Auditing Weak Passwords in Active Directory

The complexity of user passwords in an Active Directory domain is one of the most important elements in the security of user data and the overall infrastructure of the domain. Many users prefer the use of simple and easy to remember passwords, despite the recommendation not to use personal information, dictionary words and simple combinations as passwords. In this article we will show you how to verify Active Directory user passwords and how to find weak and simple passwords using PowerShell.

For example, even with a complex domain password policy, a user can technically set a weak or default password. B. Pa$w0rd or P@ssw0rd.


  • How do I install the DSInternals (Directory Services Internals) PowerShell module?
  • Search for weak Active Directory passwords using the cmdlet Test-PasswordQuality command.

How do I install the DSInternals (Directory Services Internals) PowerShell module?

To compare the password hashes of users stored in the Active Directory database (ntds.dit file) with the dictionary of plain and simple passwords, you can use the third party PowerShell tool, DSInternals. This module contains a set of commands to perform various actions on the AD database online or offline (directly from ntds.dit). We are particularly interested in the Test-PasswordQuality command, which allows us to detect users with weak, similar, default, empty (Password Not Required) passwords, or those whose passwords never expire.

Pay attention. Of course, user passwords cannot be extracted unencrypted from an AD database. Passwords stored in Active Directory will be hashed. However, you can compare AD users’ password hashes with word hashes from the dictionary file and find weak passwords.

In PowerShell version 5 (and later) you can install the DSInternals module online from the official PowerShell script gallery, as follows

DSInternals Installation Module

In earlier versions of PowerShell or in a disconnected environment, you should download a .zip archive of the latest version of the module from GitHub ( At the time of writing, the latest version of DSInternals was v4.4.1. Unpack this archive in one of the folders that contain the PowerShell modules:

  • C:Windows32WindowsPowerShellv1.0DSInternals modules
  • C:User%UserName%DocumentsWindowsPowerShellModuleDSInternals

Or import the DSInternals module into your current PowerShell session with this command:

Import modules C:distrPSDSInternalsDSInternals.psd1

If you receive an error while importing a module that cannot be loaded because script execution is disabled on that system, you must change PowerShell’s current execution policy to execute external PS scripts, at least in the current session:

Enforcement policy – Scope – Enforcement – Circumvention of policy – Strength

The list of available module commands can be viewed as follows:

Obtaining the command -Changing the DSInternals

Use the Test-PasswordQuality cmdlet to find weak passwords for Active Directory.

Then you need to create a password dictionary. This will be a simple text file with a list of weak passwords and other commonly used incorrect passwords. You can download a password dictionary file from the Internet or create one yourself. With the DSInternal module you can compare the password hashes of your users in Active Directory with the password hashes in this file. Save the passwords in the PasswordDict.txt text file.

Now create a small PowerShell script. In the following variables, enter the path to the password file, the domain name and the name of the :

$DictFile = C:distrPSDSInternalsPasswordDict.txt
$DC = lon-dc01
$Domain = DC=woshub,DC=loc

Then use the Get-ADReplAccount cmdlet to get a list of users in AD (e.g. Get-ADUser). Moreover, this command returns their NT and LM hashes and their hash history. Next, compare the password hashes for each user with the hashes in the dictionary file (the check is also performed with user accounts disabled):

Get-ADReplAccount -All -Server $DC -NameContext $Domain | TestPasswordsQuality -WeakPasswordsFile $DictFile -IncludedDiscreteAccounts

The result of the implementation of the scenario could be as follows

Active Directory Password Quality Report
These account passwords are stored with reversible encryption:
LM password hashes for these accounts are available:
These accounts have no passwords:
These account passwords can be found in the dictionary :
These account groups have the same password :
Group 1 :
Group 2 :
These computer accounts have standard passwords :
Kerberos AES keys are not present in these accounts:
Kerberos pre-authentication is not required for these accounts:
Only DES encryption is allowed for these accounts:
These administrative accounts may be delegated to the :
These account passwords never expire:
No password is required for these accounts:
These accounts, which require smartcard authentication, have a :

In previous versions of the DSInternal module, the ShowPlainText parameter was available to display the user’s password in plain text if the user’s hash was found in the dictionary. It is missing in the current version of Test-PasswordQuality. If you want to use an older version of the DSInternals module, install it with the command :

InstallModule -Title DSInternals -PequriedVerversion 2.23

A hash search is performed that includes the history of the user passwords stored in the AD. As you can see, AD users with simple passwords (passwords that match the dictionary) have been successfully found. Different users with the same password have also been found. This script helps you find accounts with simple passwords that are subject to a fine-grained password policy.

You can also perform an offline scan of the Active Directory database file (ntds.dit). You can obtain a copy of the ntds.dit file via a hidden copy or a backup of the domain controller.

To check usershashes in the ntds.dit file offline, use the following commands :

$keyboot= Get-BootKey -SystemHiveFilePath ‘C:ADBackupregistrySYSTEM’
Get-ADDBAccount -All -DatabasePath ‘C:ADBackupntds.dit -BootKey $keyboot | Test PasswordQuality -WeakPasswordsFile $DictFile

You can also export a list of all hashes to a text file:

Get-ADDBAccount -All -DBPath ‘C:ADBackupntds.dit’ -Bootkey $keyboot | Format-Custom -View HashcatNT | Out-File c:psad_hashes.txt -ASCII Encryption

There are no built-in tools to create a bad password list for Active Directory domain services. However, Azure AD Password Protection also allows you to lock (blacklist) certain passwords in your on-site Active Directory.

This script allows you to easily analyze the quality of the passwords of AD users and their resistance to brute force attacks, and draw conclusions about the current complexity of the password policy in the field. Active Directory administrators can (and should) perform these audits on a regular basis.

Related Tags:

alldocube x neo case,alldocube x review,chuwi hi9 plus xda,alldocube iplay 20 pro review,alldocube iplay 30,teclast t30 review,high tech tablets,chinese tablet reviews,new tablet news from china,telecast t30,alldocube iplay 20,alldocube x neo price,alldocube iplay 20 pro,teclast m40,teclast t30,teclast p20hd,alldocube x neo amazon,alldocube x neo aliexpress,alldocube x neo coupon,alldocube x neo malaysia,alldocube x user manual,alldocube x updates,alldocube x neo specs,alldocube x neo vs teclast t30,alldocube x neo vs iplay 20,alldocube x neo android 10,alldocube x neo snapdragon 660,alldocube iplay 20 review