Welcome! This repo contains a simple PowerShell script to report on all things reversible encryption.
If you didn't start there, see the companion article here for a write-up of the problems this script aims to solve.
Running Check-AllUsersClearText.ps1 without adjustment will report on the Default Domain Password Policy (DDPP), Fine-Grained Password Policies (FGPP) and User Account Configuration. This script will definitively detect all users in a domain that are configured with a clear-text password (reversible encryption).
Specific details for each user or configuration found, including details of how to remediate, are written to the screen.
Update 3 variables under certain conditions:
$defaultDomainPolicy -- if you renamed the policy used to configure the default password policy. By default, this is "Default Domain Policy".
$verboseMode -- Change this to $True to globally enable verbose mode. To enable verbose output for individual checks instead, change the per-check settings in the MAIN section of the script. NOTE: Changing verboseMode globally will display clear-text password information. It is recommended to run with $False first.
$DChostname -- if you are not running directly on the DC, update this to the DC you will be targeting.
Reporting on clear-text password data requires the DSInternals module:
Install-Module DSInternals -Force
This module may be detected as malware and will need to be excluded in order to complete successfully. I have no affiliation with DSInternals and take no responsibility for its use.
The script must be run as a Domain Administrator in an Administrative PowerShell session.
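The following is an added, stand-alone audit example, not the repository's Check-AllUsersClearText.ps1. It walks the same three places reversible encryption can be switched on (DDPP, FGPP, per-user flag) with the ActiveDirectory RSAT module, and optionally asks DSInternals whether a recoverable password is already stored, reporting only a yes/no and never the password itself. The variable names $DChostname and $defaultDomainPolicy mirror the README; the DC name and the DSInternals property path ($_.SupplementalCredentials.ClearText) are assumptions and placeholders, not taken from the script.

```powershell
# Added example, not the repo's script. Requires the ActiveDirectory module; the
# optional stored-secret check requires DSInternals (see README). Run as Domain Admin.
param(
    [string]$DChostname          = 'DC01.example.local',      # placeholder: set to your DC
    [string]$defaultDomainPolicy = 'Default Domain Policy',   # GPO name, as in the README
    [bool]$checkStoredSecrets    = $false                     # $true needs DSInternals
)

Import-Module ActiveDirectory -ErrorAction Stop

$findings = New-Object System.Collections.Generic.List[object]

# 1. Default Domain Password Policy: applies to every user not covered by a winning FGPP.
$ddpp = Get-ADDefaultDomainPasswordPolicy -Server $DChostname
if ($ddpp.ReversibleEncryptionEnabled) {
    $findings.Add([pscustomobject]@{
        Scope  = 'DDPP'
        Object = $ddpp.DistinguishedName
        Detail = 'ReversibleEncryptionEnabled is True; every password set while this is on is stored recoverably.'
        Fix    = "Set 'Store passwords using reversible encryption' to Disabled in '$defaultDomainPolicy', then force password changes."
    })
}

# 2. Fine-Grained Password Policies: a PSO overrides the DDPP for the principals it applies to.
Get-ADFineGrainedPasswordPolicy -Filter * -Server $DChostname |
    Where-Object { $_.ReversibleEncryptionEnabled } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Scope  = 'FGPP'
            Object = $_.Name
            Detail = "Precedence $($_.Precedence); applies to: $($_.AppliesTo -join ', ')"
            Fix    = "Set-ADFineGrainedPasswordPolicy -Identity '$($_.Name)' -ReversibleEncryptionEnabled `$false"
        })
    }

# 3. Per-user flag: userAccountControl bit 0x80 (ENCRYPTED_TEXT_PWD_ALLOWED), matched with
#    the LDAP bitwise-AND matching rule so the DC does the filtering.
$uacBit = 128
Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$uacBit)" -Server $DChostname -Properties userAccountControl |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Scope  = 'User'
            Object = $_.SamAccountName
            Detail = "userAccountControl=$($_.userAccountControl) has bit 0x80 set"
            Fix    = "Set-ADUser -Identity '$($_.SamAccountName)' -AllowReversiblePasswordEncryption `$false; then reset the password"
        })
    }

# 4. Optional: the flags above only say a *future* password would be stored recoverably.
#    Whether one already is can only be seen in the directory secrets, which is what the
#    README uses DSInternals for. Only a yes/no is reported here, never the value.
#    Assumption: DSInternals exposes the clear-text slot as SupplementalCredentials.ClearText.
if ($checkStoredSecrets) {
    if (-not (Get-Command Get-ADReplAccount -ErrorAction SilentlyContinue)) {
        Write-Warning 'DSInternals not available; skipping stored-secret check.'
    } else {
        Get-ADReplAccount -All -Server $DChostname |
            Where-Object { $_.SupplementalCredentials -and $_.SupplementalCredentials.ClearText } |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Scope  = 'StoredSecret'
                    Object = $_.SamAccountName
                    Detail = 'A clear-text password is currently stored for this account'
                    Fix    = 'Clear the flag/policy, then force a password change so the stored value is replaced'
                })
            }
    }
}

if ($findings.Count -eq 0) {
    'No reversible-encryption configuration found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Two points worth keeping in mind when reading the output: clearing the policy or the user flag does not remove a clear-text password that is already stored, so every finding's remediation ends with a forced password change; and the first three checks need only read access to the directory, while the optional fourth pulls account secrets from the DC and so should be run only under the same Domain Admin conditions the README describes.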
Sample output:
Non-Verbose Mode
Verbose Default Domain Policy
Verbose FGPP
Verbose User Account Data
Verbose Clear-Text Data