no -passwordquality still gathers hashes
When running Get-WinADForestInformation without the -passwordquality switch, it still runs the Get-WinADDomainPassword function, which uses DSInternals' Get-ADReplAccount and gathers all of the users' hashes, which can set off security alerts. If wanting to run Get-WinADForestInformation and not have DSInternals run and not set off any security alerts due to password dumping, it would be nice if not including the -passwordquality switch would also not run the Get-WinADDomainPassword function.
From my understanding of the original script, it's not really a bug, because the current PasswordQuality switch is here to test against a hashes file.
But I agree, the current cmdlet raises security alerts.
Don't know how @PrzemyslawKlys wants to manage this but I can make a PR on this.
The simplest way is to remove the call to Get-WinADDomainPassword when PasswordQuality is present (some if to add). But maybe that is not intended.
It should be fixed, so simple fixes are the best. Especially since I believe this whole project needs a rebuild, but that is a bit complicated.
OK, I now see how that works. If you don't provide TypesRequired, it takes all types. PasswordQuality switch is pretty basic in what it does.
I wanted to check on this and see if the changes in the pull request by bastienperez fix the issue and can be committed?