Get‐PasswordFilterResult

ryannewington edited this page Jan 27, 2019 · 6 revisions

Description

The Get-PasswordFilterResult cmdlet allows you to programatically test passwords against your password policy.

This cmdlet does not attempt to change the user's password, nor does it contact the domain controller. Use of this cmdlet requires that the group policy for the password filter is configured and applied to the computer you are running the cmdlet on. The password filter does not need to be configured to filter passwords on the local computer, but the policy needs to be in place.

Syntax

Get-PasswordFilterResult -Password <string> -Username <string> -Fullname <string> -IsSetOperation <bool>

Get-PasswordFilterResult -SecurePassword <SecureString> -Username <string> -Fullname <string> -IsSetOperation <bool>

Parameters

Password

Required. The password to test

SecurePassword

Required. The password to test as a SecureString

Username

Required. The username of the user who would be changing their password

Fullname

Required. The full name of the user who would be changing their password

IsSetOperation

Optional. A boolean value indicating whether this should simulate a password set operation. The default value is false if not specified, which indicates that a password change operation should be simulated.

Return value

The cmdlet will return one of the following values

String value Numeric value Description
Approved 0 The password was approved by the filter
LengthRequirementsNotMet 1 The password did not meet the minimum length requirements
ComplexityThresholdNotMet 2 The password did not meet the complexity requirements for a password of the given length
ComplexityPointsNotMet 3 The password did not meet the minimum number of complexity points
DidNotMatchApprovalRegex 4 The password did not match the regular expression required for approval
MatchedRejectRegex 5 The password did matched the rejection regular expression
ContainsAccountName 6 The password contained the user's account name
ContainsFullName 7 The password contained all or part of the user's full name
Compromised 8 The password was found in the compromised password store
CompromisedNormalizedPassword 9 The password was found in the compromised password store after the normalization rules were applied
BannedNormalizedWord 10 The password was found in the banned word store after the normalization rules were applied
PasswordWasBlank 11 The password was an empty string
FilterError 100 An exception occurred in the filter engine and the password could not be processed

Examples

PS> Get-PasswordFilterResult -Password "password" -Username "test-user" -Fullname "John Test"
Banned

PS> Get-PasswordFilterResult -Password "John" -Username "test-user" -Fullname "John Test"
ContainsFullName

The following example prompts for a password to test

Get-PasswordFilterResult -SecurePassword (Read-Host -Prompt "Enter the password" -AsSecureString) -Username (Read-Host -Prompt "Enter the user's username") -Fullname (Read-Host -Prompt "Enter the user's full name")
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.