Possible or impossible to check domain password length in PowerShell

I know it's pretty much impossible to find out users' passwords in the domain, as that would be a security violation, which makes sense.

However, is it possible to write some lines of PowerShell that would check the length of all the passwords? Meaning being able to audit to make sure there are at least 15 characters in the password?

I have seen some third party plugins but didn’t know if it could be done easily using native PowerShell.

I highly doubt any tool exists that will give you that information, at least not consistently.
Other than password cracking tools that will actually crack the passwords of course.
The whole point of passwords and encryption is to scramble the password and not give information that would help an attacker.

If you’re using old stuff like LM Hash then you may get some information, depending on the hash values.
LM Hash is really weak, so if you’re using that you have bigger problems than password lengths.
It’s pre NT4 SP4 stuff.

If you want to make sure that all users have 15 or more characters in their password, you could set the domain password policy to 15 characters and then you would force a password reset.
E.g. setting the password expiry to a suitable short time frame and then reset it to what it was set later on, once everyone has changed their password.
Depending on the size of the company this may need to be done in a more staggered fashion and comms going out etc.

The only other option would be to start cracking passwords and that is a whole other can of worms.
If going this route, start looking at courses for Ethical Hacking so that you know what you’re getting yourself into.
E.g. get permission in writing etc.

All you do is get the MINIMUM requirements from the domain policy. No way I know to get password length on an individual user basis.

Ok great that is what I thought.

I also told them exactly what you said and that we should come at this from another angle, and it made more sense to change the GPO and then have passwords expire, with a short period where you could get everything merged over.

I found articles on how to “require users” to use at least 15 characters when they change their password once their current one expired. I just was wanting to confirm PowerShell was unable to audit that. I never say never on anything because the impossible is often possible, but you get my point: in the normal realm of possibility this is not something that is realistic.

Thanks for assisting!
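
What native PowerShell can audit, following the replies above (read the minimum from policy, then rely on a forced change): the sketch below is an added example, not code from any poster. It reads the default and fine-grained policies and flags enabled accounts whose password was last set before the policy change. `$RequiredLength` and `$PolicyChangeDate` are assumed placeholder values.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$RequiredLength   = 15
# Assumption: the date the new minimum took effect. Placeholder, replace with your own.
$PolicyChangeDate = Get-Date '2024-01-01'

# Domain-wide minimum. This is a policy value, not the length of any stored password.
$default = Get-ADDefaultDomainPasswordPolicy
"Default domain policy MinPasswordLength: $($default.MinPasswordLength)"

# Fine-grained password policies (PSOs) can override the default for users or groups.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength |
    Format-Table -AutoSize

$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires

$report = foreach ($u in $users) {
    # Returns the PSO that applies to this user, or nothing if the default policy applies.
    $pso    = Get-ADUserResultantPasswordPolicy -Identity $u
    $minLen = if ($pso) { $pso.MinPasswordLength } else { $default.MinPasswordLength }

    $status = if ($minLen -lt $RequiredLength) {
        'PolicyTooShort'        # effective policy still allows shorter passwords
    } elseif (-not $u.PasswordLastSet) {
        'NoPasswordSetDate'     # pwdLastSet is 0: never set, or must change at next logon
    } elseif ($u.PasswordLastSet -lt $PolicyChangeDate) {
        'SetBeforePolicy'       # set under the old minimum, length cannot be confirmed
    } else {
        'SetUnderPolicy'        # set while the current minimum was being enforced
    }

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        EffectiveMinLength   = $minLen
        PasswordLastSet      = $u.PasswordLastSet
        PasswordNeverExpires = $u.PasswordNeverExpires
        Status               = $status
    }
}

# Accounts that still need a password change (or a policy fix) before the audit is clean.
$report | Where-Object Status -ne 'SetUnderPolicy' |
    Sort-Object Status, PasswordLastSet |
    Format-Table -AutoSize
```

Accounts with `PasswordNeverExpires` set will not be caught by shortening the expiry period, so the report lists that flag alongside the status.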