How to review password quality in Active Directory

Regular reviews of the effectiveness of user, admin, and service passwords stored in Active Directory is a good idea. Here's how one password review tool works.

More applications and devices are using password repositories to check on password reuse. When you log into your iPhone for example, it now alerts you that passwords you saved in your iCloud keychain may have been reused in other places. In January, Microsoft released a new tool in its Edge browser that checks on the status of reused passwords. It will flag and alert you when a password stored in the browser has been exposed in an online breach.

Often in a network environment, you’d like to inform your users of ways they can improve their security. Using a tool to review the quality of passwords in your domain is wise. Specops, for example, has a free Password Auditor tool to review the status of passwords in your Active Directory (AD) environment.

The tool will not make changes to AD but merely read the values of pwdLastSet, userAccountControl and lastLogonTimestamp. It will read all password policies and details about user accounts and their password hashes. You must run Password Auditor as a domain admin to be able to read password hashes and fine-grained password policies. The tool provides reports to show which user accounts have leaked passwords and how password settings in your organization compare with industry standards and best practices. The server or workstation it’s installed on must have .NET 4.7 or higher installed.  

Once you start the tool you have the option to download a copy of the breached password database. Install this tool in a location where you have multiple gigabytes of storage because the file is quite large.

Susan Bradley