Audit your Active Directory user passwords with PowerShell or other free tools

Trust to your users is one thing but make sure that your user listening and really applying good password is another. It is good practice  to run quick audit on your user account passwords in Active Directory and found those weak passwords that can cause problems down the road. The password policy within Active Directory enforces password length, complexity, and history.  This does not in any way control what the password is, just how long it is and what characters are inside of it.  Many people will use easily guessable passwords like Company123 or Password!@# because they technically meet the standards but are easy for them to remember.

Here is short list what I am using from time to time to audit my user base passwords in Active Directory:

  1. THYCOTIC WEAK PASSWORD FINDER – free tool and great report options upon finishing up the scan.
  2. KNOWBE4 WEAK PASSWORD TEST – also free tool with great reporting options upon finishing up the scan.
  3. WEAK USER PASSWORD TOOL – not bad tool, also ability to export report to CSV file, not my favorite one.
  4. DSInternals PowerShell module — this is one of my favorite one as you can add more passwords to your Password list and run this PowerShell module quickly against your Active Directory

Here is the snippet for the DSInternal module in PowerShell:

Import-Module ActiveDirectory
Import-Module DSInternals
 
$DictFile = "C:\Scripts\passlist.txt"
$DC = "Domain Controller"
$Domain = "DC=Domain,DC=Domain"
$Dict = Get-Content $DictFile | ConvertTo-NTHashDictionary
 
Get-ADReplAccount -All -Server $DC -NamingContext $Domain | Test-PasswordQuality -WeakPasswordHashes $Dict -ShowPlainTextPasswords -IncludeDisabledAccounts | Out-File C:\Reports\Password_results.txt

If you want a good password list you can get the latest password list from this link: SkullSecurity.