Create a gist now

Instantly share code, notes, and snippets.

Embed
MIM PowerShell Management Agent Password Script to check to see if users AD Passwords have been pwned
param
(
$Username,
$Password,
$Credentials,
$Action,
$OldPassword,
$NewPassword,
[switch] $UnlockAccount,
[switch] $ForceChangeAtLogOn,
[switch] $ValidatePassword
)
BEGIN
{
}
PROCESS
{
# Logging
$log = "C:\PROGRA~1\MICROS~4\2010\SYNCHR~1\EXTENS~2\PwnedPWD\Debug\PwnedPWD.log"
"=============================================================" | out-file $log -Append
$DisplayName = $_["displayName"].Value
$Accountname = $_["sAMAccountName"].Value
"Account Name: $Accountname" | Out-File $log -Append
"Display Name: $DisplayName" | Out-File $log -Append
"Action: $Action" | Out-File $log -Append
"Old pwd: $OldPassword" | Out-File $log -Append
"New pwd: $NewPassword" | Out-File $log -Append
"Unlock: $UnlockAccount" | Out-File $log -Append
"Force change: $ForceChangeAtLogOn" | Out-File $log -Append
"Validate: $ValidatePassword" | Out-File $log -Append
$responseCode = $null
# HaveIBeenPwnded uses TLS 1.2. PowerShell by default is 1.0. Set TLS to 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Check password against the Pwned List
function PwnedPassword ($URI) {
try {
$Global:response = (Invoke-WebRequest -uri $URI -UseBasicParsing -TimeoutSec 20)
return $Global:response
}
catch [System.Net.WebException] {
# either we had a communnication failure, hit the rate limit or got a 404 indicating password isn't pwned
$Request = $_.Exception
$Global:responseCode = $Request.Response.StatusCode.'value__'
"Exception calling API: $Global:responseCode" | Out-File $log -Append
}
}
# SHA-1 has the password and build the API Check URI
$pwdsha1 = Get-Hash -Algorithm SHA1 -StringEncoding utf8 -InputObject $NewPassword
$pwnedCheckURL = "https://api.pwnedpasswords.com/range/$($pwdsha1.HashString.Substring(0,5))"
# Lookup
PwnedPassword($pwnedCheckURL)
# Pwnded or not?
if ($response.Content.Contains($pwdsha1.HashString.Substring(5))){
$pwned = $true
} else {
$pwned = $false
}
# Update the user in the MIM Service
if ($pwned -or !$pwned){
Import-Module lithnetrma
$pwd = $Password | ConvertTo-SecureString -asPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential($Username,$pwd)
Set-ResourceManagementClient -BaseAddress http://mimserviceServer:5725 -Credentials $Credential
# Get the user from the MIM Service
$user = Get-Resource -ObjectType Person -AttributeName AccountName -AttributeValue $Accountname
if ($user){
$user.pwnedPassword = $pwned
Save-Resource $user
"Updated MIM Service for $Accountname who's password pwned status is $pwned" | Out-File $log -Append
}
}
}
END
{
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment