Monitor Password Policy

Based on what we have learned from deploying longer passwords in real-world environments, a 12-character minimum password length in the default domain policy should be a baseline goal for any Domain Administrator, applied to all user objects. Depending on business and support requirements, that goal may not be achievable without third-party solutions that take the burden of password storage off employees' memory, and without accounting for applications that depend on user objects. Introduced in Windows Server 2008, Microsoft's Fine Grained Password Policies allow us to target specific classes of employees, such as Tier 0 and Tier 1 administrators, Finance, or VIPs, with stricter requirements. A combination of training and Fine Grained Password Policies can lead your organization to meet that 12-character baseline over time.

At a basic level, an Active Directory administrator needs to understand the scope of user objects that lie outside the baseline standards. Here are some simple Active Directory queries using PowerShell that generate quick reports of user objects not meeting your Domain Password Policy, based on password age and password encryption state. They are useful for tracking progress over time as you remediate user objects that fall outside the default domain policy. If a rigorous reporting regimen over Active Directory is not already in place, it can start with simple PowerShell scripts like these. To run these code snippets, you need access to the Active Directory PowerShell module and read rights to the Active Directory domain.
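The following script is an added example, not part of the original article or its scripts. It ties together the two ideas above: it creates a Fine Grained Password Policy for a Tier 0 administrator group and then reports which enabled user objects still resolve to a policy below the 12-character baseline, so coverage can be tracked over time. The group name 'Tier0-Admins', the policy name 'Tier0-Admins-PSO' and the chosen policy values are assumptions; the account running it needs Domain Admin rights for the policy change and read rights for the audit.

```powershell
# Added example (not from the original article). Assumed names: 'Tier0-Admins' group,
# 'Tier0-Admins-PSO' policy. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$PolicyName   = 'Tier0-Admins-PSO'   # assumed policy name
$SubjectGroup = 'Tier0-Admins'       # assumed group receiving the stricter policy
$Baseline     = 12                   # character baseline from the article

# 1. Create the PSO once. A lower Precedence wins when several PSOs cover one user,
#    so the Tier 0 policy gets a low number. Values below are assumptions, not guidance.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 `
        -MinPasswordLength 15 -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
    Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $SubjectGroup
}

# 2. Audit every enabled user against the baseline. The resultant policy already
#    accounts for PSO precedence; when no PSO applies it is empty and the
#    Default Domain Policy is what the user actually gets.
$TimeStamp     = Get-Date -Format 'yyyyMMddHHmmss'
$DefaultPolicy = Get-ADDefaultDomainPasswordPolicy

$Report = Get-ADUser -Filter { Enabled -eq $true } | ForEach-Object {
    $Resultant = Get-ADUserResultantPasswordPolicy -Identity $_
    $MinLength = if ($Resultant) { $Resultant.MinPasswordLength } else { $DefaultPolicy.MinPasswordLength }
    [PSCustomObject]@{
        SamAccountName    = $_.SamAccountName
        DistinguishedName = $_.DistinguishedName
        AppliedPolicy     = if ($Resultant) { $Resultant.Name } else { 'Default Domain Policy' }
        MinPasswordLength = $MinLength
        MeetsBaseline     = ($MinLength -ge $Baseline)
    }
}

# Only the accounts below the baseline go to the CSV; the count is the progress metric.
$Below = @($Report | Where-Object { -not $_.MeetsBaseline })
$Below |
    Export-Csv -Path (Join-Path -Path '.' -ChildPath "$TimeStamp-BelowLengthBaselineAccounts.csv") -NoTypeInformation
Write-Host "$($Below.Count.ToString('#,##0')) of $($Report.Count.ToString('#,##0')) enabled accounts resolve to a minimum password length below $Baseline characters." -ForegroundColor 'Red'
```

Re-running the audit after each remediation round (or after raising the Default Domain Policy itself) shows how many accounts are still short of the baseline without touching any password.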

Accounts outside of the Domain Password Age Policy

This PowerShell code will retrieve the current Domain Password Policy for maximum password age and find all user objects that violate that policy or have not set their password yet. The result will be saved to a comma separated values (CSV) file named PasswordAgeOutsidePolicyAccounts.csv with the current timestamp as a prefix.

# Export-ExceedsDomainPasswordAge.ps1
# Requires the Active Directory PowerShell module and read rights to the domain.
Import-Module ActiveDirectory
$TimeStamp = Get-Date -Format 'yyyyMMddHHmmss'
$MaxPasswordAgeInDays = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
# A MaxPasswordAge of 0 means the domain policy never expires passwords; the age check
# would then flag every account, so stop and report that instead.
if ($MaxPasswordAgeInDays -le 0) {
    Write-Warning 'The Default Domain Policy does not expire passwords (MaxPasswordAge is 0); nothing to compare against.'
    return
}
$MaxAgeDate = (Get-Date).AddDays(-$MaxPasswordAgeInDays)
$PropertyList = @('Enabled','PasswordLastSet','Name','GivenName','SurName','SamAccountName','UserPrincipalName','DistinguishedName','manager')
# PasswordLastSet older than the cutoff, or never set at all (no value on the attribute).
[System.Array]$ExportData = Get-ADUser -Filter { PasswordLastSet -lt $MaxAgeDate -or PasswordLastSet -notlike '*' } -Properties $PropertyList
$ExportData |
    Select-Object -Property $PropertyList |
    Export-Csv -Path (Join-Path -Path '.' -ChildPath "$TimeStamp-PasswordAgeOutsidePolicyAccounts.csv") -NoTypeInformation
Write-Host "$($ExportData.Count.ToString('#,##0')) accounts are outside of the Domain Password Policy Age of $MaxPasswordAgeInDays days." -ForegroundColor 'Red'

Accounts set to Password Never Expires

This PowerShell code will retrieve all user objects where the password has been set to never expire. The result will be saved to a CSV file named PasswordNeverExpiresAccounts.csv with the current timestamp as a prefix.

# Export-PasswordNeverExpires.ps1
# Requires the Active Directory PowerShell module and read rights to the domain.
Import-Module ActiveDirectory
$TimeStamp = Get-Date -Format 'yyyyMMddHHmmss'
$PropertyList = @('Enabled', 'PasswordLastSet', 'Name', 'GivenName', 'SurName', 'SamAccountName', 'UserPrincipalName','DistinguishedName', 'manager')
# PasswordNeverExpires is the DONT_EXPIRE_PASSWORD bit of userAccountControl, exposed as a boolean.
[System.Array]$ExportData = Get-ADUser -Filter { PasswordNeverExpires -eq $true } -Properties $PropertyList
$ExportData |
    Select-Object -Property $PropertyList |
    Export-Csv -Path (Join-Path -Path '.' -ChildPath "$TimeStamp-PasswordNeverExpiresAccounts.csv") -NoTypeInformation
Write-Host "$($ExportData.Count.ToString('#,##0')) accounts are set to password never expires." -ForegroundColor 'Red'

Accounts with Reversible Encryption

While not common in organizations, Innova Solutions architects do discover objects with weak password encryption. With this flag turned on, the password is stored in a form that can be decrypted back to cleartext, so these user objects are no challenge for even the most basic password cracking tools. This PowerShell code will retrieve the user objects with reversible encryption enabled. If any are discovered, the result will be saved to a CSV file named ReversibleEncryptionAccounts.csv with the current timestamp as a prefix.

# Export-ReversibleEncryption.ps1
# Requires the Active Directory PowerShell module and read rights to the domain.
Import-Module ActiveDirectory
$TimeStamp = Get-Date -Format 'yyyyMMddHHmmss'
$PropertyList = @('Enabled', 'PasswordLastSet', 'Name', 'GivenName', 'SurName', 'SamAccountName', 'UserPrincipalName', 'DistinguishedName', 'manager')
# 128 (0x80) is the ENCRYPTED_TEXT_PWD_ALLOWED bit of userAccountControl.
[System.Array]$ExportData = Get-ADUser -Filter { userAccountControl -band 128 } -Properties $PropertyList
if ($ExportData.Count -gt 0) {
    $ExportData |
        Select-Object -Property $PropertyList |
        Export-Csv -Path (Join-Path -Path '.' -ChildPath "$TimeStamp-ReversibleEncryptionAccounts.csv") -NoTypeInformation
    Write-Host "$($ExportData.Count.ToString('#,##0')) accounts have reversible encryption enabled." -ForegroundColor 'Red'
}
else {
    Write-Host 'No accounts have reversible encryption enabled.' -ForegroundColor 'Green'
}
