I’m a big fan of Michael Grafnetter’s excellent DSInternals module for PowerShell. I periodically use it to audit our AD instance, and pass the results along to our Security Admin for any followup that needs to happen. I usually use Have I Been Pwned’s password dump, but you can provide any file containing passwords. The scariest part is that it takes under 5 minutes to compare your AD records against 613 million passwords… and most of that time is enumerating the AD accounts.
Here’s how to run it against your AD instance. One thing to know before you start: Get-ADReplAccount pulls the password hashes over the directory replication protocol, so the account you run it as needs the "Replicating Directory Changes All" right (Domain Admins have it by default), the session ends up holding NT hashes for every account, and to any monitoring you have the run looks exactly like a DCSync attack, so give your SOC a heads-up first.
- Download the latest NTLM dump, ordered by hash, from Have I Been Pwned? (the "ordered by hash" variant matters; the cmdlet binary-searches the file, so the "ordered by prevalence" variant will not work).
- Load PowerShell.
- Install the module:

```powershell
Install-Module DSInternals -Force
```

- Run the cmdlets (the DC name, naming context and dump path are placeholders for your own environment):

```powershell
$DictFile = "d:\pwned-passwords-ntlm-ordered-by-hash-v5.txt"
$DC = "dc01"
$Domain = "DC=company,DC=com"
Get-ADReplAccount -All -Server $DC -NamingContext $Domain | Test-PasswordQuality -WeakPasswordHashesSortedFile $DictFile -IncludeDisabledAccounts
```
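The whole procedure above wrapped into a reusable script, as an added example that is not code from the original post or from the DSInternals project. It pulls the accounts once (a single replication pass), sanity-checks the dump file before the expensive part runs, and flattens the report into a CSV a security admin can work from. It assumes DSInternals is installed, that the caller holds replication rights on the DC, that the dump is the HIBP NTLM "ordered by hash" file (uppercase hex, optionally followed by ":count"), and that the report's property names (WeakPassword, EmptyPassword, DuplicatePasswordGroups and so on) and the DSAccount Enabled property are those of the DSInternals version I tested; the placeholder values for the DC, naming context and dump path are the same ones the post uses.

```powershell
# Added example, not code from the original post or from DSInternals itself.
# Wraps the Get-ADReplAccount | Test-PasswordQuality pipeline so the accounts
# are replicated once, the dump is checked up front, and findings land in a CSV.
#
# Assumptions (not stated on the original page):
#  - DSInternals is installed and the caller has "Replicating Directory
#    Changes All" on $Server.
#  - $WeakHashFile is the HIBP NTLM dump "ordered by hash".
#  - Report property names and DSAccount.Enabled match the DSInternals
#    version I tested; confirm with Get-Member if yours differs.

#Requires -Modules DSInternals

function Test-WeakHashFile {
    # Cheap guard against the wrong HIBP variant: Test-PasswordQuality does a
    # binary search, so an unsorted ("ordered by prevalence") file silently
    # produces garbage instead of an error.
    param([Parameter(Mandatory)][string]$Path)

    $head = @(Get-Content -Path $Path -TotalCount 2)
    if ($head.Count -lt 2) { throw "$Path is empty or truncated" }
    foreach ($line in $head) {
        if ($line -notmatch '^[0-9A-F]{32}(:\d+)?$') {
            throw "$Path does not look like the HIBP NTLM dump (bad line: $line)"
        }
    }
    # Compare only the hash part; the ":count" suffix is not sorted.
    $h0 = $head[0].Split(':')[0]
    $h1 = $head[1].Split(':')[0]
    if ([string]::CompareOrdinal($h0, $h1) -gt 0) {
        throw "$Path is not sorted by hash; download the 'ordered by hash' variant"
    }
}

function ConvertTo-FindingRows {
    # Flattens a PasswordQualityReport into one row per (finding, account),
    # tagging each row with whether the account is enabled so the admin can
    # triage live accounts first.
    param(
        [Parameter(Mandatory)]$Report,
        [Parameter(Mandatory)][hashtable]$EnabledBySam
    )
    $single = 'ClearTextPassword', 'LMHash', 'EmptyPassword', 'WeakPassword',
              'WeakHistoricalPassword', 'AESKeysMissing', 'PreAuthNotRequired',
              'PasswordNeverExpires', 'PasswordNotRequired', 'DelegatableAdmins',
              'SmartCardUsersWithPassword'
    foreach ($name in $single) {
        foreach ($sam in @($Report.$name | Where-Object { $_ })) {
            [pscustomobject]@{ Finding = $name; Group = ''; Account = $sam; Enabled = $EnabledBySam[$sam] }
        }
    }
    # Accounts sharing a password come back as groups; keep a group index so
    # the reader sees who shares with whom without ever seeing the hash.
    $i = 0
    foreach ($group in @($Report.DuplicatePasswordGroups | Where-Object { $_ })) {
        $i++
        foreach ($sam in @($group)) {
            [pscustomobject]@{ Finding = 'DuplicatePassword'; Group = $i; Account = $sam; Enabled = $EnabledBySam[$sam] }
        }
    }
}

function Invoke-AdPasswordAudit {
    param(
        [string]$Server        = 'dc01',                       # placeholder, as in the post
        [string]$NamingContext = 'DC=company,DC=com',          # placeholder, as in the post
        [string]$WeakHashFile  = 'D:\pwned-passwords-ntlm-ordered-by-hash-v5.txt',
        [string]$OutCsv        = "$env:TEMP\ad-password-audit.csv"
    )
    Test-WeakHashFile -Path $WeakHashFile

    # One replication pass. $accounts holds NT hashes for every account, so it
    # stays in this session only and is never written to disk.
    $accounts = @(Get-ADReplAccount -All -Server $Server -NamingContext $NamingContext)
    $enabled  = @{}
    foreach ($a in $accounts) { $enabled[$a.SamAccountName] = [bool]$a.Enabled }

    $report = $accounts | Test-PasswordQuality -WeakPasswordHashesSortedFile $WeakHashFile -IncludeDisabledAccounts

    # Only account names and finding types go into the CSV, never hashes.
    $rows = @(ConvertTo-FindingRows -Report $report -EnabledBySam $enabled)
    $rows | Export-Csv -Path $OutCsv -NoTypeInformation
    Write-Host ("{0} findings across {1} accounts written to {2}" -f $rows.Count, $accounts.Count, $OutCsv)

    # Return the list that needs action today: enabled accounts whose current
    # password is in the breach corpus.
    $rows | Where-Object { $_.Finding -eq 'WeakPassword' -and $_.Enabled } |
        Select-Object -ExpandProperty Account
}

# Example invocation with the post's placeholder values.
Invoke-AdPasswordAudit
```

The split into three functions is deliberate: Test-WeakHashFile fails fast on the most common mistake (the wrong HIBP variant) before you spend the replication pass, and ConvertTo-FindingRows keeps the hashes out of the export so the CSV you hand to the security admin is safe to attach to a ticket.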
Older versions of the tool used to output the passwords that were found in the dictionary you provided (i.e. the HIBP dump), but current versions no longer do.