Test-IsAdUserPasswordCompromised fails on an account with no password

[mickpoz]

I've copied the powershell script from here: https://github.com/lithnet/ad-password-protection/wiki/Audit-existing-passwords
I'm running it directly on the DC with a domain admin account.
I get the following output (this runs through the user list with the same result for every one):

WARNING: User Administrator has a null UPN
WARNING: User Guest has a null UPN
WARNING: User krbtgt has a null UPN

Test-IsADUserPasswordCompromised : Object reference not set to an instance of an object.
At C:\users\xxxx\Desktop\password_audit.ps1:31 char:15

• ... $result = Test-IsADUserPasswordCompromised -UPN $user -server local ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [Test-IsADUserPasswordCompromised], NullReferenceException
  • FullyQualifiedErrorId : System.NullReferenceException,Lithnet.ActiveDirectory.PasswordProtection.PowerShell.Test
    IsADUserPasswordCompromised

The get-pwned-users.csv is created but there is nothing in the file except for the column headers.

I'm able to run the Test-IsADPasswordCompromised module directly from the command line, so thats working.

Thanks.

[ryannewington]

@mickpoz sorry for the delay in getting back to you. Is this still a problem for you?

If so, when the error occurs, could you send me the result from the following command

$error[0].Exception.ToString()

Immediately after the error condition

[mickpoz]

Hi Ryan,
No problems, I've kind of dropped it but FYI this is what I get from running your command.
Note, the script runs for approx 1/3 of the users now and I get output in the csv file but the rest of the users display the same original error.

System.NullReferenceException: Object reference not set to an instance of an object.
at Lithnet.ActiveDirectory.PasswordProtection.Extensions.ToHexString(Byte[] hash, Int32 offset, Int32 count)
at Lithnet.ActiveDirectory.PasswordProtection.BinaryStoreInstance.IsHashInStore(Byte[] hash)
at Lithnet.ActiveDirectory.PasswordProtection.PowerShell.TestIsADUserPasswordCompromised.ProcessRecord() in D:\github
\lithnet\ad-password-protection\src\PasswordProtectionPS\TestIsADUserPasswordCompromised.cs:line 62
at System.Management.Automation.CommandProcessor.ProcessRecord()

[ryannewington]

@mickpoz thanks so much for getting back to me. I suspect it's choking on a user that has no password. I'll look into this further and confirm.

[ryannewington]

Fixed in https://github.com/lithnet/ad-password-protection/releases/tag/v1.0.7107

[mickpoz]

Hi Ryan,

The latest release fixed the error! However it isn't running for all users. It completes without error but the csv only has about a third of my users in there. Can confirm that they definitely do not have no passwords, my own account is in the list.

[ryannewington]

That sounds like an issue enumerating the users in the domain.

Are they all in the same domain?
Any differences between the accounts that are appearing and those that aren't (eg OU locations?)

[mickpoz]

Hi Ryan,
I can't figure it out!
All users in the same domain and same OU.
The ones that are working are a mix of older and newer accounts so I don't think account age is a factor.

[ryannewington]

Looking into this further, the script only logs details for users who have a compromised password. If the user's password is not compromised, they are not added to the list.

Could it be as simple as the gact that the 2/3 of users appearing in the list do not have passwords that are known to be compromised?