0

我担心的是我无法将用户的密码存储在任何地方。用户输入密码后,我想验证它是否符合该机器上的密码策略设置。

  • 我遇到了 net 命令来检索相关信息,但 net 不适用于标准用户。

  • 标准用户无法在该机器上创建另一个用户帐户 - 因此,我无法从该帐户创建另一个具有相同密码的用户来检查密码合规性。

  • 还尝试使用相同的密码本身更改标准用户的密码,目的是如果它不合规,我将收到密码不合规错误。但它可能会弄乱密码历史记录。

有什么方法可以简单地通过powershell检查密码是否符合标准用户而不执行任何写入操作?

4

1 回答 1

0

也许这个实用功能可以帮助你:

function Test-PasswordForDomain {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true, Position = 0)]
        [string]$Password,
        
        [Parameter(Mandatory = $false)]
        [string]$AccountSamAccountName = $null,
        
        [Parameter(Mandatory = $false)]
        [string]$AccountDisplayName = $null
    )
    # [Microsoft.ActiveDirectory.Management.ADEntity]
    $PasswordPolicy = Get-ADDefaultDomainPasswordPolicy -ErrorAction SilentlyContinue

    If ($Password.Length -lt $PasswordPolicy.MinPasswordLength) {
        Write-Verbose "Password '$Password' is too short. Minimal length is $($PasswordPolicy.MinPasswordLength)"
        return $false
    }
    if (($AccountSamAccountName) -and ($Password -match "$AccountSamAccountName")) {
        Write-Verbose "The password '$Password' includes the users SamAccountName"
        return $false
    }
    if ($AccountDisplayName) {
        # if ANY PART of the display name that is split by the characters below, the password should fail the complexity rules.
        $tokens = $AccountDisplayName.Split(",.-,_ #`t")
        foreach ($token in $tokens) {
            if (($token) -and ($Password -match "$token")) {
                Write-Verbose "The password '$Password' includes (part of) the users DisplayName"
                return $false
            }
        }
    }
    if ($PasswordPolicy.ComplexityEnabled -eq $true) {
        # check for presence of 
        # - Uppercase: A through Z, with diacritic marks, Greek and Cyrillic characters
        if ($Password -cnotmatch "[A-Z\p{Lu}\s]") {
            Write-Verbose "The password '$Password' is missing Uppercase characters"
            return $false
        }
        # - Lowercase: a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters
        if ($Password -cnotmatch "[a-z\p{Ll}\s]") {
            Write-Verbose "The password '$Password' is missing Lowercase characters"
            return $false
        }
        # - Base 10 digits (0 through 9)
        if ($Password -notmatch "[\d]") {
            Write-Verbose "The password '$Password' is missing digits (0-9)"
            return $false
        }
        # - Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;”‘<>,.?/
        if ($Password -notmatch "[^\w]") {
            Write-Verbose "The password '$Password' is missing Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;`"'<>,.?/"
            return $false
        }
    }

    return $true
}
于 2021-02-11T15:15:17.270 回答