Re: Blank Passwords, Complex Requeirements and Problems...



there also a "Password Not Required" bit in userAccountControl attribute. That is why I asked....
The account would then have: 544 = normal account with "Password Not Required" bit = on

on a DC execute: adfind -default -s base
this will query the DC to show the attribute values on the domain NC

The output should be something like: (the values with <<<################################################## are the ones representing the password/account lockout stuff)

-- >objectClass: domain
objectClass: domainDNS
distinguishedName: DC=ADCORP,DC=DEMO
instanceType: 5
whenCreated: 20080313145130.0Z
whenChanged: 20080314160857.0Z
subRefs: DC=ForestDnsZones,DC=ADCORP,DC=DEMO
subRefs: DC=DomainDnsZones,DC=ADCORP,DC=DEMO
subRefs: CN=Configuration,DC=ADCORP,DC=DEMO
uSNCreated: 4098
uSNChanged: 22313
name: ADCORP
objectGUID: {FE063A98-E95A-4CB2-A7EA-984F62EF360C}
creationTime: 128498936571250000
forceLogoff: -9223372036854775808
lockoutDuration: -18000000000 <<<##################################################
lockOutObservationWindow: -18000000000 <<<##################################################
lockoutThreshold: 5 <<<##################################################
maxPwdAge: -155520000000000 <<<##################################################
minPwdAge: 0 <<<##################################################
minPwdLength: 3 <<<##################################################
modifiedCountAtLastProm: 0
nextRid: 1001
pwdProperties: 0 <<<##################################################
pwdHistoryLength: 0 <<<##################################################
objectSid: S-1-5-21-3687581062-375753355-2044987285
oEMInformation: R1
serverState: 1
uASCompat: 1
modifiedCount: 1
auditingPolicy: 0001 nTMixedDomain: 0
rIDManagerReference: CN=RID Manager$,CN=System,DC=ADCORP,DC=DEMO
fSMORoleOwner: CN=NTDS Settings,CN=RFSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=DEMO
systemFlags: -1946157056
wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=ADCORP,DC=DEMO
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=ADCORP,DC=DEMO
isCriticalSystemObject: TRUE
gPLink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ADCORP,DC=DEMO;0][LDAP://CN={2872CCC6-9F14-4992-890B-94C29FD55EA0},CN=Policies,CN=System,DC=ADCORP,DC=DEMO;0]
dSCorePropagationData: 16010101000000.0Z
masteredBy: CN=NTDS Settings,CN=RFSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=DEMO
ms-DS-MachineAccountQuota: 10
msDS-Behavior-Version: 2
msDS-PerUserTrustQuota: 1
msDS-AllUsersTrustQuota: 1000
msDS-PerUserTrustTombstonesQuota: 10
msDs-masteredBy: CN=NTDS Settings,CN=RFSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=DEMO
msDS-IsDomainFor: CN=NTDS Settings,CN=RFSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=DEMO
msDS-NcType: 0
dc: ADCORP

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Flavio Borup" <fborup@xxxxxxxxxxx> wrote in message news:2283CD29-99C1-4C0A-BBE4-13B3F58E0A57@xxxxxxxxxxxxxxxx
512, via AccountLocakout Tools DLL


"Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> escreveu na mensagem news:OH%23gpt6hIHA.1208@xxxxxxxxxxxxxxxxxxxxxxx
what is the userAccountControl value for those accounts?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"MCTS" <MCTS@xxxxxxxx> wrote in message news:EEDCD917-1BD0-457F-8434-F9F6BAB0D5D2@xxxxxxxxxxxxxxxx
Blank Passwords, Complex Requeirements and Problems...

An auditor discovered several accouns with Blank Passwords in a MultiDomain AD structure arround the world

As far as i know, the Win2003 AD never had a "free" Default Domain Policy to allow that, the DDP is the Default since the initial build of th AD. Ok, let's say that an Admin disabled temporarily th DDP for a few moments and allowed certain accouns to be created with blank passwords. Today, the DDP is configured to allow only complex passwords.

10 accounsts in the domain (among 1.200 other accounts) were found with blank passwords. When we reset thoses passwords, the ADUC allows.. BLANK passwords!!!!! Only in the 10 aaccounts created in 2007 (The AD was created on 2004). Any other user don't have that problem, only a sequencial list of accounts (created by script with the DSADD tool, exactly like any other account in the domain)








.