OU Exclusion request for Test-PasswordQuality #115
Comments
Well, anything is possible in PowerShell, you just need to script it. Depending on your exact needs, you could do something like this:

```powershell
# Run the password quality test against all accounts replicated from the DC
$results = Get-ADReplAccount -All -Server DC01 | Test-PasswordQuality
$domainName = Get-ADDomain | Select-Object -ExpandProperty NetBIOSName
# Drop the accounts in the ignored OU from the "password never expires" list
Get-ADUser -SearchBase 'OU=IgnoredOU,DC=example,DC=com' -Filter * | ForEach-Object {
    $results.PasswordNeverExpires.Remove("$domainName\$($PSItem.SamAccountName)")
}
```
Hi Michael, still playing with the script above. Slowly getting there. Another enhancement request, if possible :) Is there any way to list the display names or descriptions of users in the output? I am running the script to see if users are using the same password for their server logon account and notify them. Problem is that I have to look up each logon name as we use the employee ID number. Group 14: Would love to see something like Group 14: Is this possible? Thanks, Grant
Hi @gw1966, Test-PasswordQuality is currently only storing strings (SamAccountName), so I would need to rewrite some portions of it. But it is a good idea. In the meantime, you could try something like this:

```powershell
Install-Module -Name ConvertADName -Force
Get-ADReplAccount -All -Server localhost |
    Test-PasswordQuality |
    Select-Object -ExpandProperty WeakPassword |
    ForEach-Object { Convert-ADName -InitType GC -OutputType Display -UserName $PSItem }
```
Hi Michael. I have been on holiday and just got back, just wondering if you have had a play with the new feature yet? I also have another suggestion, and I don't think any other product does this. Is there a way to tell if a person has the same password from a previous date? If the hash table could be saved encrypted and then compared to the downloaded hash table and then check the account name and highlight which account has the same password from last time? Anyway, just an idea. If these new features were added, I would actually be happy to "buy" this product. Thanks, Grant

Hi. I have another enhancement request. We noticed a few people had changed the password in our network as per our policy every 30 days, but if they had the rights, they could change it back to the same password each time. Is there a way to compare hash data for users to see if it's the same one dumped say 6 months ago to ensure they now have a totally different password? I have looked on the internet and can't see if anyone is able to provide this script. Thanks again in advance.
@gw1966 Did they perform a password change or reset operation? Only admins can do a reset and thus bypass password history.
Yes, our Domain Admin users and delegated staff have rights to change their own password back again or just update their password before the expiry date to the same one. We also have some service accounts for applications, where we just use normal user accounts with a password that never expires, that we should change on a regular basis, but we can't check if they were all done or not. Thanks
@gw1966 As a quick solution, you could compare historical hashes of an account using HashEqualityComparer.
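One way to run the history comparison discussed above, as an added example that is not part of any comment in this thread and is not DSInternals code. It compares hashes as hex strings instead of calling HashEqualityComparer; the function names are hypothetical, the sample accounts are constructed, and it assumes the `NTHash` and `NTHashHistory` properties of the account objects returned by `Get-ADReplAccount`, with history entry 0 being the current password.

```powershell
# Added example (not from the thread): report accounts whose current NT hash
# also occurs further back in their own NT hash history.
function ConvertTo-HashKey {
    param([byte[]] $Hash)
    # Hex string, so two hashes can be compared by value
    [System.BitConverter]::ToString($Hash)
}

function Find-ReusedPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $Account
    )
    process {
        # Accounts without a password hash or history cannot be assessed
        if ($null -eq $Account.NTHash -or $null -eq $Account.NTHashHistory) { return }

        $current = ConvertTo-HashKey $Account.NTHash
        $matchedAt = @()
        $index = 0
        foreach ($old in $Account.NTHashHistory) {
            $sameHash = (ConvertTo-HashKey $old) -eq $current
            # Assumption: entry 0 of the history is the current password itself
            if ($sameHash -and $index -gt 0) { $matchedAt += $index }
            $index++
        }
        if ($matchedAt.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName   = $Account.SamAccountName
                HistoryPositions = $matchedAt
            }
        }
    }
}

# Constructed sample data (not real hashes); property names mirror DSInternals accounts
$hA = [byte[]](,0x11 * 16); $hB = [byte[]](,0x22 * 16); $hC = [byte[]](,0x33 * 16)
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-app'; NTHash = $hA; NTHashHistory = @($hA, $hB, $hA) }
    [pscustomobject]@{ SamAccountName = '100234';  NTHash = $hC; NTHashHistory = @($hC, $hB, $hA) }
)
$sample | Find-ReusedPassword   # pipe Get-ADReplAccount output here for real data
```

The check only reaches as far back as the number of history entries the domain keeps, so a password reused after it has aged out of the history is not detected this way.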
Hi. I was just wondering if you ever got around to having the option to export a SamAccountName with your product's output. I have tried all the above without luck so far :) Grant
Hello @gw1966, I have a feeling that we are mixing too many things into this one thread.

```powershell
# Keep the full account objects so their properties can be listed afterwards
$accounts = Get-ADReplAccount -All -Server localhost
$weakPassword = $accounts | Test-PasswordQuality | Select-Object -ExpandProperty WeakPassword
# Match the reported logon names back to the account objects
$accounts | Where-Object LogonName -in $weakPassword | Select-Object -Property SamAccountName,UserPrincipalName,DisplayName
```
Hi.
We have a couple of OUs where users' passwords don't expire for a particular reason.
I would like to exclude the accounts in those OUs from the Test-PasswordQuality "Passwords of these accounts will never expire" output.
Is this possible?
Thanks in advance.
Grant.