
OU Exclusion request for Test-PasswordQuality

Open gw1966 opened this issue 4 years ago • 11 comments

Hi.

We have a couple of OUs where users' passwords don't expire for a particular reason.

I would like to exclude the accounts in those OUs from the Test-PasswordQuality "Passwords of these accounts will never expire" output.

Is this possible?

Thanks in advance. Grant.

gw1966 avatar Dec 02 '20 00:12 gw1966

Well, anything is possible in PowerShell, you just need to script it. Depending on your exact needs, you could do something like this:

# Run the quality test once and keep the report object so its sets can be edited
$results = Get-ADReplAccount -All -Server DC01 | Test-PasswordQuality
# The report stores accounts as "DOMAIN\SamAccountName", so the NetBIOS name is needed to build the key
$domainName = Get-ADDomain | Select-Object -ExpandProperty NetBIOSName
# Drop every account in the ignored OU from the PasswordNeverExpires set
Get-ADUser -SearchBase 'OU=IgnoredOU,DC=example,DC=com' -Filter * | ForEach-Object {
   $results.PasswordNeverExpires.Remove("$domainName\$($PSItem.SamAccountName)")
}

MichaelGrafnetter avatar Dec 03 '20 15:12 MichaelGrafnetter
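The same idea generalized to several OUs, as an added example that is not part of the thread or of the DSInternals project. It avoids the second Get-ADUser query by using the DistinguishedName and LogonName that Get-ADReplAccount already returns, so the exclusion also works when the RSAT module is not installed. The OU paths and the server name DC01 are constructed placeholders; the properties used (DistinguishedName, LogonName, PasswordNeverExpires) are the ones used elsewhere in this thread.

```powershell
# Added example: exclude accounts under several OUs from the PasswordNeverExpires finding.
# OU list and server name are constructed placeholders for illustration.
$excludedOUs = @(
    'OU=ServiceAccounts,DC=example,DC=com',
    'OU=Kiosks,DC=example,DC=com'
)

# Fetch the replicated accounts once; the same objects feed the test and the exclusion filter
$accounts = Get-ADReplAccount -All -Server DC01
$report   = $accounts | Test-PasswordQuality

# An account is excluded when its DN ends with one of the excluded OU paths.
# $dn is captured first because the inner Where-Object rebinds $_ to the OU string.
$excludedLogons = $accounts |
    Where-Object {
        $dn = $_.DistinguishedName
        ($excludedOUs | Where-Object { $dn -like "*,$_" }).Count -gt 0
    } |
    Select-Object -ExpandProperty LogonName

# Remove only from the "never expires" set; the accounts still take part in the
# duplicate-password and weak-password checks, which is usually what you want.
foreach ($logon in $excludedLogons) {
    [void] $report.PasswordNeverExpires.Remove($logon)
}

$report
```

Filtering the report after the test, rather than filtering the accounts before it, keeps the excluded accounts visible in the other findings; if you want them out of the whole report, apply the Where-Object to $accounts before piping into Test-PasswordQuality instead.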

Hi Michael, still playing with the script above. Slowly getting there.

Another enhancement request, if possible :)

Is there any way to list the Display names or descriptions of users in the output?

I am running the script to see if users are using the same password for their server logon account and notify them.

Problem is that I have to look up each logon name, as we use the employee ID number:

Group 14: NTSH\74653 NTSH\z74653

Would love to see something like

Group 14: NTSH\74653 - John Smith NTSH\z74653 - John Smith Server logon

Is this possible?

Thanks, Grant

gw1966 avatar Jan 05 '21 03:01 gw1966

Hi @gw1966 , Test-PasswordQuality is currently only storing strings (SamAccountName), so I would need to rewrite some portions of it. But it is a good idea.

In the meantime, you could try something like this:

Install-Module -Name ConvertADName -Force

Get-ADReplAccount -All -Server localhost |
    Test-PasswordQuality |
    Select-Object -ExpandProperty WeakPassword |
    ForEach-Object { Convert-ADName -InitType GC -OutputType Display -UserName $PSItem }

MichaelGrafnetter avatar Jan 05 '21 08:01 MichaelGrafnetter

Hi. I have tried this but don't seem to get any output?

The ConvertADName module seemed to install fine.

Using the normal command works fine.

Not sure what I am doing wrong?

Sorry, just learning PowerShell as we go along. Thanks, Grant

gw1966 avatar Jan 06 '21 00:01 gw1966

Hi Michael.

I have been on holiday and just got back, just wondering if you have had a play with the new feature yet?

I also have another suggestion, and I don't think any other product does this.

Is there a way to tell if a person has the same password from a previous date? For example, people can change their password back to the same one if they have the privilege or use a script to change it "x" number of times back to the same one. I know I can run a report on last changed password but it can never tell me if they have actually changed it to something else.

If the hash table could be saved encrypted and then compared to the downloaded hash table and then check the account name and highlight which account has the same password from last time?

Anyway, just an idea?

If these new features were added, I would actually be happy to "buy" this product.

Thanks, Grant

gw1966 avatar Jan 31 '21 05:01 gw1966

Hi. I have another enhancement request, we noticed a few people had changed the password in our network as per our policy every 30 days, but if they had the rights, they could change it back to the same password each time. Is there a way to compare Hash data for users to see if it's the same one dumped say 6 months ago to ensure they now have a totally different password?

I have looked on the internet and can't see if anyone is able to provide this script?

Thanks again in advance. Grant

gw1966 avatar Feb 18 '21 05:02 gw1966

@gw1966 Did they perform a password change or reset operation? Only admins can do a reset and thus bypass password history.

Hi. I have another enhancement request, we noticed a few people had changed the password in our network as per our policy every 30 days, but if they had the rights, they could change it back to the same password each time.

MichaelGrafnetter avatar Feb 23 '21 13:02 MichaelGrafnetter

Yes, our Domain Admin users and delegated staff have rights to change their own password back again, or just update their password before the expiry date to the same one. We also have some service accounts for applications where we just use normal user accounts with a password that never expires, which we should change on a regular basis, but we can't check if they were all done or not.

Thanks Grant

gw1966 avatar Feb 23 '21 20:02 gw1966

@gw1966 As a quick solution, you could compare historical hashes of an account using HashEqualityComparer.

MichaelGrafnetter avatar Mar 05 '21 09:03 MichaelGrafnetter
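One way to get the "same password as six months ago" check asked for above, as an added example that is not part of the thread or of the DSInternals project. Instead of persisting raw NT hashes, the script stores an HMAC-SHA256 of each hash under a locally generated key, so the snapshot file on its own cannot be fed to a cracker; two snapshots match exactly when the underlying NT hash is unchanged, which is all the comparison needs. The file paths, the server name DC01 and the key handling are assumptions; NTHash, SamAccountName and PasswordLastSet are properties of the objects Get-ADReplAccount returns.

```powershell
# Added example: detect accounts whose password hash has not changed since the last snapshot.
# Paths and server are constructed placeholders; protect the folder with a restrictive ACL.
$snapshotPath = 'C:\Secure\nthash-snapshot.csv'
$keyPath      = 'C:\Secure\snapshot.key'
$server       = 'DC01'

# Keyed hash so the snapshot does not contain the NT hashes themselves
function Get-KeyedHash([byte[]] $Data, [byte[]] $Key) {
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    try {
        [System.BitConverter]::ToString($hmac.ComputeHash($Data)).Replace('-', '')
    } finally {
        $hmac.Dispose()
    }
}

# Create the key once; the same key must be used for every snapshot that is compared
if (-not (Test-Path $keyPath)) {
    $key = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    [System.IO.File]::WriteAllBytes($keyPath, $key)
}
$key = [System.IO.File]::ReadAllBytes($keyPath)

# Current state: one row per account that has an NT hash
$current = Get-ADReplAccount -All -Server $server |
    Where-Object { $null -ne $_.NTHash } |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            KeyedHash       = Get-KeyedHash -Data $_.NTHash -Key $key
        }
    }

# Compare against the previous snapshot, if one exists
if (Test-Path $snapshotPath) {
    $previous = @{}
    Import-Csv -Path $snapshotPath | ForEach-Object {
        $previous[$_.SamAccountName] = $_
    }

    # Unchanged hash = same password, even if PasswordLastSet moved forward
    $current |
        Where-Object {
            $previous.ContainsKey($_.SamAccountName) -and
            $previous[$_.SamAccountName].KeyedHash -eq $_.KeyedHash
        } |
        Select-Object SamAccountName,
            @{ n = 'PreviousPasswordLastSet'; e = { $previous[$_.SamAccountName].PasswordLastSet } },
            @{ n = 'CurrentPasswordLastSet';  e = { $_.PasswordLastSet } }
}

# Replace the snapshot with the current state for the next run
$current | Export-Csv -Path $snapshotPath -NoTypeInformation
```

An account that shows up with a newer CurrentPasswordLastSet but the same keyed hash is the case Grant describes: the password was "changed" but set back to the old value. Accounts reset by an administrator will show up the same way, since a reset bypasses the history policy.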

Hi. I was just wondering if you ever got around to having the option to export a SamAccountName with your products output. I have tried all the above without luck so far :)

Grant

gw1966 avatar May 02 '21 23:05 gw1966

Hello @gw1966, I have a feeling that we are mixing too many things into this one thread. Another option would be doing something like this:

# Fetch the accounts once so the same objects can be tested and then looked up by name
$accounts = Get-ADReplAccount -All -Server localhost
# Test-PasswordQuality needs the accounts on its pipeline; extract the WeakPassword list from the report
$weakPassword = $accounts | Test-PasswordQuality | Select-Object -ExpandProperty WeakPassword
# Join the "DOMAIN\SamAccountName" strings back to the account objects to get display names
$accounts | Where-Object LogonName -in $weakPassword | Select-Object -Property SamAccountName,UserPrincipalName,DisplayName

MichaelGrafnetter avatar May 05 '21 19:05 MichaelGrafnetter
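The same join applied to the duplicate-password groups, which is the output Grant wanted annotated ("Group 14: NTSH\74653 - John Smith ..."). This is an added example, not code from the thread or from the DSInternals project. It assumes the report's DuplicatePasswordGroups property is a list of groups, each a list of "DOMAIN\SamAccountName" strings, matching the Group N: lines Test-PasswordQuality prints; LogonName and DisplayName are the account properties used in the reply above, and localhost is kept as the server name.

```powershell
# Added example: print duplicate-password groups with each member's display name.
$accounts = Get-ADReplAccount -All -Server localhost
$report   = $accounts | Test-PasswordQuality

# Index the accounts by the same "DOMAIN\SamAccountName" key the report uses
$byLogon = @{}
foreach ($account in $accounts) {
    if ($account.LogonName) {
        $byLogon[$account.LogonName] = $account
    }
}

# Resolve one "DOMAIN\sam" string to "DOMAIN\sam - Display Name", falling back to the bare key
function Format-Member([string] $Logon) {
    $account = $byLogon[$Logon]
    if ($account -and $account.DisplayName) {
        return "$Logon - $($account.DisplayName)"
    }
    return $Logon
}

# Emit one line per group, numbered the way the standard report numbers them
$groupIndex = 0
foreach ($group in $report.DuplicatePasswordGroups) {
    $groupIndex++
    $members = foreach ($logon in $group) { Format-Member -Logon $logon }
    "Group ${groupIndex}: " + ($members -join ', ')
}
```

Because the lookup is built from the replicated accounts themselves, no second query against Active Directory is needed, and the same $byLogon table can annotate any other list in the report (WeakPassword, PasswordNeverExpires, and so on) with a single Format-Member call per entry.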