Test Active Directory User Accounts for a Default Password with PowerShell

How do you control password resets in your environment? I’ve worked for numerous companies where their forgotten password reset process was all over the board. Hopefully you have a process in place that allows you to sleep at night. Even with the best policies and procedures in place, what happens when someone on your help desk staff resets a users password to some default password and forgets to set the account so the password has to be changed at next logon? Is the user still using that default password weeks later?

I decided to write a PowerShell script to test user accounts for just that exact scenario.

Test one or more Active Directory user accounts for a password of “Password1”:

Same test except using pipeline input of strings for the usernames:

Test all of the user accounts in a specific OU (Organizational Unit) in Active Directory:

Same as the previous example except only return the accounts where the password matched.

Be sure to test this and to get permission from someone in your chain of command before running it in a production environment. Be careful when using this function because it does count as a failed login for the user account if the password doesn’t match. It will show up on your audit login failures report if you’re performing any type of auditing for login failures. You could also end up locking out the user account if you run this enough times to meet the account lockout threshold set in your domain or in the fine grained password policies if they’re enabled in your environment.

The function shown in this blog article can be downloaded from my ActiveDirectory repository on GitHub.


Update: While at the  PowerShell + DevOps Global Summit this week, I was discussing this function with a group of attendees and I discovered that there’s a better way to accomplish this task. I’ll post a follow-up blog article next week.

µ

4 Comments

  1. mukeshshende

    Excellent post Mike!!!

    Reply
  2. Milosh

    Yes, validateCredentials method on instance of System.DirectoryServices.AccountManagement.PrincipalContext class… But slick script!

    Reply
  3. Jeroen M

    Thank you! I was searching for exactly something like this

    Reply
  4. Jeroen M

    Hi, the script is not working for me. If I run the script nothing happens. No error is given it just jumps to the next line no matter what Parameters I use.

    Reply

Leave a Reply

%d bloggers like this: