Auditing Password Reuse in On-Premises Active Directory with PowerShell and DSInternals

Introduction

Password reuse among privileged accounts represents one of the most critical security vulnerabilities in on-premises Active Directory environments.

When multiple privileged accounts share the same password, a single compromise can cascade across your entire infrastructure.

In this post, I’ll demonstrate how to audit your Active Directory environment for shared passwords using PowerShell and the DSInternals module.

The Security Risk

Consider this scenario: Your organization has multiple domain admin accounts, service accounts, and privileged user accounts. If several of these accounts share the same password (even a strong one), an attacker who compromises one account effectively compromises them all. This violates the principle of defense in depth and can lead to:

  • Lateral movement: Attackers pivoting across multiple accounts
  • Persistent access: Multiple entry points even after one compromise is detected
  • Compliance violations: Many frameworks require unique passwords for privileged accounts

Prerequisites

Before we begin, you’ll need:

  • DSInternals PowerShell Module
    • Install-Module DSInternals
  • Offline Copies of Active Directory Database Files
    • ntds.dit – The Active Directory database
    • SYSTEM registry hive – Contains the boot key for decryption
  • Elevated PowerShell Session
    • Run as Administrator on a secure workstation

Extracting Active Directory Database Files

To perform offline analysis (recommended for production environments), you’ll need to extract the Active Directory database from a domain controller using ntdsutil:

# On the Domain Controller, run in elevated command prompt
ntdsutil
activate instance ntds
ifm
create full C:\Temp\ntds
quit
quit

This creates a full copy of the Active Directory database and registry hives without interrupting domain services. The IFM (Install From Media) option creates a consistent snapshot that’s safe for offline analysis.

Important Security Considerations

  • Secure the extracted files: These contain password hashes for your entire domain
  • Transport securely: Use encrypted channels when moving files
  • Delete after use: Securely wipe the files when analysis is complete
  • Audit access: Log who accessed these files and when

The Audit Script

I’ve developed a PowerShell script that automates the process of auditing password reuse in Active Directory. The script leverages the DSInternals module to extract and analyze NTLM hashes from an offline Active Directory database.

📥 Download the complete script from GitHub:

PowerShell/Get-ADPasswordReuseReport.ps1 at master · imabdk/PowerShell

Key Features

  • Two Operation Modes:
    • Targeted Mode: Query specific accounts or patterns (faster, recommended for routine checks)
    • All Mode: Comprehensive scan of entire database
  • Wildcard Support: Use patterns like *admin* or *svc* to match multiple accounts
  • Detailed Reporting:
    • Groups accounts by shared password hash
    • Shows enabled/disabled status
    • Provides summary statistics
  • Flexible Configuration: Customize target accounts via parameters

Quick Start

# Install the required module
Install-Module DSInternals

# Run with default settings (targeted mode)
.\Get-ADPasswordReuseReport.ps1

# Run comprehensive scan (all mode)
.\Get-ADPasswordReuseReport.ps1 -Mode All

# Target specific account patterns
.\Get-ADPasswordReuseReport.ps1 -Mode Targeted -TargetAccounts @('Administrator', '*svc*', 'krbtgt')

How the Script Works

1. Boot Key Extraction

The script first extracts the boot key from the SYSTEM registry hive. This key is required to decrypt the password hashes stored in ntds.dit.

$BootKey = Get-BootKey -SystemHivePath $SystemHivePath

2. Account Retrieval

The script operates in two modes:

Targeted Mode (Default)

  • Queries specific accounts or patterns
  • Supports wildcards (e.g., *admin* or *svc*)
  • Faster and more efficient for routine audits
  • When wildcards are detected, retrieves all accounts then filters

All Mode

  • Scans the entire database
  • Comprehensive but slower
  • Useful for initial security assessments

3. Hash Analysis

The script:

  1. Extracts NTLM hashes from each account
  2. Converts binary hashes to hexadecimal format
  3. Groups accounts by identical hash values
  4. Filters to show only shared passwords (2+ accounts)

4. Reporting

Results are organized by shared password groups:

2 users sharing hash: 32ed87bdb5fdc5e9cba88547376818d4
  - ServiceAccount1 [ENABLED]
  - ServiceAccount2 [ENABLED]

3 users sharing hash: 8846f7eaee8fb117ad06bdd830b7586c
  - AdminUser1 [ENABLED]
  - AdminUser2 [ENABLED]
  - AdminUser3 [DISABLED]
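The four steps above combined into one self-contained PowerShell pass (an added example, not the author's script from GitHub): it reads the IFM export, groups accounts by NT hash and prints only hashes shared by two or more accounts, enabled accounts first. The file paths under C:\Temp\ntds and the default pattern list are assumptions for illustration; adjust them to your own export.

```powershell
# Added example (not the post's script): group DSInternals accounts by NT hash
# and report only hashes shared by two or more accounts, enabled accounts first.
# Assumes the DSInternals module is installed and an IFM export sits under
# C:\Temp\ntds (placeholder paths; point them at your own export).
param(
    [string]$DatabasePath   = 'C:\Temp\ntds\Active Directory\ntds.dit',
    [string]$SystemHivePath = 'C:\Temp\ntds\registry\SYSTEM',
    [string[]]$TargetAccounts = @('Administrator', 'krbtgt', '*admin*', '*svc*')
)

Import-Module DSInternals -ErrorAction Stop

# Step 1: the boot key from the offline SYSTEM hive decrypts the hashes in ntds.dit.
$bootKey = Get-BootKey -SystemHivePath $SystemHivePath

# Step 2: read every account once, then filter with -like so wildcards work.
$accounts = Get-ADDBAccount -All -DatabasePath $DatabasePath -BootKey $bootKey |
    Where-Object {
        $sam = $_.SamAccountName
        $TargetAccounts | Where-Object { $sam -like $_ } | Select-Object -First 1
    }

# Step 3: NTHash is a byte[]; render it as hex so identical hashes group together.
# Accounts with no NT hash (password never set) are skipped rather than grouped.
$shared = $accounts |
    Where-Object { $_.NTHash } |
    Group-Object { [BitConverter]::ToString($_.NTHash) -replace '-' } |
    Where-Object { $_.Count -ge 2 } |
    Sort-Object Count -Descending

# Step 4: report, ordering each group by the remediation priorities (enabled, then SPN).
$total = 0
foreach ($group in $shared) {
    $total += $group.Count
    "{0} users sharing hash: {1}" -f $group.Count, $group.Name.ToLower()
    $group.Group |
        Sort-Object @{Expression = { -not $_.Enabled }}, @{Expression = { -not $_.ServicePrincipalName }} |
        ForEach-Object {
            $state = if ($_.Enabled) { 'ENABLED' } else { 'DISABLED' }
            $spn   = if ($_.ServicePrincipalName) { ' [SPN]' } else { '' }
            "  - {0} [{1}]{2}" -f $_.SamAccountName, $state, $spn
        }
    ''
}
"{0} shared hashes across {1} accounts" -f @($shared).Count, $total
```

Run it from an elevated session on the analysis workstation, never on a live domain controller; the output contains hash values and should be handled like the ntds.dit export itself.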

Usage Examples

Example 1: Audit Administrative Accounts

.\Get-ADPasswordReuseReport.ps1 -Mode Targeted -TargetAccounts @('Administrator', 'krbtgt', '*admin*', '*-da', '*svc*')

This targets:

  • Built-in Administrator account
  • Kerberos TGT account
  • All accounts containing “admin”
  • All accounts ending with “-da” (domain admin naming convention)
  • All service accounts

Example 2: Comprehensive Domain Audit

.\Get-ADPasswordReuseReport.ps1 -Mode All

Scans all accounts in the database. Recommended for:

  • Initial security assessments
  • Post-breach investigations
  • Compliance audits

Example 3: Service Account Audit

.\Get-ADPasswordReuseReport.ps1 -Mode Targeted -TargetAccounts @('*svc*', '*service*', 'sql*')

Focuses on service accounts, which commonly suffer from password reuse.

Script Output

When the script completes, it generates a detailed report showing accounts grouped by shared password hashes, in the format shown in the Reporting section above.

The report clearly shows which accounts share passwords, making it easy to identify security risks that need immediate attention.

Remediation Steps

When you discover shared passwords:

  1. Prioritize by Risk
    • Enabled > Disabled
    • Domain/Enterprise Admins > Regular users
    • Service accounts with SPNs > Regular service accounts
  2. Change Passwords Immediately
    • Reset passwords for all affected accounts
    • For service accounts, update both the password and any service configurations that use it

Best Practices

Operational Security

  • Run offline: Don’t run this against live domain controllers
  • Secure the output: Treat the results file as highly sensitive
  • Access control: Limit who can run these audits
  • Audit logging: Log all audit activities

Organizational Practices

  • Unique passwords: Every privileged account should have a unique password
  • Password managers: Consider enterprise password management solutions
  • Service accounts: Use Managed Service Accounts (MSA) or Group Managed Service Accounts (gMSA) where possible

Limitations and Considerations

What This Script Doesn’t Detect

  • Weak passwords: Only identifies reuse, not strength
  • Breached passwords: Doesn’t check against known breach databases
  • Password patterns: Identical but not similar passwords
  • Historical passwords: Only current password hashes

Performance Considerations

  • Large environments: 100,000+ accounts may take several minutes in All Mode
  • Memory usage: Large databases require adequate RAM
  • Disk I/O: Reading ntds.dit is I/O intensive

Legal and Ethical Considerations

  • Authorization: Only run with proper authorization
  • Data protection: Password hashes are sensitive data
  • Retention: Don’t keep audit files longer than necessary
  • Scope: Stay within authorized assessment boundaries

Conclusion

Password reuse among privileged accounts represents a critical vulnerability that’s often overlooked in Active Directory environments. This PowerShell script provides a practical, efficient method for identifying shared passwords using offline database analysis.

Regular auditing for password reuse should be part of your security operations:

  • Quarterly audits for most organizations
  • Monthly audits for high-security environments
  • After security incidents or personnel changes
  • Before compliance audits

Remember: The goal isn’t just to identify problems but to drive continuous improvement in your organization’s password hygiene. Use these findings to educate stakeholders, improve policies, and implement technical controls like Managed Service Accounts.

Disclaimer: This tool is intended for authorized security auditing only. Always obtain proper authorization before analyzing Active Directory databases. Misuse of password hash data may violate organizational policies and legal regulations.
