Microsoft Identity Manager PowerShell Management Agent password script that checks whether users' AD passwords have been pwned. The supporting blog post is here: https://blog.darrenjrobinson.com/identifying-active-directory-users-with-pwned-passwords-using-microsoft-forefront-identity-manager-v2-using-k-anonymity-and-have-i-been-pwned/
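<#
.SYNOPSIS
    MIM PowerShell Management Agent password extension: checks the user's new
    AD password against the Have I Been Pwned "Pwned Passwords" range API and
    records the outcome on the matching Person object in the MIM Service.

.DESCRIPTION
    Only the first five hex characters of the SHA-1 of the new password are
    sent to the API (k-anonymity); the remaining 35 characters are compared
    locally against the returned "SUFFIX:COUNT" lines. The plaintext passwords
    handed in by the PSMA are never written to the debug log.

.PARAMETER Username
    Account used to build the PSCredential for the MIM Service client.
.PARAMETER Password
    Plaintext password for Username (converted to a SecureString locally).
.PARAMETER Credentials
    Supplied by the PSMA; not used by this script.
.PARAMETER Action
    Password operation requested by the PSMA (logged only).
.PARAMETER OldPassword
    Plaintext old password from the PSMA; not used and not logged.
.PARAMETER NewPassword
    Plaintext new password; hashed and checked. Never logged.
.PARAMETER UnlockAccount
.PARAMETER ForceChangeAtLogOn
.PARAMETER ValidatePassword
    PSMA switches (logged only).

.NOTES
    Runs in the PSMA pipeline: $_ is the pipeline object and is expected to
    expose displayName and sAMAccountName. Requires Get-Hash (PowerShell
    Community Extensions) and the lithnetrma module.
#>
param
(
    $Username,
    $Password,
    $Credentials,
    $Action,
    $OldPassword,
    $NewPassword,
    [switch] $UnlockAccount,
    [switch] $ForceChangeAtLogOn,
    [switch] $ValidatePassword
)

BEGIN
{
}

PROCESS
{
    # Logging
    $log = "C:\PROGRA~1\MICROS~4\2010\SYNCHR~1\EXTENS~2\PwnedPWD\Debug\PwnedPWD.log"
    "=============================================================" | out-file $log -Append

    $DisplayName = $_["displayName"].Value
    $Accountname = $_["sAMAccountName"].Value
    "Account Name: $Accountname" | Out-File $log -Append
    "Display Name: $DisplayName" | Out-File $log -Append
    "Action: $Action" | Out-File $log -Append
    # Never write the plaintext passwords to disk; record only whether they were supplied.
    "Old pwd supplied: $(-not [string]::IsNullOrEmpty($OldPassword))" | Out-File $log -Append
    "New pwd supplied: $(-not [string]::IsNullOrEmpty($NewPassword))" | Out-File $log -Append
    "Unlock: $UnlockAccount" | Out-File $log -Append
    "Force change: $ForceChangeAtLogOn" | Out-File $log -Append
    "Validate: $ValidatePassword" | Out-File $log -Append

    # Reset the globals so a failed lookup cannot reuse a stale response or
    # status code left over from an earlier pipeline object.
    $Global:responseCode = $null
    $Global:response = $null

    # HaveIBeenPwned uses TLS 1.2. PowerShell by default is 1.0. Set TLS to 1.2
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # Check password against the Pwned List.
    # Stores the web response in $Global:response and returns it. On a
    # WebException (communication failure, rate limit, HTTP error) the HTTP
    # status is logged, $Global:response stays $null and nothing is returned.
    function PwnedPassword ($URI) {
        try {
            $Global:response = (Invoke-WebRequest -uri $URI -UseBasicParsing -TimeoutSec 20)
            return $Global:response
        }
        catch [System.Net.WebException] {
            # either we had a communication failure, hit the rate limit or got a 404 indicating password isn't pwned
            $Request = $_.Exception
            $Global:responseCode = $Request.Response.StatusCode.'value__'
            "Exception calling API: $Global:responseCode" | Out-File $log -Append
        }
    }

    # Nothing to check without a new password (e.g. an unlock-only action).
    if ([string]::IsNullOrEmpty($NewPassword)) {
        "No new password supplied; skipping pwned check" | Out-File $log -Append
        return
    }

    # SHA-1 hash the password and build the API check URI.
    # Only the 5-character prefix leaves this host; the suffix is matched locally.
    $pwdsha1 = Get-Hash -Algorithm SHA1 -StringEncoding utf8 -InputObject $NewPassword
    $hashPrefix = $pwdsha1.HashString.Substring(0,5)
    $hashSuffix = $pwdsha1.HashString.Substring(5)
    $pwnedCheckURL = "https://api.pwnedpasswords.com/range/$hashPrefix"

    # Lookup
    PwnedPassword($pwnedCheckURL)

    # Without a response we cannot tell pwned from not-pwned; do not write a
    # guess into the MIM Service.
    if ($null -eq $Global:response -or $null -eq $Global:response.Content) {
        "No response from the Pwned Passwords API (status: $Global:responseCode); not updating MIM Service" | Out-File $log -Append
        return
    }

    # Pwned or not? The API returns one "SUFFIX:COUNT" line per hash sharing the
    # prefix. Compare the suffix column exactly and case-insensitively (hex).
    $pwned = $false
    foreach ($line in ($Global:response.Content -split "`r?`n")) {
        $suffixColumn = $line.Split(':')[0].Trim()
        if ($suffixColumn -ieq $hashSuffix) {
            $pwned = $true
            break
        }
    }

    # Update the user in the MIM Service. Both outcomes are written so that a
    # previously set pwned flag is cleared once the user picks a clean password.
    Import-Module lithnetrma
    # $securePassword rather than $pwd: $PWD is an automatic variable in PowerShell.
    $securePassword = $Password | ConvertTo-SecureString -asPlainText -Force
    $Credential = New-Object System.Management.Automation.PSCredential($Username,$securePassword)
    Set-ResourceManagementClient -BaseAddress http://mimserviceServer:5725 -Credentials $Credential

    # Get the user from the MIM Service
    $user = Get-Resource -ObjectType Person -AttributeName AccountName -AttributeValue $Accountname
    if ($user){
        $user.pwnedPassword = $pwned
        Save-Resource $user
        "Updated MIM Service for $Accountname who's password pwned status is $pwned" | Out-File $log -Append
    } else {
        "No Person with AccountName $Accountname found in the MIM Service; nothing updated" | Out-File $log -Append
    }
}

END
{
}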