Scanning Active Directory for weak passwords

Is it possible to scan our Active Directory and see if people have weak passwords? We have upped the password policy, but what about users that already have passwords and are not scheduled to change them yet?

Answer Wiki


You can’t view the users' passwords in AD as they are encrypted, typically with a one-way encryption. Your best bet would probably be to simply change all the accounts to be required to change their passwords on next login.


There is a small tool, LC5, which helps to overcome your problems. It is compatible with Windows NT/2000/XP/2003, though you didn’t mention here which flavor you are using!

Alternatively, you can create an admin-level account (or use one if it exists) in the Windows domain.
Now download PWDUMP3 (from SearchEnterpriseDesktop), run it, and try to connect to a domain controller and extract the password hashes.
Again, download a small tool called CAIN from here, and run the extracted hashes (which are put in a text file) through CAIN. It then extracts all passwords or reveals weak passwords. (Remember, this method is a bit tricky, so take care.)

Also, there is a very good guide about almost the same problem, which Mr. Labnuke already discussed and answered. Please visit here for this guide…


Discuss This Question: 4  Replies

  • Spadasoe
    Use PowerShell to query users' password info and force resets. I use Quest PowerGUI and can get password settings for all users, select users by password age, and force a reset.
    5,130 points
  • Stevesz
    You can set this through Group Policy to a certain extent. Take a look at the options offered to you and determine if it will meet your needs. One nifty little trick would be to give the passwords a certain length of time before they expire and need to be reset. I believe the default is 42 days. If you can wait this long, leave it be, and, eventually, all the passwords will be in compliance (about 6 weeks). Once this has occurred, you can extend the period between password changes or be ready for a lot of grumbling around the 6 week period, though everyone will slowly fall out of sync with each other. The reason for this is that people will get a period of time to change the password and start getting warnings about a week prior to the time needed before the change. Some people will do this right away, others will wait until they absolutely need to change the password, and still others will do it sometime in between. Another setting is the number of passwords to remember. The default is 24, so the user must use 24 different passwords before they can reuse the first password. This will prevent users from using My_Dogs_Name1, changing it to My_Dogs_Name!, then on the next change going back to My_Dogs_Name1.
    2,015 points
  • Darkstar911
    Get MBSA from Microsoft. It will give you a report of accounts with weak passwords.
    790 points
  • Kevin Beaver
    Elcomsoft has some of the best tools for this type of analysis. Check them out.
    27,520 points
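
The PowerShell approach suggested in the replies (select users by password age, then force a reset) can be sketched as follows. This is an added example, not code from any poster; it uses Microsoft's ActiveDirectory module rather than Quest PowerGUI, and the policy date, OU path and CSV file name are assumed placeholder values.

```powershell
# Added example; requires the ActiveDirectory module (RSAT) and rights to modify users.
Import-Module ActiveDirectory

# Assumption: the date the stronger password policy took effect (constructed value).
$PolicyChangeDate = Get-Date '2024-01-15'
# Assumption: limit the scope to one OU; placeholder distinguished name.
$SearchBase = 'OU=Staff,DC=example,DC=com'

# Enabled accounts whose password was last set before the policy changed.
# PasswordLastSet is $null when the account already has to change at next logon,
# so those accounts are left out.
$stale = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
        -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $PolicyChangeDate }

# Write a report first so the change can be reviewed before anything is modified.
$stale | Sort-Object PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
    Export-Csv -Path .\pre-policy-passwords.csv -NoTypeInformation

# Accounts flagged "password never expires" cannot be set to change at next
# logon; list them for manual handling (these are often service accounts).
$neverExpires = $stale | Where-Object { $_.PasswordNeverExpires }
$resettable   = $stale | Where-Object { -not $_.PasswordNeverExpires }

$neverExpires | ForEach-Object {
    Write-Warning "Skipped (PasswordNeverExpires): $($_.SamAccountName)"
}

# Dry run: remove -WhatIf once the CSV has been reviewed.
$resettable | Set-ADUser -ChangePasswordAtLogon $true -WhatIf
```

Only passwords that predate the policy change are touched, so users who already changed their password under the new rules are not prompted again.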
