How to find weak passwords in Active Directory and eliminate them with PowerShell

Advertising – Weak or compromised passwords are a well-known gateway for attackers. If you can identify which users in Active Directory (AD) are at risk, PowerShell can help remedy the situation. However, PowerShell scripts cannot eliminate the basic deficits of AD password policies; other tools are needed for that.


Passwords can be cracked easily if they are too short or not complex enough, contain the user's name, or are a slight variation of previous passwords, such as appending digits or punctuation marks.

Another risk stems from the fact that many users reuse the same password at work as they do for their private accounts on social media or public websites. If these sites are hacked and the passwords leak, they can be used to attack AD accounts.

Low hurdle for passwords in AD

Active Directory password policies are hardly capable of preventing weak passwords. The complexity rules are predefined and cannot be adjusted; only the length and the validity period are configurable, and there is no out-of-the-box way to identify whether passwords have been compromised.

For this reason, users repeatedly assign weak passwords despite an active password policy. Therefore, in the interest of AD security, it is advisable to regularly check the directory for weak passwords.
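As an added example that is not part of the original post, the following PowerShell script shows what such a periodic check can cover with on-board means alone: it reads the default domain password policy and any fine-grained policies, flags settings that fall below thresholds chosen here as assumptions (14 characters, 24 history entries, 365 days), and exports the enabled accounts whose own flags undermine any policy. It assumes the RSAT ActiveDirectory module and read access to the domain; what it cannot do is compare password hashes against a breach list.

```powershell
# Added example (not from the original post): audit the domain password policy
# and account flags that make weak passwords more likely.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
# The thresholds below are assumptions for this example, not AD defaults.
Import-Module ActiveDirectory

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = @()
if (-not $policy.ComplexityEnabled)      { $findings += "complexity requirement is disabled" }
if ($policy.MinPasswordLength -lt 14)    { $findings += "minimum length is $($policy.MinPasswordLength) (below 14)" }
if ($policy.PasswordHistoryCount -lt 24) { $findings += "history keeps only $($policy.PasswordHistoryCount) passwords" }
if ($policy.ReversibleEncryptionEnabled) { $findings += "reversible encryption is enabled" }

$summary = if ($findings) { $findings -join '; ' } else { 'no obvious weaknesses' }
"Default domain password policy: $summary"

# Fine-grained password policies (PSOs) override the default for their subjects,
# so a weak PSO can undo a strong default policy
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, AppliesTo

# Enabled accounts whose flags bypass the policy: no password required,
# password never expires, or password older than the cut-off (assumed: 365 days)
$cutoff = (Get-Date).AddDays(-365)
Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordNotRequired, PasswordNeverExpires, PasswordLastSet |
    Where-Object {
        $_.PasswordNotRequired -or
        $_.PasswordNeverExpires -or
        ($null -ne $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff)
    } |
    Select-Object SamAccountName, PasswordNotRequired, PasswordNeverExpires, PasswordLastSet |
    Export-Csv -Path .\risky-password-settings.csv -NoTypeInformation
```

The exported CSV is the kind of list the remediation scripts further down consume; the accounts it contains are a superset of the weak-password population, because a long-lived or never-expiring password is not necessarily weak, only unaudited.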

Finding weak passwords in Active Directory

For this task we recommend the free Specops Password Auditor, which you can download here. The tool checks password hashes according to various criteria, such as whether multiple users are using the same password, whether they have expired, or whether accounts don't need a password at all.


In addition, the program compares all password hashes with an extensive and always up-to-date list of stolen passwords. For each of these criteria, Password Auditor generates a separate report, which can be exported in PDF or CSV format.

Figure: Specops Password Auditor generates several reports that help protect user accounts.

This information can be used to take action against the detected weaknesses; merely knowing which accounts have weak or compromised passwords is, of course, not enough!

Force password change with PowerShell

The following PowerShell fragment reads the report on all accounts with compromised passwords and forces each affected user to change their password the next time they log in. To let the users know the reason for this action, the script also sends them a short mail with an explanation.

# Each CSV row is processed in a ForEach-Object block; the "account" and
# "Email address" columns come from the Password Auditor report.
# The From address and SMTP server are placeholders that must be replaced.
Import-Csv -Path .\breached-PW-users.csv | ForEach-Object {
    $name = $_.account
    # Skip accounts whose password never expires; forcing a change on them fails
    Get-ADUser -Filter 'Name -like $name -and PasswordNeverExpires -eq $false' |
        Set-ADUser -ChangePasswordAtLogon:$true

    Send-MailMessage -To $_."Email address" -From "admin@example.com" `
        -Subject "Insecure password" -SmtpServer "smtp.example.com" `
        -Body "Please enter a secure password after your next login!"
}

By the way, the filter expression of Get-ADUser ensures that accounts whose password never expires are skipped. For these, setting ChangePasswordAtLogon would produce an error message.

The accounts whose password never expires are listed by Specops Password Auditor in a separate report. Using PowerShell, this status could be reset for those accounts as follows:

# Clear the "password never expires" flag for every account in the report
Import-Csv -Path .\PW-never-expires-users.csv | ForEach-Object {
    $name = $_.account
    Get-ADUser -Filter 'Name -like $name' |
        Set-ADUser -PasswordNeverExpires $false
}
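The two fragments above (forcing a change for compromised passwords, and clearing the never-expires flag) can be combined into one pass that no longer has to skip any account. The following function is an added example, not code from the original post or from Specops: it clears PasswordNeverExpires first so that the forced change no longer fails, matches the account name exactly instead of with -like, supports -WhatIf so the run can be rehearsed, and emits a record per account that can be kept as a log. It assumes the ActiveDirectory module, the report's "account" and "Email address" columns, and placeholder mail settings that must be replaced.

```powershell
# Added example (not from the original post): one remediation pass for the
# compromised-password report that also handles never-expiring accounts.
# Assumes the RSAT ActiveDirectory module; SmtpServer and From are placeholders.
Import-Module ActiveDirectory

function Invoke-BreachedPasswordRemediation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ReportPath,
        [string] $SmtpServer = 'smtp.example.com',   # placeholder, replace
        [string] $From       = 'it-security@example.com'   # placeholder, replace
    )

    foreach ($row in Import-Csv -Path $ReportPath) {
        $sam = $row.account
        # Exact match on the account name; a -like pattern with wildcards could hit several users
        $user = Get-ADUser -Filter 'SamAccountName -eq $sam' -Properties PasswordNeverExpires
        if (-not $user) {
            Write-Warning "Account '$sam' from the report was not found; skipping"
            continue
        }

        $cleared = $false
        $forced  = $false

        # Step 1: clear the never-expires flag, otherwise step 2 errors out
        if ($user.PasswordNeverExpires -and
            $PSCmdlet.ShouldProcess($sam, 'Clear PasswordNeverExpires')) {
            Set-ADUser -Identity $user -PasswordNeverExpires $false
            $cleared = $true
        }

        # Step 2: require a new password at the next logon
        if ($PSCmdlet.ShouldProcess($sam, 'Force password change at next logon')) {
            try {
                Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
                $forced = $true
            }
            catch {
                Write-Warning "Could not flag '$sam' for a password change: $_"
            }
        }

        # Step 3: tell the user why, but only if the change was actually enforced
        if ($forced -and $row.'Email address') {
            Send-MailMessage -To $row.'Email address' -From $From -SmtpServer $SmtpServer `
                -Subject 'Insecure password' `
                -Body 'Your password appeared in a list of compromised passwords. Please choose a new, secure password at your next login.'
        }

        # One record per account, suitable for a log of what was done
        [pscustomobject]@{
            Account             = $sam
            NeverExpiresCleared = $cleared
            ChangeForced        = $forced
        }
    }
}

# Rehearse first, then run for real and keep the log
Invoke-BreachedPasswordRemediation -ReportPath .\breached-PW-users.csv -WhatIf
Invoke-BreachedPasswordRemediation -ReportPath .\breached-PW-users.csv |
    Export-Csv -Path .\remediation-log.csv -NoTypeInformation
```

Clearing the never-expires flag deliberately comes before forcing the change, since an account with a compromised password that is also exempt from expiry is the worst combination of the two reports; the -WhatIf run lists exactly which accounts would be touched before any attribute is written.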

Limitations of this solution

It is obvious that such a home-made solution has some shortcomings. For example, because of the limited AD password policy, users can assign weak passwords again the next time they log on. Usually, users do not even know which criteria their passwords have to meet.

Likewise, compromised passwords can get into the system again, because they are not checked and rejected when the password is changed. All in all, one would have to run the auditor and the above PowerShell scripts several times a month to eliminate unsuitable passwords.

Eliminate bad passwords from the start

Specops Password Policy, a solution developed by Specops Software, closes these loopholes. With it, practically any rules can be specified as to what a new password should look like. Among other things, admins can use it to enforce the use of passphrases instead of passwords.

Specops Password Policy makes it easy to meet the regulatory requirements of authorities such as the NCSC, Cyber Essentials, PCI DSS, SANS or NIST.

Users can see as they type whether passwords meet the desired criteria and receive precise information about which characters are still required or when the necessary length has been reached.

Figure: Specops Password Policy shows the user which requirements the new password must meet when it is changed.

In addition, Specops Password Policy immediately checks the new passwords against a regularly updated list of more than 2 billion compromised passwords, thus ensuring that they do not enter Active Directory in the first place.

For more information and a free demo of Password Policy, visit this page. Are you interested in our prices? Then you can send a request directly here.

This is a paid contribution from Specops Software.
