
MIM PowerShell Management Agent password script that checks whether users' new AD passwords appear in the Have I Been Pwned "Pwned Passwords" list (range/k-anonymity API) and records the result in the MIM Service.
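<#
.SYNOPSIS
    MIM PowerShell Management Agent password extension: checks a user's new AD password against
    the Have I Been Pwned "Pwned Passwords" range API and records the verdict on the MIM Service
    Person object (boolean attribute pwnedPassword).

.DESCRIPTION
    Called by the PowerShell MA password interface; the connector-space entry is expected on the
    pipeline as $_ (displayName / sAMAccountName are read from it -- confirm against the MA's
    password-script contract for your deployment).

    Security properties of this version:
      * The clear-text old/new passwords are never written to the debug log. The original wrote
        both, which turned a debug log into a plaintext credential store for every user whose
        password flowed through PCNS.
      * Only the first five hex characters of the SHA-1 hash leave this host (k-anonymity range
        lookup); the remaining 35 are matched locally.
      * The lookup is fail-closed with respect to recording: if the API call fails or returns no
        body, the result is "unknown" and the MIM Service is NOT updated. The original used the
        tautology `if ($pwned -or !$pwned)` and so wrote pwnedPassword = $false ("not pwned") on
        any network error, TLS failure or HTTP error.

.PARAMETER Username
    Account used to connect to the MIM Service through the Lithnet RMA module.
.PARAMETER Password
    Clear-text password for $Username (converted to a SecureString before use).
.PARAMETER Credentials
    Supplied by the MA; not used by this script.
.PARAMETER Action
    Password operation requested by the MA; logged only.
.PARAMETER OldPassword
    Previous password; logged only as present/absent, never in clear text.
.PARAMETER NewPassword
    Candidate password whose SHA-1 prefix is sent to the range API.
.PARAMETER UnlockAccount
.PARAMETER ForceChangeAtLogOn
.PARAMETER ValidatePassword
    MA switches; logged only.

.NOTES
    Requires: Get-Hash (PowerShell Community Extensions) and the lithnetrma module.
#>
param
(
    $Username,
    $Password,
    $Credentials,
    $Action,
    $OldPassword,
    $NewPassword,
    [switch] $UnlockAccount,
    [switch] $ForceChangeAtLogOn,
    [switch] $ValidatePassword
)

BEGIN
{
}

PROCESS
{
    # Debug log in the MIM Synchronization Service extensions folder (8.3 short path as deployed).
    $log = "C:\PROGRA~1\MICROS~4\2010\SYNCHR~1\EXTENS~2\PwnedPWD\Debug\PwnedPWD.log"
    "=============================================================" | Out-File $log -Append

    $DisplayName = $_["displayName"].Value
    $Accountname = $_["sAMAccountName"].Value
    "Account Name: $Accountname" | Out-File $log -Append
    "Display Name: $DisplayName" | Out-File $log -Append
    "Action: $Action" | Out-File $log -Append
    # SECURITY: do not log the password values themselves -- only whether each was supplied.
    "Old pwd supplied: $(-not [string]::IsNullOrEmpty($OldPassword))" | Out-File $log -Append
    "New pwd supplied: $(-not [string]::IsNullOrEmpty($NewPassword))" | Out-File $log -Append
    "Unlock: $UnlockAccount" | Out-File $log -Append
    "Force change: $ForceChangeAtLogOn" | Out-File $log -Append
    "Validate: $ValidatePassword" | Out-File $log -Append

    # api.pwnedpasswords.com requires TLS 1.2; Windows PowerShell's default protocol set is older.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # Query the range endpoint. Returns the response object on HTTP success and $null on any
    # failure (no route, TLS error, HTTP 4xx/5xx). A WebException here means the lookup FAILED;
    # it must not be read as "password not found" -- the caller treats $null as unknown.
    function PwnedPassword ($URI) {
        try {
            return (Invoke-WebRequest -Uri $URI -UseBasicParsing -TimeoutSec 20)
        }
        catch [System.Net.WebException] {
            $statusCode = $null
            if ($_.Exception.Response) {
                $statusCode = $_.Exception.Response.StatusCode.'value__'
            }
            "Exception calling API: $statusCode $($_.Exception.Message)" | Out-File $log -Append
            return $null
        }
    }

    # Tri-state verdict: $true / $false once the lookup completed, $null if it could not be determined.
    $pwned = $null

    if ([string]::IsNullOrEmpty($NewPassword)) {
        "No new password supplied; skipping pwned lookup" | Out-File $log -Append
    }
    else {
        # SHA-1 the candidate (Get-Hash is the PSCX cmdlet). The API publishes upper-case hex
        # suffixes, so normalise case here rather than depend on Get-Hash's output casing.
        $pwdsha1 = Get-Hash -Algorithm SHA1 -StringEncoding utf8 -InputObject $NewPassword
        $hashHex = $pwdsha1.HashString.ToUpperInvariant()
        $prefix  = $hashHex.Substring(0, 5)   # the only part of the hash that leaves this host
        $suffix  = $hashHex.Substring(5)
        $pwnedCheckURL = "https://api.pwnedpasswords.com/range/$prefix"

        $apiResponse = PwnedPassword $pwnedCheckURL
        if ($null -eq $apiResponse -or $null -eq $apiResponse.Content) {
            # Fail closed: an unreachable or erroring API must not be recorded as "not pwned".
            "Pwned lookup failed for $Accountname; MIM Service not updated" | Out-File $log -Append
        }
        else {
            # Body is one "SUFFIX:COUNT" per line. Anchor the match to a line start plus the ':'
            # separator so we test a whole suffix, not an arbitrary substring of the body.
            $pwned = [bool]($apiResponse.Content -match "(?m)^${suffix}:")
        }
    }

    # Only a definite verdict is written back; $null leaves the MIM attribute untouched.
    if ($null -ne $pwned) {
        Import-Module lithnetrma
        # $pwd is PowerShell's automatic current-directory variable; use a distinct name.
        $securePwd  = $Password | ConvertTo-SecureString -AsPlainText -Force
        $Credential = New-Object System.Management.Automation.PSCredential($Username, $securePwd)
        # NOTE(review): BaseAddress is plain http://. Confirm the Lithnet RMA client applies the
        # MIM Service's own message-level security on port 5725 before accepting this in production.
        Set-ResourceManagementClient -BaseAddress http://mimserviceServer:5725 -Credentials $Credential

        # Get the user from the MIM Service
        $user = Get-Resource -ObjectType Person -AttributeName AccountName -AttributeValue $Accountname
        if ($user) {
            $user.pwnedPassword = $pwned
            Save-Resource $user
            "Updated MIM Service for $Accountname who's password pwned status is $pwned" | Out-File $log -Append
        }
        else {
            "No MIM Service Person found with AccountName $Accountname; nothing updated" | Out-File $log -Append
        }
    }
}

END
{
}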