Re: Blank Passwords, Complex Requeirements and Problems...

Tech-Archive recommends: Fix windows errors by optimizing your registry

User Account Control set at 512 means that it is set to a pretty basic
level. This is a pretty normal setting for most user accounts.

It is enabled, it is not locked out.

These settings are NOT set:
User must change password at next logon
User cannot change password
Password never expires
Store password using reversible encryption
Smart card is required for interactive logon
Account is trusted for delegation
Account is sensitive and cannot be delegated
Use DES encryption types for this account
Do not require Kerberos preauthentication

I would again look to group policy processing. If the policy is not
restricting those accounts then you need to track down the exclusion.
Perhaps they are a member of a group that is being excluded from processing
that policy. That is just one such reason. Running the "Resultant set of
policy" wizard should be a good place to start.

--
Ken Aldrich
DSRAZOR for Windows
Visual Click Software, Inc.
www.visualclick.com

"Flavio Borup" <fborup@xxxxxxxxxxx> wrote in message
news:2283CD29-99C1-4C0A-BBE4-13B3F58E0A57@xxxxxxxxxxxxxxxx
512, via AccountLocakout Tools DLL


"Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> escreveu na
mensagem news:OH%23gpt6hIHA.1208@xxxxxxxxxxxxxxxxxxxxxxx
what is the userAccountControl value for those accounts?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"MCTS" <MCTS@xxxxxxxx> wrote in message
news:EEDCD917-1BD0-457F-8434-F9F6BAB0D5D2@xxxxxxxxxxxxxxxx
Blank Passwords, Complex Requeirements and Problems...

An auditor discovered several accouns with Blank Passwords in a
MultiDomain AD structure arround the world

As far as i know, the Win2003 AD never had a "free" Default Domain
Policy to allow that, the DDP is the Default since the initial build of
th AD. Ok, let's say that an Admin disabled temporarily th DDP for a few
moments and allowed certain accouns to be created with blank passwords.
Today, the DDP is configured to allow only complex passwords.

10 accounsts in the domain (among 1.200 other accounts) were found with
blank passwords. When we reset thoses passwords, the ADUC allows.. BLANK
passwords!!!!! Only in the 10 aaccounts created in 2007 (The AD was
created on 2004). Any other user don't have that problem, only a
sequencial list of accounts (created by script with the DSADD tool,
exactly like any other account in the domain)









.

Relevant Pages

  • Re: Account lockouts
    ... for reusable passwords and the AAA infrastructures that rely upon them? ... In that context, account lockout policy -- duration, threshold, lockout ... > cracking attacks. ...
    (microsoft.public.security)
  • Re: Deleting Admin Account
    ... administrative level account to change the Type of the Admin account ... created to a limited account (or create yourself a third account - non-admin ... The built-in administrator cannot be changed from the administrative level, ... You should password protect (with different passwords would be best) each ...
    (microsoft.public.windowsxp.setup_deployment)
  • RE: Highlighting weak password dangers
    ... The Administrators account does not have a lockout policy! ... You can just run passwords after passwords on it. ... I want to highlight the danger of using weak passwords on servers and ...
    (Security-Basics)
  • Re: Blank Passwords, Complex Requeirements and Problems...
    ... The account would then have: 544 = normal account with "Password Not Required" bit = on ... wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... As far as i know, the Win2003 AD never had a "free" Default Domain Policy to allow that, the DDP is the Default since the initial build of th AD. Ok, let's say that an Admin disabled temporarily th DDP for a few moments and allowed certain accouns to be created with blank passwords. ...
    (microsoft.public.win2000.active_directory)
  • Re: OT: dealing with keystroke loggers
    ... what's the practical solution to deal with s/w keystroke loggers ... Researcher refutes Microsoft's account of hijacked Hotmail passwords ... passwords were obtained in a massive phishing attack. ... "Everyone who suspects that their account has been compromised should ...
    (alt.sys.pc-clone.dell)