Tech Thursday: Auditing Active Directory Password Strength

Last week, we talked about password expiration, and the recent guidance that recommends doing away with them. But, those same papers recommended that you should beef up your password security in other ways. One way is by auditing the strength of your current passwords.

A great way to audit your Active Directory passwords is by using the Test-PasswordQuality cmdlet included in the excellent DSInternals Powershell module. This cmdlet will run several checks against all of your AD account passwords, and give you the details so that you can take action to fix these weaknesses.

It’s important to note that DSInternals is a third-party tool, so be sure to take that into account before following these instructions.

Install DSInternals

If you’re running Powershell 5, you can use the Install-Module cmdlet to grab a copy of DSInternals from the official Powershell gallery:

Install-Module DSInternals

If you’re running an older version of Powershell, or need to install it on an internet-isolated system, head over to the GitHub page and grab the latest ZIP file.

Unzip this to one of the following Powershell directories:

  • C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DSInternals
  • C:\Users\%username%\Documents\WindowsPowerShell\Modules\DSInternals

Or, just use the Import-Module command to import DSInternals.psd1 from wherever you unzipped it.

Confirm that the module is installed by running Get-Command -Module DSInternals, which should list its cmdlets.

Setting Up the Test

To check your password quality against a list of known weak passwords, you’ll need to download a dictionary list. Weakpass.com has password lists of various lengths. A longer list will catch more weak passwords, but it will also take much longer to run. Start with the Top 100,000 weakest passwords, and then go up from there.

Download the list as a text file, and save it somewhere convenient. Then, convert the plaintext passwords to NTLM hashes using the ConvertTo-NTHashDictionary cmdlet:

$dict = Get-Content C:\Temp\PasswordList.txt | ConvertTo-NTHashDictionary

This will store your hashes in a variable so the Test-PasswordQuality cmdlet can use it later.

You’ll also need the name of your domain in LDAP format, e.g. dc=example,dc=com, and the name of your domain controller. We can store those in variables too:

$domain = "dc=example,dc=com"

$dc = "dc01.example.com"

Running the Test

Now that we have all those components, it’s time to pull all the AD objects along with their NTLM hashes, and run the report.

The Get-ADReplAccount cmdlet will get the accounts, then we’ll pass it to the Test-PasswordQuality cmdlet to check the results.

Get-ADReplAccount -All -Server $dc -NamingContext $domain | Test-PasswordQuality -WeakPasswordHashes $dict -ShowPlainTextPasswords -IncludeDisabledAccounts

This command will output a nice report that lists the following password issues:

  • Accounts with passwords stored using reversible encryption, or with weak LM hashes
  • Accounts with no password
  • Accounts using the same password
  • Accounts with passwords set to never expire
  • And, of course, accounts with passwords that were on the list of weak passwords you supplied

Once you have that report, you’ll need to decide what action to take. For any accounts with irregular password security, like never-expiring passwords, find out if there is a documented reason for that security exception.

You’ll also want to notify users whose passwords appeared on the weak password list. However, they may need some training to help them to come up with a more secure password. We’ll cover how you can tackle that in next week’s article.
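To turn the report into a prioritized to-do list, here is an added example script (not from the original post or from DSInternals) that runs the same audit without the -ShowPlainTextPasswords switch, then enriches each flagged account with its enabled state, last logon and privileged-group membership and writes a CSV. It assumes the report object exposes WeakPassword, EmptyPassword, PasswordNeverExpires and DuplicatePasswordGroups properties holding "DOMAIN\SamAccountName" strings, that the RSAT ActiveDirectory module is installed, and that the file paths, domain names and privileged group names are placeholders for your own.

```powershell
# Added example (not from the original post): audit without exposing plaintext
# passwords, then rank the findings so privileged, enabled accounts come first.
# Assumed report property names (check them with: $report | Get-Member):
#   WeakPassword, EmptyPassword, PasswordNeverExpires (arrays of "DOMAIN\sam")
#   DuplicatePasswordGroups (array of such arrays, one per shared password)
Import-Module DSInternals
Import-Module ActiveDirectory   # RSAT, for Get-ADUser / Get-ADPrincipalGroupMembership

$domain = "dc=example,dc=com"   # placeholder values, replace with your own
$dc     = "dc01.example.com"
$dict   = Get-Content C:\Temp\PasswordList.txt | ConvertTo-NTHashDictionary

# -ShowPlainTextPasswords is deliberately omitted; account names are enough to act on.
$report = Get-ADReplAccount -All -Server $dc -NamingContext $domain |
    Test-PasswordQuality -WeakPasswordHashes $dict -IncludeDisabledAccounts

# Groups that make a finding urgent (assumed names; adjust for your domain).
$privGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')

function Get-FindingRows {
    param([string]$Issue, [string[]]$Accounts)
    foreach ($acct in $Accounts) {
        $sam  = $acct.Split('\')[-1]   # strip the "DOMAIN\" prefix
        $user = Get-ADUser -Identity $sam -Server $dc -Properties LastLogonDate -ErrorAction SilentlyContinue
        if (-not $user) { continue }   # computer and trust accounts also appear; skip them here
        $groups = (Get-ADPrincipalGroupMembership -Identity $sam -Server $dc -ErrorAction SilentlyContinue).Name
        [pscustomobject]@{
            Issue          = $Issue
            SamAccountName = $sam
            Enabled        = $user.Enabled
            LastLogon      = $user.LastLogonDate
            Privileged     = [bool]($groups | Where-Object { $privGroups -contains $_ })
        }
    }
}

$rows  = @()
$rows += Get-FindingRows -Issue 'WeakPassword'         -Accounts $report.WeakPassword
$rows += Get-FindingRows -Issue 'EmptyPassword'        -Accounts $report.EmptyPassword
$rows += Get-FindingRows -Issue 'PasswordNeverExpires' -Accounts $report.PasswordNeverExpires
$g = 0   # duplicate passwords come grouped; tag each group so shared credentials stay visible
foreach ($group in $report.DuplicatePasswordGroups) {
    $g++
    $rows += Get-FindingRows -Issue "SharedPassword-$g" -Accounts $group
}

# Privileged and enabled accounts first, then everything else grouped by issue.
$rows | Sort-Object -Property @{Expression = 'Privileged'; Descending = $true },
                              @{Expression = 'Enabled'; Descending = $true }, Issue |
    Export-Csv -Path C:\Temp\PasswordAuditFindings.csv -NoTypeInformation
```

Treat the CSV as sensitive: it names every account with a weak or shared password, so store it where only the people remediating can read it.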

E-N Computers is here to help you with your IT security needs. Contact us today to find out why businesses all over Virginia, Maryland, and Washington, D.C. trust their IT resources to us.