检查用户帐户是否设置了密码
检查用户帐户是否设置了密码
提问于 2018-09-12 14:08:27
在独立(非域连接的) Windows中,是否可以使用PowerShell检查给定的本地用户帐户是否设置了密码/空白密码?
根据https://gallery.technet.microsoft.com/scriptcenter/How-to-check-if-a-local-870ab031和https://blogs.technet.microsoft.com/heyscriptingguy/2005/10/06/how-can-i-verify-that-none-of-my-local-user-accounts-have-a-blank-password/的说法,这在VBScript中是可能的,但这只是因为ChangePassword要求您提供原始密码,而PowerShell命令似乎并非如此。
我在某个地方读到,您可以以用户身份运行一个进程来验证密码,并记下结果,但是显然,您不能使用空字符串作为凭据。
回答 2
Server Fault用户
回答已采纳
发布于 2018-09-12 15:56:53
我通过以下PowerShell命令/脚本实现了这一点:
Write-Output "It's only possible to detect whether user accounts have blank passwords if the minimum password length is 0.";
$PasswordMinimumLength = 0;
Write-Output "Implementing new minimum password length of $PasswordMinimumLength...";
$Secedit_CFGFile_Path = [System.IO.Path]::GetTempFileName();
$Secedit_Path = "$env:SystemRoot\system32\secedit.exe";
$Secedit_Arguments_Export = "/export /cfg $Secedit_CFGFile_Path /quiet";
$Secedit_Arguments_Import = "/configure /db $env:SystemRoot\Security\local.sdb /cfg $Secedit_CFGFile_Path /areas SecurityPolicy";
Start-Process -FilePath $Secedit_Path -ArgumentList $Secedit_Arguments_Export -Wait;
$SecurityPolicy_Old = Get-Content $Secedit_CFGFile_Path;
$SecurityPolicy_New = $SecurityPolicy_Old -Replace "MinimumPasswordLength = \d+", "MinimumPasswordLength = $PasswordMinimumLength";
Set-Content -Path $Secedit_CFGFile_Path -Value $SecurityPolicy_New;
Try {
Start-Process -FilePath $Secedit_Path -ArgumentList $Secedit_Arguments_Import -Wait;
} Catch {
Write-Output "...FAILED.";
Break;
}
If ($?){
Write-Output "...Success.";
}
Write-Output "";
Write-Output "----------------------------------------------------------------";
Write-Output "";
Write-Output "Searching for user accounts with blank passwords...";
$BlankPasswordsFoundWording_PreUsername = "Found user account";
$BlankPasswordsFoundWording_PostUsername = "with a blank password.";
$NoBlankPasswordsFoundWording = "No user accounts with blank passwords found.";
$VBS_IdentifyBlankPasswords_Commands = @"
On Error Resume Next
Dim strComputerName
Dim strPassword
strComputerName = WScript.CreateObject("WScript.Network").ComputerName
strPassword = ""
Set LocalAccounts = GetObject("WinNT://" & strComputerName)
LocalAccounts.Filter = Array("user")
Dim Flag
Flag = 0
For Each objUser In LocalAccounts
objUser.ChangePassword strPassword, strPassword
If Err = 0 or Err = -2147023569 Then
Flag = 1
Wscript.Echo "$BlankPasswordsFoundWording_PreUsername """ & objUser.Name & """ $BlankPasswordsFoundWording_PostUsername"
End If
Err.Clear
Next
If Flag = 0 Then
WScript.Echo "$NoBlankPasswordsFoundWording"
End If
"@
# The above here-string terminator cannot be indented.;
# cscript won't accept / process a file with extension ".tmp" so ".vbs" needs to be appended.;
$VBS_IdentifyBlankPasswords_File_Path_TMP = [System.IO.Path]::GetTempFileName();
$VBS_IdentifyBlankPasswords_File_Directory = (Get-ChildItem $VBS_IdentifyBlankPasswords_File_Path_TMP).DirectoryName;
$VBS_IdentifyBlankPasswords_File_Name_TMP = (Get-ChildItem $VBS_IdentifyBlankPasswords_File_Path_TMP).Name;
$VBS_IdentifyBlankPasswords_File_Name_VBS = $VBS_IdentifyBlankPasswords_File_Name_TMP + ".vbs";
$VBS_IdentifyBlankPasswords_File_Path_VBS = "$VBS_IdentifyBlankPasswords_File_Directory\$VBS_IdentifyBlankPasswords_File_Name_VBS";
Set-Content -Path $VBS_IdentifyBlankPasswords_File_Path_VBS -Value $VBS_IdentifyBlankPasswords_Commands;
$VBS_IdentifyBlankPasswords_Output = & cscript /nologo $VBS_IdentifyBlankPasswords_File_Path_VBS;
# Write-Output $VBS_IdentifyBlankPasswords_Output;
$UsersWithBlankPasswords = $VBS_IdentifyBlankPasswords_Output | Select-String -Pattern "$BlankPasswordsFoundWording_PreUsername";
If ($UsersWithBlankPasswords -NE $Null){
ForEach ($UserWithBlankPassword in $UsersWithBlankPasswords){
$Username = [regex]::match($UserWithBlankPassword, '"([^"]+)"').Groups[1].Value;
Write-Output "...$BlankPasswordsFoundWording_PreUsername ""$Username"" $BlankPasswordsFoundWording_PostUsername";
}
} ElseIf ($UsersWithBlankPasswords -Eq $Null){
Write-Output "$NoBlankPasswordsFoundWording";
}
Write-Output "";
Write-Output "----------------------------------------------------------------";
Write-Output "";
Write-Output "Implementing original minimum password length...";
Set-Content -Path $Secedit_CFGFile_Path -Value $SecurityPolicy_Old;
Try {
Start-Process -FilePath $Secedit_Path -ArgumentList $Secedit_Arguments_Import -Wait;
} Catch {
Write-Output "...FAILED.";
Break;
}
If ($?){
Write-Output "...Success.";
}
Server Fault用户
发布于 2020-11-14 13:02:47
大量的搜索和尝试使我开发了以下内容:
$PrincipalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Machine')
Get-LocalUser | Where-Object Enabled -eq $true | ForEach-Object {
$myUsername = $_.Name
$myPasswordIsBlank = $PrincipalContext.ValidateCredentials($myUserName, $null)
If ($myPasswordIsBlank) {
# Do whatever you want here to output or alert the fact that you found a blank password.
}
}要在我的RMM中运行这一点,我必须在代码的开头添加以下内容以防止错误:
Add-Type -AssemblyName System.DirectoryServices.AccountManagement页面原文内容由Server Fault提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://serverfault.com/questions/930582
复制相关文章
相似问题
腾讯云开发者
