Powershell: Generating random password for Active Directory


UPDATE 2015-01-04: I’ve updated the script on Technet Gallery: https://gallery.technet.microsoft.com/Generate-a-random-and-5c879ed5

Drastically improved performance and randomization logic.

When provisioning new users to Active Directory we need to provide a new password and of course we want to generate a random password.

These are my thoughts, and three methods for generating passwords: the first two are quite simple and straightforward, the third is a little more complex and is definitely the one I recommend.

Method 1

It is quite easy to pipe a bunch of chars to Get-Random and use the -join operator to join the picked characters back into a single string (with an empty string between the elements), which gives a somewhat random password.

The problem with this approach is that we cannot guarantee that the password will be accepted by AD as complex enough: the complexity policy requires characters from at least three of five categories (uppercase, lowercase, digits, non-alphanumeric, and other Unicode letters), and a pure Get-Random pick could return a password containing only lowercase letters a-z. Get-Random is also not a cryptographically secure generator, so the result is easier to predict than it looks.

Method 2

Another way is to use the .NET class System.Web.Security.Membership and call its static method GeneratePassword (in Windows PowerShell the assembly has to be loaded first with Add-Type -AssemblyName System.Web).

This method takes two parameters: the length (1 to 128 characters) and the minimum number of non-alphanumeric characters. Called as GeneratePassword(8, 2) it generates a password of 8 characters containing at least 2 non-alphanumeric characters. This is a bit closer to passing the AD requirements, since we can now be sure to get chars from at least two types, alphanumeric and non-alphanumeric, but occasionally it will still not fulfill the requirement of chars from at least three of five categories, for example when all of the alphanumeric characters happen to be lowercase.

This method works well enough as long as someone manually checks that the generated password fulfills the requirements of the organization. When automating password generation, for example during automated provisioning, it just isn't enough, so I wrote a PowerShell function to generate random and complex passwords, described in Method 3.
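As an added example (my own code, not from the original post), here are Method 1 and Method 2 side by side, each run through a check for the three-of-five category rule so you can see how often each approach produces a password that AD would reject. The function names New-NaivePassword, New-MembershipPassword and Test-AdComplexity are my own; the GeneratePassword part depends on System.Web, which only exists on .NET Framework, so it is skipped under PowerShell 7.

```powershell
# Added example (not from the original post): Method 1 and Method 2 side by
# side, each measured against the three-of-five category rule that AD's
# "Password must meet complexity requirements" policy enforces.
# Runs on Windows PowerShell 5.1; the System.Web part is .NET Framework only
# and is skipped under PowerShell 7 (.NET Core / .NET 5+).

function Test-AdComplexity {
    # $true when the password is at least six characters long and contains
    # characters from at least three of the five categories AD checks:
    # uppercase, lowercase, digits, non-alphanumeric, and other Unicode
    # letters that have no case (e.g. CJK). The policy's additional rule
    # that the password must not contain the account or display name is
    # not checked here because no account is involved.
    param([Parameter(Mandatory)][string]$Password)

    if ($Password.Length -lt 6) { return $false }
    $seen = @{}
    foreach ($c in $Password.ToCharArray()) {
        if     ([char]::IsUpper($c))  { $seen['upper']   = $true }
        elseif ([char]::IsLower($c))  { $seen['lower']   = $true }
        elseif ([char]::IsDigit($c))  { $seen['digit']   = $true }
        elseif ([char]::IsLetter($c)) { $seen['letter']  = $true }  # caseless letters
        else                          { $seen['special'] = $true }
    }
    return ($seen.Count -ge 3)
}

function New-NaivePassword {
    # Method 1: pick each character from the pool with Get-Random and -join
    # the result. Get-Random is not a cryptographically secure generator,
    # so this only illustrates the category problem.
    param([int]$Length = 8)
    $pool = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!"#%&'
    -join (1..$Length | ForEach-Object { $pool | Get-Random })
}

function New-MembershipPassword {
    # Method 2: Membership.GeneratePassword(length, minNonAlphanumeric).
    # length must be 1..128 and minNonAlphanumeric 0..length; the method
    # throws an ArgumentException otherwise.
    param([int]$Length = 8, [int]$MinNonAlphanumeric = 2)
    Add-Type -AssemblyName System.Web   # loads System.Web.dll (.NET Framework only)
    [System.Web.Security.Membership]::GeneratePassword($Length, $MinNonAlphanumeric)
}

# Constructed measurement: how many of 1000 passwords from each method would
# fail the complexity check. Method 2 fails whenever all of its alphanumeric
# characters happen to fall into a single category.
$trials = 1000
foreach ($method in 'New-NaivePassword', 'New-MembershipPassword') {
    if ($method -eq 'New-MembershipPassword' -and $PSVersionTable.PSEdition -eq 'Core') {
        Write-Warning "System.Web.Security.Membership is not available on PowerShell 7; skipping $method."
        continue
    }
    $rejected = 0
    foreach ($i in 1..$trials) {
        if (-not (Test-AdComplexity -Password (& $method))) { $rejected++ }
    }
    '{0}: {1} of {2} passwords would be rejected by the AD complexity policy' -f $method, $rejected, $trials
}
```

Test-AdComplexity uses the .NET char classification methods rather than ASCII regexes so that a caseless Unicode letter lands in its own category instead of being counted as non-alphanumeric; that is the distinction AD makes. Running the loop a few times shows that neither simple method gives a guarantee, only a probability.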

Method 3

I wrote a function to generate a number of random passwords that will be complex enough for Active Directory.

The function can be run in two ways: either with the parameter -PasswordLength to set a fixed password length, or with the parameters -MinPasswordLength and -MaxPasswordLength to use a random length within that range.

Both ways take the parameters -Count and -InputStrings. -Count specifies how many passwords to generate, and -InputStrings specifies a list of strings defining which chars to use for password generation. Each generated password will contain at least one char from each string (as long as PasswordLength >= the number of strings), which is what guarantees the category coverage that Methods 1 and 2 cannot.

I also use the class System.Security.Cryptography.RNGCryptoServiceProvider for the randomization instead of relying only on Get-Random, whose generator is not cryptographically secure, making the passwords a little more secure.

The parameters have the following default values:

PasswordLength: 8

MinPasswordLength: 8

MaxPasswordLength: 12

Count: 1

InputStrings: @('abcdefghijkmnopqrstuvwxyz', 'ABCEFGHJKLMNPQRSTUVWXYZ', '23456789', '!"#%&')

This means that just running New-SWRandomPassword without any parameters will generate one password of 8 characters containing lowercase, uppercase, numeric and non-alphanumeric characters, with at least one character from each of the four default strings. Note that the default strings leave out look-alike characters such as l, I, O, 0 and 1, which avoids confusion when a password is read out or typed from paper.
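The following is an added example of the Method 3 contract written from scratch; it is my own code, not the New-SWRandomPassword script from the Technet Gallery, and the names New-ComplexPassword and Get-SecureRandomIndex are hypothetical. It keeps the same idea (-InputStrings defines character classes, every password gets at least one character from each class, -Count and -PasswordLength as above) but supports a fixed length only, and it draws every index directly from the platform CSPRNG through System.Security.Cryptography.RandomNumberGenerator, which exists on both .NET Framework 4.x and .NET Core / .NET 5+, instead of the RNGCryptoServiceProvider class that newer .NET versions mark obsolete.

```powershell
# Added example (not the author's New-SWRandomPassword): a generator that
# guarantees at least one character from every input string and takes all
# randomness from the CSPRNG. Works on Windows PowerShell 5.1 and PowerShell 7.

function Get-SecureRandomIndex {
    # Uniform integer in [0, $Max) from the CSPRNG. Rejection sampling keeps
    # the result unbiased when $Max does not divide 2^32 evenly.
    param([Parameter(Mandatory)][int]$Max, [Parameter(Mandatory)]$Rng)
    $bytes = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $Rng.GetBytes($bytes)
        $value = [BitConverter]::ToUInt32($bytes, 0)
    } while ($value -ge $limit)
    return [int]($value % $Max)
}

function New-ComplexPassword {
    param(
        [ValidateRange(1, 256)][int]$PasswordLength = 8,
        [ValidateRange(1, 1000)][int]$Count = 1,
        # Same defaults as the post: look-alike characters are left out.
        [string[]]$InputStrings = @('abcdefghijkmnopqrstuvwxyz', 'ABCEFGHJKLMNPQRSTUVWXYZ', '23456789', '!"#%&')
    )
    if ($PasswordLength -lt $InputStrings.Count) {
        throw "PasswordLength ($PasswordLength) must be at least the number of InputStrings ($($InputStrings.Count))."
    }
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $allChars = [char[]](-join $InputStrings)   # union of all classes for the filler positions
        for ($n = 0; $n -lt $Count; $n++) {
            $chars = New-Object System.Collections.Generic.List[char]
            # One character from every input string guarantees category coverage.
            foreach ($set in $InputStrings) {
                $chars.Add($set[(Get-SecureRandomIndex -Max $set.Length -Rng $rng)])
            }
            # Fill the remaining positions from the union of all sets.
            while ($chars.Count -lt $PasswordLength) {
                $chars.Add($allChars[(Get-SecureRandomIndex -Max $allChars.Length -Rng $rng)])
            }
            # Fisher-Yates shuffle with CSPRNG indices, otherwise the guaranteed
            # characters would always sit at the start in input-string order.
            for ($i = $chars.Count - 1; $i -gt 0; $i--) {
                $j = Get-SecureRandomIndex -Max ($i + 1) -Rng $rng
                $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
            }
            -join $chars.ToArray()
        }
    }
    finally {
        $rng.Dispose()
    }
}

# Usage: three 12-character passwords, each verified against the guarantee
# that every input string contributed at least one character.
$sets = @('abcdefghijkmnopqrstuvwxyz', 'ABCEFGHJKLMNPQRSTUVWXYZ', '23456789', '!"#%&')
foreach ($pw in New-ComplexPassword -PasswordLength 12 -Count 3 -InputStrings $sets) {
    $coverage = foreach ($set in $sets) { $pw.IndexOfAny([char[]]$set) -ge 0 }
    '{0}  covers all sets: {1}' -f $pw, (-not ($coverage -contains $false))
}
```

Because the default classes map onto four of AD's five categories, any password this produces passes the three-of-five rule by construction, so no post-check or retry loop is needed. The rejection sampling in Get-SecureRandomIndex matters more than it looks: a plain modulo over the 32-bit value would favour the first few characters of each set whenever the set size does not divide 2^32.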

The script is available at the Technet Gallery.