Instantly share code, notes, and snippets.

Embed
What would you like to do?
FIM/MIM PowerShell Pwned Password Management Agent to check Have I Been Pwned Listed hosted on local SQL Server on Active Directory Users password change. Supporting blog post is located here https://blog.darrenjrobinson.com/updated-identifying-active-directory-users-with-pwned-passwords-using-microsoftforefront-identity-manager/
param
(
$Username,
$Password,
$Credentials,
$Action,
$OldPassword,
$NewPassword,
[switch] $UnlockAccount,
[switch] $ForceChangeAtLogOn,
[switch] $ValidatePassword
)
BEGIN
{
}
PROCESS
{
# Logging
$log = "C:\PROGRA~1\MICROS~4\2010\SYNCHR~1\EXTENS~2\PwnedPWD\Debug\PwnedPWD.log"
"=============================================================" | out-file $log -Append
$DisplayName = $_["displayName"].Value
$Accountname = $_["sAMAccountName"].Value
"Account Name: $Accountname" | Out-File $log -Append
"Display Name: $DisplayName" | Out-File $log -Append
"Action: $Action" | Out-File $log -Append
"Old pwd: $OldPassword" | Out-File $log -Append
"New pwd: $NewPassword" | Out-File $log -Append
"Unlock: $UnlockAccount" | Out-File $log -Append
"Force change: $ForceChangeAtLogOn" | Out-File $log -Append
"Validate: $ValidatePassword" | Out-File $log -Append
$Connection = new-object System.Data.SqlClient.SqlConnection("Data Source=SQLSERVER;Integrated Security=SSPI;Initial Catalog=PwnedPasswords");
$SqlCmd = New-Object System.Data.SqlClient.SqlCommand
$pwdsha1 = Get-Hash -Algorithm SHA1 -StringEncoding utf8 -InputObject $NewPassword
$NewPassword = $pwdsha1.HashString
$SqlQuery = @"
SELECT * FROM dbo.pwnedPasswords WHERE passwords = '$($NewPassword)'
"@
$Connection.open()
# Write-host "Connection to database successful." -foregroundcolor green -backgroundcolor black
$SqlCmd.CommandText = $SqlQuery
$SqlAdapter = New-Object System.Data.SqlClient.SqlDataAdapter
$SqlAdapter.SelectCommand = $SqlCmd
$SqlCmd.Connection = $Connection
$DataSet = New-Object System.Data.DataSet
$SqlAdapter.Fill($DataSet)
$Connection.Close()
if ($DataSet.Tables[0].Columns.Count) {
# Password output
if ($DataSet.Tables[0].passwords){
write-host $DataSet.Tables[0].passwords
$pwned = $true
}
else {
$pwned = $false
}
write-host "Have I Been Pwned? $pwned"
}
# Update the MIM Portal
# Update the user in the MIM Service
if ($pwned -or !$pwned){
Import-Module lithnetrma
$pwd = $Password | ConvertTo-SecureString -asPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential($Username,$pwd)
Set-ResourceManagementClient -BaseAddress http://MIMSERVICESRV:5725 -Credentials $Credential
# Get the user from the MIM Service
$user = Get-Resource -ObjectType Person -AttributeName AccountName -AttributeValue $Accountname
if ($user){
$user.pwnedPassword = $pwned
Save-Resource $user
"Updated MIM Service for $Accountname who's password pwned status is $pwned" | Out-File $log -Append
}
}
}
END
{
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment