Active Directory Password Audit
Your password policy enforces complexity. Our audit tests whether complexity actually worked. We extract your NTDS.dit, run your NTLM hashes through GPU-powered cracking at billions of guesses per second, and give you a statistical report: percentage cracked, breach database matches, privileged account exposure. Offline. No lockouts. No guesswork.
Why your Active Directory password policy is not enough.
Your GPO enforces 12-character complexity. Half your organisation is on "Company2025!" or a pet's name. The policy says you are compliant. An audit tells you whether you are actually protected.
Password policy review
- Checks GPO minimum length and complexity settings
- Reports on password age and expiry configuration
- Confirms policy exists. Cannot confirm it works.
Password audit
- Extracts and cracks every actual NTLM hash in your domain
- Tests billions of combinations including "Summer2025!" and "Company1234"
- Identifies accounts that meet policy but are trivially crackable
- Provides cracking time estimates per account class with remediation priorities
What our audits find, consistently.
These are not projections. They are averages from Active Directory password audits conducted for mid-market UK organisations.
Average percentage of passwords our GPU rig cracks in policy-compliant AD environments across UK mid-market organisations.
"Summer2025!" meets most password policies: 12 characters, uppercase, number, special character. On our GPU rig it falls in under a minute.
Zero failed login attempts against your live AD. Zero account lockouts. Zero operational disruption. The entire engagement runs off your network.
What a free tool misses.
Specops Password Auditor and DSInternals are legitimate starting points. Here is where they stop and a professional Active Directory password audit begins.
| Capability | Free Tools (Specops / DSInternals) | Precursor AD Password Audit |
|---|---|---|
| Password cracking | Cannot crack hashes. Checks policy compliance and breach database only. | GPU-accelerated NTLM hash cracking at billions of guesses per second. Multi-phase attacks including dictionary, rules, and brute force. |
| Pattern detection | No pattern analysis. Cannot identify "Company2025!" as weak if it meets policy. | Rule-based pattern detection: season+year variants, company name combinations, keyboard walks, leet-speak substitutions. |
| Breach correlation | Limited HIBP k-anonymity API check. Covers known breaches only. | Full 800M+ NTLM hash corpus comparison plus GPU cracking of passwords not in any breach database. |
| Service accounts | Basic policy compliance check. No Kerberoasting analysis. | Kerberoastable SPN enumeration and offline cracking. Identifies privilege escalation paths through weak service account passwords. |
| Reporting | Automated tool output. No analyst interpretation or remediation roadmap. | Executive summary, technical findings per account class, remediation roadmap, compliance framework mapping. CREST-accredited. |
What the audit tests.
Six layers of analysis. From safe hash extraction through GPU-powered cracking to fine-grained policy review. Every password in your domain, tested against the same techniques an attacker would use.
Safe NTDS.dit Extraction
We extract a Volume Shadow Copy of your ntds.dit file using read-only operations. No agents installed, no changes to your live directory. The extraction takes 15 to 30 minutes and generates zero failed logins. Your users and systems are unaffected throughout.
GPU-Accelerated NTLM Cracking
NTLM hashes are loaded onto our air-gapped cracking rig. Multi-phase attacks: straight dictionary, rule-based mutations, hybrid wordlist combinations, and incremental brute force for short passwords. The cracking cycle runs for 3 to 5 days entirely off your network.
Breached Password Check
Extracted hashes are compared against a corpus of hundreds of millions of known compromised passwords. Any account using a breached password is flagged as a critical finding regardless of whether it meets your current password policy.
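The breach-corpus comparison above, and the k-anonymity prefix lookup mentioned in the comparison table, can be shown end to end with a small script. This is an added example and not Precursor's tooling: it computes NT hashes with a pure-Python MD4 (so it runs where OpenSSL has md4 disabled), buckets a constructed in-memory corpus by the first five hex characters the way a range-style breach API is queried, and flags any dumped hash whose suffix appears in its bucket. The account names, hash corpus and occurrence counts are constructed; `lookup_range` is the only call that would talk to an external service in a real run, and it only ever receives the five-character prefix.

```python
"""Offline breach-corpus check for NT hashes dumped from ntds.dit.

Added example, not Precursor's code. The corpus and the account list are
constructed stand-ins for a real hundreds-of-millions-entry hash set.
"""
import struct


def _md4(message: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    mask = 0xFFFFFFFF

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & mask

    bit_len = len(message) * 8
    message += b"\x80"
    message += b"\x00" * ((56 - len(message) % 64) % 64)
    message += struct.pack("<Q", bit_len)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    round3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(message), 64):
        x = struct.unpack("<16I", message[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rotl((a + h(b, c, d) + x[round3_order[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the password, upper-case hex."""
    return _md4(password.encode("utf-16-le")).hex().upper()


def _build_corpus(seen: dict) -> dict:
    """Bucket {password: occurrence count} into {5-char prefix: {35-char suffix: count}}."""
    corpus: dict = {}
    for pw, count in seen.items():
        nt = nt_hash(pw)
        corpus.setdefault(nt[:5], {})[nt[5:]] = count
    return corpus


# Constructed corpus: a few breached passwords with made-up occurrence counts.
BREACH_CORPUS = _build_corpus({"password": 12345, "Password1!": 4, "welcome": 999})


def lookup_range(prefix: str) -> dict:
    """Return the bucket for a 5-char prefix. In a real audit this is the only
    thing that leaves the rig: the prefix, never the full hash."""
    return BREACH_CORPUS.get(prefix.upper(), {})


def breach_match(nt: str) -> int:
    """Occurrence count for a full NT hash, 0 if it is not in the corpus."""
    nt = nt.upper()
    return lookup_range(nt[:5]).get(nt[5:], 0)


# Constructed account list simulating the hashes read from the ntds.dit dump.
SAMPLE_ACCOUNTS = {
    "svc_backup": nt_hash("Password1!"),              # policy-compliant, but breached
    "jsmith": nt_hash("password"),
    "klee": nt_hash("Harbour-Lantern-Quartz-48"),     # long passphrase, not in corpus
}


def audit_accounts(accounts: dict) -> list:
    """Critical findings: (account, occurrence count) for every breached hash,
    independent of whether the password satisfies the GPO."""
    return [(name, breach_match(nt)) for name, nt in accounts.items() if breach_match(nt)]


if __name__ == "__main__":
    for account, count in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"CRITICAL {account}: hash seen {count} times in breach corpus")
```

The two well-known reference values (the NT hash of an empty password and of "password") make a useful self-check for any re-implementation before it is trusted against a real dump; a wrong MD4 silently produces zero matches, which reads as a clean result.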
Kerberoasting SPN Analysis
Service account passwords are a frequent attack vector. We request Kerberos service tickets for all accounts with registered SPNs and attempt to crack them offline. Weak service account passwords are a reliable path to privilege escalation and are often missed by standard password policy reviews.
Privileged Account Focus
Domain Admins, Enterprise Admins, and service accounts are isolated and reported separately. We identify any privileged account using a crackable password, shared credentials across accounts, or passwords matching standard naming patterns. These are the highest-impact findings in the report.
Fine-Grained Policy Review
We review your GPOs and FGPPs against NCSC password guidance and your applicable compliance framework. We identify policy gaps for privileged account classes and provide configuration recommendations for deny-list enforcement to block common passwords.
How the Engagement Works
Four steps from initial call to remediation roadmap. No production impact.
Scoping Call
30 minutes to confirm domain architecture, account count, and your scheduled maintenance window. Fixed-price quote within 24 hours. No commitment required.
Safe Extraction
On-site or remote. Volume Shadow Copy of ntds.dit via read-only operations. 15 to 30 minutes. Zero changes to your directory. Zero failed logins.
Offline Cracking Cycle
3 to 5 days on dedicated GPU hardware, entirely off your network. Multi-phase attacks: dictionary, rules, breach corpus, and brute force.
Debrief and Report
Executive summary, technical findings per account class, remediation roadmap, and a debrief call to walk through priority actions. Compliance evidence mapping included.
What you receive.
Audit evidence for your compliance framework.
Our reports are formatted for inclusion in audit evidence packs. Executive summary, technical findings, and a remediation roadmap benchmarked against NCSC password guidance. A GPO screenshot proves a rule exists. An AD password audit proves whether anyone followed it.
| Framework | Requirement Addressed | What the Report Provides |
|---|---|---|
| ISO 27001 (Annex A.5.17) | Authentication information management | Statistical report of password strength across user population |
| Cyber Essentials | Strong password policy enforcement | Account-level compliance against CE password requirements |
| PCI DSS (Req. 8.3.6) | Minimum password complexity for in-scope accounts | Cracking success rates for cardholder environment accounts |
| NHS DSPT | Access control and credential management evidence | Percentage of accounts with crackable passwords and service account analysis |
| NCSC Password Guidance | Block commonly used passwords, support long passphrases | Verification that NCSC deny-list recommendations are functioning in practice |
When to commission a password audit.
Pentest Finding Follow-Up
Your penetration test report flagged weak password policy as a high-severity finding. This engagement produces the evidence to quantify the actual exposure and prioritise remediation.
ISO 27001 / Cyber Essentials
Your Annex A.5.17 auditor asked you to demonstrate that password controls are effective, not just configured. A GPO screenshot proves intent. An audit proves outcome.
Vendor Breach Response
A third-party supplier was breached. Your staff reuse passwords. You need to know whether any AD credentials appear in that breach data before your next board call.
Service Account Risk
You have service accounts with passwords set years ago, some with Domain Admin rights. Nobody touches them because they are woven into production systems. You need to know what those passwords look like.
Board Reporting Evidence
The board asked for a credential security metric. You need a number, not a GPO screenshot. The audit produces a statistical report suitable for executive presentation.
Free Tool Ceiling
You ran Specops / DSInternals and flagged 12 breached passwords. Your manager thinks you are fine. You know that tool found the floor, not the ceiling.
Fixed-price. No surprises.
Fixed-price engagements scoped at the outset based on domain architecture and account count. No day-rate estimates. No scope creep.
All tiers include: secure hash extraction, a 3-to-5-day cracking cycle on dedicated GPU hardware, executive summary, technical findings report, remediation roadmap, and a debrief call. Fixed-price proposal after a 30-minute scoping call. No purchase commitment required.
Find the gaps. Then watch for exploitation.
A password audit tells you which credentials are weak today. Managed detection and response watches for credential-based attacks tomorrow. Precursor delivers both: the assessment and the ongoing protection.
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
Frequently Asked Questions
Common questions about this service, methodologies, and deliverables.
An Active Directory password audit extracts NTLM password hashes from your domain controller and attempts to crack them offline using GPU-accelerated hardware. Unlike a password policy review, which only checks GPO settings, a password audit tests whether your users’ actual passwords can be cracked regardless of whether they meet your policy on paper. It identifies weak passwords, reused credentials, passwords found in public breaches, and service accounts with exploitable SPNs.
An AD password audit with Precursor Security starts from £2,500 for a single-domain environment with up to 5,000 accounts, and from £4,000 for multi-domain or forest-level engagements with 10,000 or more accounts. Hybrid AD and Entra ID environments are scoped individually after a discovery call. All engagements are fixed-price: we provide a formal proposal with a single line-item price before any work begins. No day-rate estimates. No surprise overruns.
No. The audit is conducted entirely offline. We extract a Volume Shadow Copy of your ntds.dit file using read-only operations. No agent is installed, no changes are made to Active Directory, and no authentication attempts are made against your live domain. The NTLM hashes are cracked on our air-gapped GPU rig, completely disconnected from your network. Your users, helpdesk, and IT team will have no awareness that the audit is taking place.
The extraction itself takes 15 to 30 minutes on-site or remotely. The cracking cycle runs for 3 to 5 days on our dedicated GPU hardware. Report preparation and delivery typically takes a further 2 to 3 business days. From scoping call to report delivery, most engagements are completed within 10 business days.
Your NTLM hashes are loaded onto our air-gapped cracking rig, a machine with no network connectivity, and are never transmitted over the internet. At the conclusion of the engagement, all extracted data is securely wiped from our equipment. A destruction certificate is available on request. We do not retain password hashes, cracked passwords, or any derivative data after report delivery. All processing takes place in the United Kingdom.
Cracked passwords are never disclosed in plain text in the report. We report the account name, the crack time, and the password category (e.g. "common dictionary word", "company name variation", "breach corpus match"). Actual plaintext passwords are communicated only to the named account holder and the engagement sponsor via an encrypted channel, and only where the engagement scope explicitly authorises this. The default report format does not include any plaintext passwords.
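The reporting rules above (account name, crack time and password category, never the plaintext), together with the pattern detection in the comparison table and the shared-credential check in the privileged account section, come together in the following added example. It is not Precursor's reporting code. It takes constructed per-account records of the kind that would be joined from the ntds.dit dump and the cracker's output, classifies each recovered password into a report category inside a single function, detects accounts sharing an NT hash, and produces per-class crack rates; the organisation name, the tiny dictionary and the leet-speak map are assumptions standing in for the real wordlists.

```python
"""Audit report aggregation: categories instead of plaintext, per-class crack
rates, and shared-credential detection. Added example; all records constructed."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

ORG_NAME = "Contoso"  # assumption: the audited organisation's name
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
KEYBOARD_WALKS = ("qwerty", "asdf", "zxcv", "1234", "qaz")
DICTIONARY = {"password", "welcome", "letmein", "monkey", "dragon"}  # constructed stand-in
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


@dataclass
class Record:
    account: str
    account_class: str            # "standard", "service" or "privileged"
    nt_hash: str                  # hex NT hash from the dump (constructed values below)
    cracked: Optional[str]        # recovered plaintext, or None if the cycle did not crack it
    crack_seconds: Optional[float]
    in_breach_corpus: bool        # hash matched the breach corpus


def categorise(password: str) -> str:
    """Map a recovered password to a report category. The plaintext never leaves here."""
    lower = password.lower()
    deleet = lower.translate(LEET)
    letters_only = re.sub(r"[^a-z]", "", lower)
    deleet_letters = re.sub(r"[^a-z]", "", deleet)
    if ORG_NAME.lower() in lower or ORG_NAME.lower() in deleet:
        return "company name variation"
    if any(s in lower for s in SEASONS) and re.search(r"\d{2}", lower):
        return "season+year"
    if any(w in lower for w in KEYBOARD_WALKS):
        return "keyboard walk"
    if letters_only in DICTIONARY:
        return "common dictionary word"
    if deleet_letters in DICTIONARY:
        return "leet-speak substitution"
    return "other cracked"


def build_report(records: list) -> dict:
    """Aggregate records into the structure the report is built from (no plaintext)."""
    by_class = defaultdict(lambda: {"total": 0, "crackable": 0})
    categories: Counter = Counter()
    hash_to_accounts = defaultdict(list)
    findings = []
    for r in records:
        by_class[r.account_class]["total"] += 1
        hash_to_accounts[r.nt_hash].append(r.account)
        if r.cracked is None and not r.in_breach_corpus:
            continue
        by_class[r.account_class]["crackable"] += 1
        category = "breach corpus match" if r.in_breach_corpus else categorise(r.cracked)
        categories[category] += 1
        findings.append({
            "account": r.account, "class": r.account_class, "category": category,
            "crack_seconds": r.crack_seconds,
            "severity": "critical" if r.in_breach_corpus or r.account_class == "privileged" else "high",
        })
    total = sum(v["total"] for v in by_class.values())
    crackable = sum(v["crackable"] for v in by_class.values())
    return {
        "crackable_pct": round(100 * crackable / total, 1) if total else 0.0,
        "by_class_pct": {cls: round(100 * v["crackable"] / v["total"], 1) for cls, v in by_class.items()},
        "categories": dict(categories),
        "findings": findings,
        # Accounts sharing one NT hash share one password: reported as a group.
        "shared_credentials": [sorted(a) for a in hash_to_accounts.values() if len(a) > 1],
    }


# Constructed records; hashes are placeholder hex, not real NT hashes.
SAMPLE_RECORDS = [
    Record("jsmith", "standard", "a1a1", "Summer2025!", 42.0, False),
    Record("abrown", "standard", "b2b2", "Contoso2025!", 58.0, False),
    Record("svc_backup", "service", "c3c3", "P@ssw0rd", 3.0, False),
    Record("svc_sql", "service", "c3c3", "P@ssw0rd", 3.0, False),   # same hash as svc_backup
    Record("da_admin", "privileged", "d4d4", "Qwerty123!", 7.0, False),
    Record("ea_root", "privileged", "e5e5", None, None, False),
    Record("tjones", "standard", "f6f6", "Welcome1", 1.0, True),
    Record("klee", "standard", "g7g7", None, None, False),
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_report(SAMPLE_RECORDS), indent=2))
```

Keeping the plaintext inside `categorise` and never copying it into the returned structure is what lets the report be pasted into an evidence pack; a test that searches the serialised report for the known sample passwords is a cheap guard against a later change leaking them.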
Password policies check configuration. They do not test reality. A policy requiring 10 characters, uppercase, and a number allows "Password1!" and "Summer2025!", both of which fall to our GPU rig in under 60 seconds. In policy-compliant environments, our audits consistently find 30 to 50 percent of passwords are crackable. Policy enforcement tells you the rules are in place. An audit tells you whether those rules are producing genuinely strong passwords.
Free tools such as Specops Password Auditor and DSInternals check whether account passwords comply with your current GPO settings and compare hashes against known breach databases via the HaveIBeenPwned k-anonymity API. What they cannot do is GPU-crack NTLM hashes. "Summer2025!" is policy-compliant and does not appear in breach databases, but on our GPU rig it is cracked in under 60 seconds. A professional audit goes beyond what any free scanner can tell you: it reveals what an attacker with a GPU rig could break, not just what already appeared in a public breach.
For hash extraction, we use ntdsutil and Volume Shadow Copy to safely copy the ntds.dit database. For cracking, we use hashcat on a dedicated array optimised for NTLM hash cracking. Breach database comparison runs against a corpus of hundreds of millions of known compromised hashes. All operations run on air-gapped infrastructure with no connection to your network.
We audit on-premises Active Directory and, where applicable, flag the password security implications of your Entra ID hybrid configuration. If you have deployed Azure AD Password Protection in audit mode, we contextualise what the audit logs are telling you and identify gaps: historical passwords set before the policy was active, pattern-based weak credentials that avoid the banned password list, and privileged accounts that require special handling. The Hybrid AD + Entra ID scope is available as a custom engagement.
The report includes: an executive summary with the percentage of accounts cracked and overall risk posture; technical findings broken down by account class (standard users, service accounts, privileged accounts); crack-time distribution analysis; Kerberoastable SPN audit results; breach database correlation findings; GPO and FGPP gap analysis benchmarked against NCSC password guidance; a prioritised remediation roadmap with specific configuration changes; and compliance evidence mapping for ISO 27001, PCI DSS, Cyber Essentials, and NHS DSPT.
The extraction requires an account with the right to create a Volume Shadow Copy of the ntds.dit database. This is typically a Domain Admin or an account with the Replicating Directory Changes privilege. We provide step-by-step guidance for the extraction process, and it can be performed by your own administrator under our supervision if preferred. The extraction takes 15 to 30 minutes and is fully reversible.
No. A password audit is a specific credential hygiene assessment: it extracts and cracks your NTLM hashes to measure password strength across your AD estate. A penetration test is a broader adversarial simulation that attempts to exploit vulnerabilities across your entire internal network. Both are often commissioned together: the penetration test identifies whether an attacker could reach your domain controller, and the password audit reveals what they would find when they get there.
We recommend an annual password audit, timed to your ISO 27001 review cycle or Cyber Essentials recertification, to provide year-on-year trend data. A single engagement establishes your baseline. Subsequent audits demonstrate improvement or identify regression. Organisations that have recently changed password policy, deployed MFA, or experienced a security incident should audit sooner to validate that remediation actions were effective.