A mini thread: I periodically see folks suggest that to prevent weak passwords you should dump AD and compare the hashes against known bad passwords. DO NOT DO THAT. Let me explain.
First, a DC stores passwords in an encrypted portion of the directory database, keyed to that machine. To get a usable offline copy of the database you need to extract those keys as well. How do you do that? By running the latest "testing" tool du jour. How well do you trust that tool?
Have you audited that tool's source? I've audited many of them. I wouldn't choose to run any on a production DC for reliability reasons alone. Do you want to explain why the random hacking tool you installed to run against a DC just caused a BSOD?

A reboot'll fix it. Maybe.
Or maybe you've chosen one of the myriad "sync" tools that grabs everything by impersonating a DC. Where is that running? On your local machine? As domain admin? What else is running on your machine? Do you have a dedicated machine devoted to domain admin tasks?
Did you really just choose to run a tool you randomly found on the internet *as domain admin*, because someone told you to?
But alas, you've done it. Now you have a big huge file of 10,000 users and their password hashes in a CSV. Whatcha gonna do with that? Upload it to some scanning site? Compare against a known bad list you've downloaded? Using what tools? Where? How?
How do you guarantee that file never leaves the machine it was created on? It's just a random text file. Oh, it's sitting on your desktop because you copied it over to make it easier to analyze? And you have roaming profiles, or OneDrive syncing your profile folders.
And maybe now you have a list of people that have compromised or weak passwords. What do you do? Force the users to reset them! With equally... weak and... compromised passwords.
There are better solutions.

1. Use a password filter that bans weak or compromised passwords. Reset everyone *if* concerned.
2. Monitor breach notifications for *persons* not *passwords*, and rotate when you see the *person* compromised.
3. Enforce MFA.
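
To make option 1 concrete, here is the decision logic such a filter runs at password-set time, as an added example (not code from this thread, and not Microsoft's own implementation). A real Windows password filter is a native DLL loaded into LSASS via the "Notification Packages" registry value; this Python models only its decision: the documented built-in complexity rule that the candidate must not contain the samAccountName or any name token of three or more characters, plus a normalize-and-score check loosely modeled on how Azure AD Password Protection treats banned words. The banned list, substitution table and the five-point threshold are constructed assumptions for illustration.

```python
"""Password-filter decision logic: reject weak or banned candidates when the
password is set, so nobody ever needs to dump and crack hashes after the fact.

Added example. The name checks mirror the documented Windows complexity rule;
the banned-word scoring is loosely modeled on Azure AD Password Protection
(normalize, collapse each banned word to one point, count what remains).
The list, substitution map and threshold below are assumptions."""

import re
from typing import List, Optional, Tuple

# Constructed sample list. A real deployment loads a large global list plus a
# custom one (company name, products, local sports teams, ...).
BANNED_WORDS = ["password", "contoso", "welcome", "summer", "winter", "letmein"]

# Common leetspeak/symbol substitutions undone before matching (assumed map).
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})

MIN_SCORE = 5  # assumption: candidate must be worth at least 5 points

# Delimiters the Windows complexity rule uses to split the display name.
NAME_DELIMITERS = r"[,.\-_ #\t]"


def normalize(candidate: str) -> str:
    """Lowercase and undo substitutions so that P@ssw0rd! -> passwordi."""
    return candidate.lower().translate(SUBSTITUTIONS)


def score(candidate: str, banned: List[str] = BANNED_WORDS) -> Tuple[int, List[str]]:
    """Each banned word found counts as one point regardless of its length;
    every other character counts as one point. Returns (points, matches)."""
    text = normalize(candidate)
    matched: List[str] = []
    # Longest words first so "password" is not eaten by a shorter match.
    for word in sorted(banned, key=len, reverse=True):
        if word in text:
            matched.append(word)
            text = text.replace(word, "\x00")  # whole match -> one point
    return len(text), matched


def evaluate(candidate: str, account_name: str, full_name: str) -> Optional[str]:
    """Return None if the candidate is acceptable, otherwise the reason it
    was rejected. This is the function a filter DLL's PasswordFilter export
    would wrap."""
    lowered = candidate.lower()
    # Built-in complexity rule: no samAccountName, no name token >= 3 chars.
    if account_name and account_name.lower() in lowered:
        return "contains account name"
    for token in re.split(NAME_DELIMITERS, full_name.lower()):
        if len(token) >= 3 and token in lowered:
            return f"contains name token {token!r}"
    # Banned-word scoring: a banned word plus a year and a bang is still weak.
    points, matched = score(candidate)
    if points < MIN_SCORE:
        return f"too weak: score {points} < {MIN_SCORE}, banned words {matched}"
    return None


if __name__ == "__main__":
    # Constructed sample user and candidates.
    for pw in ["P@ssw0rd!", "Jsmith#2024", "Smith-Rocks-1", "Correct-horse-battery-9"]:
        verdict = evaluate(pw, "jsmith", "John Smith")
        print(f"{pw!r}: {'accepted' if verdict is None else 'rejected: ' + verdict}")
```

Two things worth noticing when you run it: "P@ssw0rd!" collapses to a single point plus one leftover character, so no amount of symbol-swapping rescues a banned word; and the scoring is deliberately lenient about what surrounds a banned word, because the goal is to block the obvious guessable patterns at set time, not to be the whole policy. MFA and non-password credentials, as the thread says, carry the rest.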

/fin
Addendum:

It's not all or nothing here, folks. Any one of these things going wrong leads to a very bad day for the org. The cure is worse than the disease.
Not to mention the legal and compliance requirements for holding a list of everyone's passwords. I sure as hell wouldn't want to have to deal with that.
And MFA isn't the only solution here. Switch to non-password-based credentials like certificates/smart cards, Windows Hello, FIDO, etc.

Get rid of passwords, limit how and when they can be used.
You can follow @SteveSyfuhs.