
ProTip: Eliminating Weak Active Directory Passwords


Here’s a quick way to identify accounts with bad passwords in your Active Directory (AD). If you’re running StealthAUDIT for Active Directory, this is a very effective yet low-effort way to eliminate compromised passwords from your domain.

Finding the bad passwords:

From your web browser, click through the report tree down to the Active Directory > Users section. The report you want is called ‘Weak Password Checks.’

Weak Password Checks Report

One of the checks in this report performs a hash comparison between your AD passwords and a dictionary of known compromised passwords identified by STEALTHbits’ threat research team. I also suggest editing the dictionary to include things like lab passwords, your company name, or anything else that should not be part of a production AD password.

Scroll down to the bottom of the report and click on ‘Weak passwords.’ Here you will see a list of every account that currently has a known compromised password.

Automating remediation:

In my small example, I only found one account with a bad password, but your production domain will likely have too many to clean up manually. If you own the AD Action Module, you can head over to the action wizard and create a new action that forces all users with bad passwords to change their password the next time they log in. Perhaps you’d rather just create an incident in ServiceNow or send emails to the offending users. Check out the ServiceNow Action module as well as the SendMail Action module.

Preventing bad passwords from being applied in the future:

Most importantly, you want to prevent AD users from setting bad passwords in the future. To do this, we’ll turn to the Enterprise Password Enforcer in StealthINTERCEPT. In the templates tree, browse to Microsoft > Password Enforcement.

Enterprise Password Enforcer

Next, drag this template into your Blocking policies, configure it, and enable it. This uses the StealthINTERCEPT agent to prevent passwords from being changed to anything in our dictionary of compromised passwords. Optionally, you can also send these alerts to your SIEM in real time. That is done by checking “Send to SIEM” within the ‘actions’ tab.

Send to SIEM


Now you’ve successfully identified and fixed weak passwords as well as prevented these dangerous passwords from being used in the future. You can learn more about the StealthINTERCEPT Enterprise Password Enforcer here.


If you’re not already a STEALTHbits customer, click here to request a trial of StealthAUDIT’s Active Directory Assessment.

© 2022 Stealthbits Technologies, Inc.
