Check whether user account has password set

windows windows-command-prompt powershell

I achieved this with the following PowerShell commands / script:

Write-Output "It's only possible to detect whether user accounts have blank passwords if the minimum password length is 0.";

$PasswordMinimumLength = 0;
Write-Output "Implementing new minimum password length of $PasswordMinimumLength...";

$Secedit_CFGFile_Path = [System.IO.Path]::GetTempFileName();
$Secedit_Path = "$env:SystemRoot\system32\secedit.exe";
$Secedit_Arguments_Export = "/export /cfg $Secedit_CFGFile_Path /quiet";
$Secedit_Arguments_Import = "/configure /db $env:SystemRoot\Security\local.sdb /cfg $Secedit_CFGFile_Path /areas SecurityPolicy";

Start-Process -FilePath $Secedit_Path -ArgumentList $Secedit_Arguments_Export -Wait;

$SecurityPolicy_Old = Get-Content $Secedit_CFGFile_Path;

$SecurityPolicy_New = $SecurityPolicy_Old -Replace "MinimumPasswordLength = \d+", "MinimumPasswordLength = $PasswordMinimumLength";

Set-Content -Path $Secedit_CFGFile_Path -Value $SecurityPolicy_New;

Try {
    Start-Process -FilePath $Secedit_Path -ArgumentList $Secedit_Arguments_Import -Wait;
} Catch {
    Write-Output "...FAILED.";
    Break;
}
If ($?){
    Write-Output "...Success.";
}
Write-Output "";
Write-Output "----------------------------------------------------------------";
Write-Output "";

Write-Output "Searching for user accounts with blank passwords...";

$BlankPasswordsFoundWording_PreUsername = "Found user account";
$BlankPasswordsFoundWording_PostUsername = "with a blank password.";
$NoBlankPasswordsFoundWording = "No user accounts with blank passwords found.";

$VBS_IdentifyBlankPasswords_Commands = @"
On Error Resume Next

Dim strComputerName
Dim strPassword

strComputerName = WScript.CreateObject("WScript.Network").ComputerName
strPassword = ""

Set LocalAccounts = GetObject("WinNT://" & strComputerName)
LocalAccounts.Filter = Array("user")

Dim Flag
Flag = 0 

For Each objUser In LocalAccounts
    objUser.ChangePassword strPassword, strPassword
    If Err = 0 or Err = -2147023569 Then
        Flag = 1
        Wscript.Echo "$BlankPasswordsFoundWording_PreUsername """ & objUser.Name & """ $BlankPasswordsFoundWording_PostUsername"
    End If
    Err.Clear
Next

If Flag = 0 Then
    WScript.Echo "$NoBlankPasswordsFoundWording"
End If
"@
# The above here-string terminator cannot be indented.;

# cscript won't accept / process a file with extension ".tmp" so ".vbs" needs to be appended.;
$VBS_IdentifyBlankPasswords_File_Path_TMP = [System.IO.Path]::GetTempFileName();
$VBS_IdentifyBlankPasswords_File_Directory = (Get-ChildItem $VBS_IdentifyBlankPasswords_File_Path_TMP).DirectoryName;
$VBS_IdentifyBlankPasswords_File_Name_TMP = (Get-ChildItem $VBS_IdentifyBlankPasswords_File_Path_TMP).Name;
$VBS_IdentifyBlankPasswords_File_Name_VBS = $VBS_IdentifyBlankPasswords_File_Name_TMP + ".vbs";
$VBS_IdentifyBlankPasswords_File_Path_VBS = "$VBS_IdentifyBlankPasswords_File_Directory\$VBS_IdentifyBlankPasswords_File_Name_VBS";

Set-Content -Path $VBS_IdentifyBlankPasswords_File_Path_VBS -Value $VBS_IdentifyBlankPasswords_Commands;

$VBS_IdentifyBlankPasswords_Output = & cscript /nologo $VBS_IdentifyBlankPasswords_File_Path_VBS;
# Write-Output $VBS_IdentifyBlankPasswords_Output;

$UsersWithBlankPasswords = $VBS_IdentifyBlankPasswords_Output | Select-String -Pattern "$BlankPasswordsFoundWording_PreUsername";

If ($UsersWithBlankPasswords -NE $Null){
    ForEach ($UserWithBlankPassword in $UsersWithBlankPasswords){
        $Username = [regex]::match($UserWithBlankPassword, '"([^"]+)"').Groups[1].Value;

        Write-Output "...$BlankPasswordsFoundWording_PreUsername ""$Username"" $BlankPasswordsFoundWording_PostUsername";
    }
} ElseIf ($UsersWithBlankPasswords -Eq $Null){
    Write-Output "$NoBlankPasswordsFoundWording";
}

Write-Output "";
Write-Output "----------------------------------------------------------------";
Write-Output "";

Write-Output "Implementing original minimum password length...";

Set-Content -Path $Secedit_CFGFile_Path -Value $SecurityPolicy_Old;

Try {
    Start-Process -FilePath $Secedit_Path -ArgumentList $Secedit_Arguments_Import -Wait;
} Catch {
    Write-Output "...FAILED.";
    Break;
}
If ($?){
    Write-Output "...Success.";
}

enter image description here


A lot of searching and trial & error led me to develop this:

$PrincipalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Machine')

Get-LocalUser | Where-Object Enabled -eq $true | ForEach-Object {
    $myUsername = $_.Name
    $myPasswordIsBlank = $PrincipalContext.ValidateCredentials($myUserName, $null)
    If ($myPasswordIsBlank) {
        # Do whatever you want here to output or alert the fact that you found a blank password.
    }
}

To run this through my RMM, I had to add the following to the start of the code to prevent an error:

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

Related

On premise AD migration to AWS Managed Microsoft AD
Enabling only TLS1.2 on Ubuntu 16.04 w/ Apache 2.4
Deploying apps to a Google Cloud Engine VM instance
IPv4 Forwarding (NAT) only works after toggling IPv4 forwarding to off then on
How to use different network interfaces for different users?
How to run Ghost and PrestaShop on the same domain, when hosted on different providers?
Restart Django/uWSGI vassal in uWSGI emperor mode
Problem with symbolic links in FTP client
Can I set dmarc to tell receiver to fail if no DKIM signature provided in email?
How often do apps go on sale in the App Store?
Resetting Advertising ID on iPad does not work?
Toggling between chunk of input in iterm2 with "Alt + arrow left/right" writes "[D" instead jumping from chunk to chunk