사용자 계정에 비밀번호가 설정되어 있는지 확인하세요.

tag-icon tag-icon windows powershell windows-command-prompt
사용자 계정에 비밀번호가 설정되어 있는지 확인하세요.

독립 실행형(도메인에 가입되지 않은) Windows에서 PowerShell을 사용하여 특정 로컬 사용자 계정에 비밀번호가 설정되어 있거나 빈 비밀번호가 있는지 확인할 수 있습니까?

에 따르면https://gallery.technet.microsoft.com/scriptcenter/How-to-check-if-a-local-870ab031그리고https://blogs.technet.microsoft.com/heyscriptingguy/2005/10/06/how-can-i-verify-that-none-of-my-local-user-accounts-have-a-blank-password/, 이는 VBScript를 사용하여 가능하지만 ChangePasswordPowerShell 명령은 그렇지 않은 반면 원래 비밀번호를 제공해야 하기 때문입니다.

자격 증명을 사용하여 사용자로 프로세스를 실행하여 비밀번호를 확인할 수 있고 결과를 기록할 수 있다는 내용을 읽었지만 분명히 빈 문자열을 자격 증명으로 사용할 수는 없습니다.

답변1

많은 검색과 시행착오를 거쳐 이것을 개발하게 되었습니다.

$PrincipalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Machine')

Get-LocalUser | Where-Object Enabled -eq $true | ForEach-Object {
    $myUsername = $_.Name
    $myPasswordIsBlank = $PrincipalContext.ValidateCredentials($myUserName, $null)
    If ($myPasswordIsBlank) {
        # Do whatever you want here to output or alert the fact that you found a blank password.
    }
}

RMM을 통해 이를 실행하려면 오류를 방지하기 위해 코드 시작 부분에 다음을 추가해야 했습니다.

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

답변2

다음 PowerShell 명령/스크립트를 사용하여 이를 달성했습니다.

Write-Output "It's only possible to detect whether user accounts have blank passwords if the minimum password length is 0.";

$PasswordMinimumLength = 0;
Write-Output "Implementing new minimum password length of $PasswordMinimumLength...";

$Secedit_CFGFile_Path = [System.IO.Path]::GetTempFileName();
$Secedit_Path = "$env:SystemRoot\system32\secedit.exe";
$Secedit_Arguments_Export = "/export /cfg $Secedit_CFGFile_Path /quiet";
$Secedit_Arguments_Import = "/configure /db $env:SystemRoot\Security\local.sdb /cfg $Secedit_CFGFile_Path /areas SecurityPolicy";

Start-Process -FilePath $Secedit_Path -ArgumentList $Secedit_Arguments_Export -Wait;

$SecurityPolicy_Old = Get-Content $Secedit_CFGFile_Path;

$SecurityPolicy_New = $SecurityPolicy_Old -Replace "MinimumPasswordLength = \d+", "MinimumPasswordLength = $PasswordMinimumLength";

Set-Content -Path $Secedit_CFGFile_Path -Value $SecurityPolicy_New;

Try {
    Start-Process -FilePath $Secedit_Path -ArgumentList $Secedit_Arguments_Import -Wait;
} Catch {
    Write-Output "...FAILED.";
    Break;
}
If ($?){
    Write-Output "...Success.";
}
Write-Output "";
Write-Output "----------------------------------------------------------------";
Write-Output "";

Write-Output "Searching for user accounts with blank passwords...";

$BlankPasswordsFoundWording_PreUsername = "Found user account";
$BlankPasswordsFoundWording_PostUsername = "with a blank password.";
$NoBlankPasswordsFoundWording = "No user accounts with blank passwords found.";

$VBS_IdentifyBlankPasswords_Commands = @"
On Error Resume Next

Dim strComputerName
Dim strPassword

strComputerName = WScript.CreateObject("WScript.Network").ComputerName
strPassword = ""

Set LocalAccounts = GetObject("WinNT://" & strComputerName)
LocalAccounts.Filter = Array("user")

Dim Flag
Flag = 0 

For Each objUser In LocalAccounts
    objUser.ChangePassword strPassword, strPassword
    If Err = 0 or Err = -2147023569 Then
        Flag = 1
        Wscript.Echo "$BlankPasswordsFoundWording_PreUsername """ & objUser.Name & """ $BlankPasswordsFoundWording_PostUsername"
    End If
    Err.Clear
Next

If Flag = 0 Then
    WScript.Echo "$NoBlankPasswordsFoundWording"
End If
"@
# The above here-string terminator cannot be indented.;

# cscript won't accept / process a file with extension ".tmp" so ".vbs" needs to be appended.;
$VBS_IdentifyBlankPasswords_File_Path_TMP = [System.IO.Path]::GetTempFileName();
$VBS_IdentifyBlankPasswords_File_Directory = (Get-ChildItem $VBS_IdentifyBlankPasswords_File_Path_TMP).DirectoryName;
$VBS_IdentifyBlankPasswords_File_Name_TMP = (Get-ChildItem $VBS_IdentifyBlankPasswords_File_Path_TMP).Name;
$VBS_IdentifyBlankPasswords_File_Name_VBS = $VBS_IdentifyBlankPasswords_File_Name_TMP + ".vbs";
$VBS_IdentifyBlankPasswords_File_Path_VBS = "$VBS_IdentifyBlankPasswords_File_Directory\$VBS_IdentifyBlankPasswords_File_Name_VBS";

Set-Content -Path $VBS_IdentifyBlankPasswords_File_Path_VBS -Value $VBS_IdentifyBlankPasswords_Commands;

$VBS_IdentifyBlankPasswords_Output = & cscript /nologo $VBS_IdentifyBlankPasswords_File_Path_VBS;
# Write-Output $VBS_IdentifyBlankPasswords_Output;

$UsersWithBlankPasswords = $VBS_IdentifyBlankPasswords_Output | Select-String -Pattern "$BlankPasswordsFoundWording_PreUsername";

If ($UsersWithBlankPasswords -NE $Null){
    ForEach ($UserWithBlankPassword in $UsersWithBlankPasswords){
        $Username = [regex]::match($UserWithBlankPassword, '"([^"]+)"').Groups[1].Value;

        Write-Output "...$BlankPasswordsFoundWording_PreUsername ""$Username"" $BlankPasswordsFoundWording_PostUsername";
    }
} ElseIf ($UsersWithBlankPasswords -Eq $Null){
    Write-Output "$NoBlankPasswordsFoundWording";
}

Write-Output "";
Write-Output "----------------------------------------------------------------";
Write-Output "";

Write-Output "Implementing original minimum password length...";

Set-Content -Path $Secedit_CFGFile_Path -Value $SecurityPolicy_Old;

Try {
    Start-Process -FilePath $Secedit_Path -ArgumentList $Secedit_Arguments_Import -Wait;
} Catch {
    Write-Output "...FAILED.";
    Break;
}
If ($?){
    Write-Output "...Success.";
}

여기에 이미지 설명을 입력하세요

관련 정보