Reporting on the weak password results in DSInternals


Kurt Buff, GSEC/GCIH/PCIP

Oct 5, 2020, 6:58:53 PM
to ntpowe...@googlegroups.com
This gets me data that I have been manually massaging into Excel, which is a pain - I want to run the report once a month, and perhaps ad hoc on occasion.
Get-ADReplAccount -All -Server dc1 -NamingContext "dc=example,dc=org" | Test-PasswordQuality -WeakPasswordHashesFile c:\temp\pwned-passwords-ntlm-ordered-by-hash-v6.txt

What I want is one samAccountName per line, with the results columns ticked for each attribute that affects that account (except the group number of the shared passwords)

So, one entry might look like this:
ID    | PWDLastSet       | LM Hash Present | Found in Dictionary | Same Password | KerbMissingAESKey | DelegationToServiceAllowed | PWDNeverExpires | PWDNotRequired
User1 | 2018-09-06 09:22 |                 |                     | Group06       |                   | x                          | x               |

If you follow that out, you'll see that User1 had the password changed a long time ago, that its password is shared in group 6, that the account is allowed to be delegated to a service and that the password is set to never expire.

The password last set date comes from a separate query, so it's not hugely important to have that field immediately available.

So, I broke it out a little bit, into this:

$Repl = Get-ADReplAccount -All -Server gfcdc0 -NamingContext "dc=csww,dc=lan"

$pwdResults = $Repl | Test-PasswordQuality -WeakPasswordHashesFile c:\temp\pwned-passwords-ntlm-ordered-by-hash-v6.txt

I piped the output of $pwdResults to gm, and that looks straightforward, but each of the properties seems to consist of a header line and then the set of samAccountNames within that attribute, and I can't figure out how to parse it out.
$pwdResults | gm
   TypeName: DSInternals.PowerShell.PasswordQualityTestResult
Name                       MemberType Definition
----                       ---------- ----------
Equals                     Method     bool Equals(System.Object obj)
GetHashCode                Method     int GetHashCode()
GetType                    Method     type GetType()
ToString                   Method     string ToString()
AESKeysMissing             Property   System.Collections.Generic.ISet[string] AESKeysMissing {get;set;}
ClearTextPassword          Property   System.Collections.Generic.ISet[string] ClearTextPassword {get;set;}
DefaultComputerPassword    Property   System.Collections.Generic.ISet[string] DefaultComputerPassword {get;set;}
DelegatableAdmins          Property   System.Collections.Generic.ISet[string] DelegatableAdmins {get;set;}
DESEncryptionOnly          Property   System.Collections.Generic.ISet[string] DESEncryptionOnly {get;set;}
DuplicatePasswordGroups    Property   System.Collections.Generic.IEnumerable[System.Collections.Generic.ISet[string]] DuplicatePasswordGroups {get;set;}
EmptyPassword              Property   System.Collections.Generic.ISet[string] EmptyPassword {get;set;}
LMHash                     Property   System.Collections.Generic.ISet[string] LMHash {get;set;}
PasswordNeverExpires       Property   System.Collections.Generic.ISet[string] PasswordNeverExpires {get;set;}
PasswordNotRequired        Property   System.Collections.Generic.ISet[string] PasswordNotRequired {get;set;}
PreAuthNotRequired         Property   System.Collections.Generic.ISet[string] PreAuthNotRequired {get;set;}
SmartCardUsersWithPassword Property   System.Collections.Generic.ISet[string] SmartCardUsersWithPassword {get;set;}
WeakPassword               Property   System.Collections.Generic.ISet[string] WeakPassword {get;set;}

Any pointers on this would be appreciated.

Kurt

Michael B. Smith

Oct 5, 2020, 7:27:25 PM
to ntpowe...@googlegroups.com

ISet[String] is just an ordered collection of strings. So,

$count = 0
foreach( $user in $pwdResults.PasswordNeverExpires )
{
    $count++
    if( $count -eq 1 )
    {
        continue ## throw away first line
    }
    $user
}

But you probably don't need that. If you already have your list of sAMAccountNames:

foreach( $a in $list )
{
    if( $pwdResults.PasswordNeverExpires.Contains( $a ) )
    {
        ## check that box
    }
    else
    {
        ## uncheck the box
    }
}
--
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/CADy1Ce5Z5HJmaymZdVJGuai891BWZkaDPg2f3kd66fWXU1JpQA%40mail.gmail.com.
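The following is an added example, not code from the thread and not part of the DSInternals project, that puts Kurt's requested one-row-per-account layout and Michael's Contains() test together. It assumes $pwdResults is the PasswordQualityTestResult produced exactly as in the first post; the only DSInternals names it relies on are the property names shown by "$pwdResults | gm". The function name ConvertTo-PasswordQualityReport, the report column names, the sample accounts in New-SampleResult and the Group01/Group02 labels are all my own choices. The sets are iterated directly: the header line seen on the console is added by PowerShell's formatter when the result is displayed, it is not an element of the ISet, so no member is skipped.

```powershell
# Added example (not from the thread or the DSInternals project): flatten a
# DSInternals PasswordQualityTestResult into one row per sAMAccountName.
# Assumes $pwdResults was produced as in the thread:
#   $pwdResults = $Repl | Test-PasswordQuality -WeakPasswordHashesFile <file>
# The property names below are the ones listed by "$pwdResults | gm".

# Result-set property -> report column (column names are my choice, not DSInternals').
$FindingColumns = [ordered]@{
    LMHash                     = 'LMHashPresent'
    WeakPassword               = 'FoundInDictionary'
    AESKeysMissing             = 'KerbMissingAESKey'
    DelegatableAdmins          = 'DelegationToServiceAllowed'
    PasswordNeverExpires       = 'PWDNeverExpires'
    PasswordNotRequired        = 'PWDNotRequired'
    PreAuthNotRequired         = 'PreAuthNotRequired'
    EmptyPassword              = 'EmptyPassword'
    ClearTextPassword          = 'ClearTextPassword'
    DESEncryptionOnly          = 'DESEncryptionOnly'
    DefaultComputerPassword    = 'DefaultComputerPassword'
    SmartCardUsersWithPassword = 'SmartCardUsersWithPassword'
}

function ConvertTo-PasswordQualityReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $Result,   # DSInternals.PowerShell.PasswordQualityTestResult
        [string[]] $Account = @()         # optional: accounts to list even when they have no findings
    )

    # Number the duplicate-password groups so each member gets a "Group06"-style label.
    $groupOf = @{}
    $n = 0
    foreach ($group in $Result.DuplicatePasswordGroups) {
        $n++
        foreach ($member in $group) { $groupOf[$member] = 'Group{0:D2}' -f $n }
    }

    # One row per account that appears in any finding set, any group, or the caller's list.
    $names = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($a in $Account) { [void]$names.Add($a) }
    foreach ($prop in $FindingColumns.Keys) {
        foreach ($a in $Result.$prop) { [void]$names.Add($a) }
    }
    foreach ($a in $groupOf.Keys) { [void]$names.Add($a) }

    foreach ($name in ($names | Sort-Object)) {
        $row = [ordered]@{ ID = $name; SamePassword = $groupOf[$name] }
        foreach ($prop in $FindingColumns.Keys) {
            # ISet.Contains is the same test Michael suggested: "x" ticks the box, blank unticks it.
            $set = $Result.$prop
            $row[$FindingColumns[$prop]] = if ($null -ne $set -and $set.Contains($name)) { 'x' } else { '' }
        }
        [pscustomobject]$row
    }
}

# Constructed sample standing in for $pwdResults, so the report can be tried offline.
function New-Set {
    param([string[]] $Members = @())
    [System.Collections.Generic.HashSet[string]]::new([string[]]$Members, [StringComparer]::OrdinalIgnoreCase)
}
function New-SampleResult {
    [pscustomobject]@{
        AESKeysMissing             = New-Set
        ClearTextPassword          = New-Set
        DefaultComputerPassword    = New-Set
        DelegatableAdmins          = New-Set 'User1'
        DESEncryptionOnly          = New-Set
        DuplicatePasswordGroups    = @( (New-Set 'svc1', 'svc2'), (New-Set 'User1', 'User3') )
        EmptyPassword              = New-Set
        LMHash                     = New-Set 'User3'
        PasswordNeverExpires       = New-Set 'User1', 'svc1'
        PasswordNotRequired        = New-Set
        PreAuthNotRequired         = New-Set
        SmartCardUsersWithPassword = New-Set
        WeakPassword               = New-Set 'User3'
    }
}

# Offline run against the constructed sample; User2 is listed with every box blank.
ConvertTo-PasswordQualityReport -Result (New-SampleResult) -Account 'User2' | Format-Table -AutoSize

# Monthly run against real data, straight to CSV for the spreadsheet:
# ConvertTo-PasswordQualityReport -Result $pwdResults | Export-Csv .\pwdquality.csv -NoTypeInformation
```

The group label is derived from the position of each set in DuplicatePasswordGroups, so it is only stable within one run; if the report is diffed month to month, compare the membership of the sets rather than the Group numbers. The PWDLastSet column is intentionally absent, as it comes from a separate query in Kurt's setup.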

Kurt Buff, GSEC/GCIH/PCIP

Oct 8, 2020, 1:22:12 PM
to ntpowe...@googlegroups.com
Per our offlist conversation, sorry for the lack of response. I'm hoping to get to this shortly - things have gotten hectic.

Kurt
