Audit Weak Local Passwords in Windows using PowerShell

Issue: Devices not joined to Active Directory may not have Group Policies or other settings applied to enforce password complexity. For example, they may be managed by Okta, Datto RMM, and other tools. In this case, auditing for weak or blank passwords on local accounts can be challenging.

Solution: WeakPassword.ps1 (below), together with your custom passwordlist.txt in the same directory, outputs the weak password whenever an entry in the list matches a local account on the host. It's also configured to test for blank passwords, which would immediately drop the user at the desktop:

(Datto RMM with custom Post-Conditions)

Note: A custom rule I had in my NGAV Firewall blocking inbound TCP/445 broke the script by displaying this error: Exception calling “ValidateCredentials” with “2” argument(s): The network path was not found. (Script location). I temporarily turned that off for long enough to let the script execute and promptly enabled the policy.

I haven’t included a password list right now. I’d recommend starting with the classic ‘password’ ‘letmein’ ‘123456…’ and others versus loading an entire dictionary, though a large list doesn’t appear to slow the process down by much, so it’s extensible.
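A sketch of the kind of check described above, added here as an example; it is not the author's WeakPassword.ps1. It assumes Windows PowerShell 5.1 or later, an elevated session on the host being audited, and the `ValidateCredentials` call named in the error message quoted in the note. Unlike the script described, it reports which account matched without printing the password, so the finding can sit in RMM output safely.

```powershell
# Added example, not the original WeakPassword.ps1.
# Assumption: passwordlist.txt (one candidate per line) sits next to this script.
# Keep the list shorter than the lockout threshold reported by `net accounts`,
# otherwise the audit itself can lock local accounts out.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$listPath   = Join-Path $PSScriptRoot 'passwordlist.txt'
$fromFile   = @(Get-Content -Path $listPath -ErrorAction Stop | Where-Object { $_ -ne '' })
$candidates = @('') + $fromFile          # the empty string tests for a blank password

# Machine context = the local SAM database, not a domain.
$ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
    [System.DirectoryServices.AccountManagement.ContextType]::Machine,
    $env:COMPUTERNAME)

$users = Get-LocalUser | Where-Object Enabled   # disabled accounts cannot log on

try {
    $findings = foreach ($user in $users) {
        foreach ($pw in $candidates) {
            try {
                $ok = $ctx.ValidateCredentials($user.Name, $pw)
            }
            catch {
                # e.g. "The network path was not found" when inbound TCP/445 is blocked
                Write-Warning "$($user.Name): $($_.Exception.Message)"
                continue
            }
            if ($ok) {
                [pscustomobject]@{
                    Computer = $env:COMPUTERNAME
                    Account  = $user.Name
                    Finding  = if ($pw -eq '') { 'Blank password' }
                               else { 'Password is on the weak list' }
                }
                break   # one finding per account is enough
            }
        }
    }
}
finally {
    $ctx.Dispose()
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output 'No weak or blank local passwords found.' }
```

Every failed attempt is recorded as a failed logon (event ID 4625) in the Security log when logon-failure auditing is enabled, so expect the audit run to show up in any monitoring that watches that event.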

View the Script

 

 
