still valid;
    # a failed bind writes an error to the console and the comparison evaluates to False.
    if ((New-Object DirectoryServices.DirectoryEntry "",$username,$password).psbase.Name -ne $null) {
        $outusers += $username
    }
}

$outusers | Out-File -FilePath users_out.txt   # one matching username per line, no trailing empty entry
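As an added example, not code posted in this thread, here is a fuller version of the same check: still one LDAP bind per listed account, but the bind failure is classified by its HRESULT, so accounts whose initial password is still correct but flagged "must change at next logon" or expired are not mistaken for changed ones (the True/False test in the script above reports them as False). Each failed bind also counts as one bad-password event against the lockout threshold, which is why the script never tries more than one password per user. It assumes PowerShell 5.1 or later on a domain-joined host, the users_list.txt format from the question, and that plain usernames bind in your forest; the HRESULT-to-status table uses the standard Win32 logon error codes and should be confirmed against your own domain controllers before you trust it.

```powershell
# Added example, not code from the thread. Same idea as the script above: one LDAP bind per
# listed account, but the bind result is classified instead of collapsed to True/False.
# Assumes PowerShell 5.1 or later on a domain-joined host and a users_list.txt in the
# "username,password" format from the question. Usernames are passed as-is; prefix them with
# DOMAIN\ (or use user@domain UPNs) if plain sAMAccountNames do not bind in your forest.
param(
    [string]$InputPath  = 'users_list.txt',
    [string]$OutputPath = 'users_out.txt'
)

# Standard Win32 logon error codes as HRESULTs (0x80070000 + code). ADSI surfaces them on a
# failed bind; confirm the mapping against your own domain controllers before trusting it.
$LogonErrors = @{
    '0x8007052E' = 'Changed'                # ERROR_LOGON_FAILURE (1326): initial password no longer valid
    '0x80070773' = 'StillInitialMustChange' # ERROR_PASSWORD_MUST_CHANGE (1907): correct, flagged for reset
    '0x80070532' = 'StillInitialExpired'    # ERROR_PASSWORD_EXPIRED (1330): correct, but expired
    '0x80070775' = 'LockedOut'              # ERROR_ACCOUNT_LOCKED_OUT (1909): cannot tell, retry later
    '0x80070533' = 'Disabled'               # ERROR_ACCOUNT_DISABLED (1331): cannot tell
}

function Test-InitialPassword {
    param([string]$UserName, [string]$Password)

    # Exactly one bind per account: a failed bind is one bad-password event against the
    # lockout threshold, so never loop this over several candidate passwords per user.
    try {
        $entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList '', $UserName, $Password
        # Reading NativeObject forces the bind; bad credentials throw rather than return $null.
        $null = $entry.psbase.NativeObject
        return 'StillInitial'
    } catch {
        # PowerShell wraps the ADSI COMException; walk to the innermost exception for its HRESULT.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        $code = '0x{0:X8}' -f $ex.HResult
        if ($LogonErrors.ContainsKey($code)) { return $LogonErrors[$code] }
        return "Unknown($code)"
    }
}

$results = foreach ($line in Get-Content -Path $InputPath) {
    if ([string]::IsNullOrWhiteSpace($line)) { continue }
    # Split on the first comma only so that passwords containing commas survive intact.
    $parts = $line -split ',', 2
    if ($parts.Count -ne 2) { Write-Warning "Skipping malformed line: $line"; continue }
    [pscustomobject]@{
        UserName = $parts[0].Trim()
        Status   = Test-InitialPassword -UserName $parts[0].Trim() -Password $parts[1]
    }
}

$results | Format-Table -AutoSize

# Only accounts that still accept the initial password go to the reset list. The must-change
# and expired variants are included because the password itself has not been changed.
$results |
    Where-Object { $_.Status -like 'StillInitial*' } |
    Select-Object -ExpandProperty UserName |
    Set-Content -Path $OutputPath

# users_list.txt holds plaintext passwords: delete it (and this output) once the resets are done.
```

Accounts reported as LockedOut or Disabled cannot be classified by a bind at all; re-run those after the lockout clears, or fall back to the hash comparison discussed further down.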

Shaun Vermaak, Senior Consultant

Commented:
Or, without testing accounts, you can simply pull their password hashes from AD:
https://www.experts-exchange.com/articles/29569/How-to-extract-hashes-from-IFM-backup.htm

You can convert the initial password to an MD5 hash and just search the result.
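As an added example, not code from the thread, here is the offline variant Shaun describes. It assumes the extracted hashes are in pwdump format (user:rid:lmhash:nthash:::), as produced by tools that read an ntds.dit/IFM export, and that the initial passwords have already been hashed the same way. One caveat a practitioner needs here: AD stores the NT hash, which is MD4 over the UTF-16LE encoding of the password, not MD5, so the initial passwords must be NT-hashed (for example with the tool that produced the dump, or DSInternals' ConvertTo-NTHash) for the search to match anything. Because the NT hash is unsalted, the same dump also answers the original question of which users picked the same password as each other. All sample data below is constructed, apart from the well-known NT hash of "password" and the empty LM hash.

```powershell
# Added example, not code from the thread: compare extracted NT hashes offline, so no bind
# attempts are made and no lockout counters move. Assumes a pwdump-format dump
# (user:rid:lmhash:nthash:::) such as tools that read an ntds.dit/IFM export produce.
# AD stores the NT hash (MD4 over the UTF-16LE password), which is unsalted: equal passwords
# give equal hashes, so "who still has the initial password" and "who shares a password"
# are both plain string comparisons once the initial passwords are hashed the same way.

# Constructed sample dump. aad3b435... is the empty LM hash; 8846f7ea... is the well-known
# NT hash of "password"; the remaining NT hashes are made-up placeholders.
$Dump = @'
john.smith:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
janet.jones:1106:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob.lee:1107:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
amy.chan:1108:aad3b435b51404eeaad3b435b51404ee:FEDCBA9876543210FEDCBA9876543210:::
'@

# Constructed "username -> NT hash of the initial password" table. Only john.smith's entry is a
# real NT hash (of "password"); compute the real ones with the tool that produced the dump or,
# for instance, DSInternals' ConvertTo-NTHash. Keep the plaintext list away from the dump.
$InitialNtHash = @{
    'john.smith'  = '8846f7eaee8fb117ad06bdd830b7586c'
    'janet.jones' = '11111111111111111111111111111111'
    'bob.lee'     = '22222222222222222222222222222222'
    'amy.chan'    = '33333333333333333333333333333333'
}

function Find-InitialAndSharedPasswords {
    param([string[]]$DumpLines, [hashtable]$InitialNtHash)

    # username -> current NT hash, normalised to lower case
    $current = @{}
    foreach ($line in $DumpLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split ':'
        if ($f.Count -lt 4 -or $f[3] -notmatch '^[0-9a-fA-F]{32}$') {
            Write-Warning "Skipping malformed line: $line"
            continue
        }
        $current[$f[0]] = $f[3].ToLower()
    }

    # Accounts whose current NT hash still equals the hash of their initial password.
    $unchanged = foreach ($u in $InitialNtHash.Keys) {
        if ($current.ContainsKey($u) -and $current[$u] -eq $InitialNtHash[$u].ToLower()) { $u }
    }

    # Accounts that share an NT hash with another account: same password, whatever it is.
    $shared = $current.GetEnumerator() |
        Group-Object -Property Value |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ NtHash = $_.Name; Users = @($_.Group | ForEach-Object Key | Sort-Object) }
        }

    [pscustomobject]@{
        Unchanged = @($unchanged | Sort-Object)
        Shared    = @($shared)
    }
}

$report = Find-InitialAndSharedPasswords -DumpLines ($Dump -split "`r?`n") -InitialNtHash $InitialNtHash
"Still using the initial password: $($report.Unchanged -join ', ')"
foreach ($g in $report.Shared) { "Same password ($($g.NtHash)): $($g.Users -join ', ')" }
# The dump is credential-equivalent material: treat it like a password file and destroy it afterwards.
```

Run as-is, it reports the one constructed account whose hash still matches its initial-password hash and the pair of accounts sharing a hash (the case difference on the fourth line shows why the hashes are normalised before grouping). Unlike the bind-based check, this works for locked-out and disabled accounts too, at the cost of handling a file that is equivalent to every user's password.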
