Re: Blank Passwords, Complex Requirements and Problems...



There is also a "Password Not Required" bit in the userAccountControl attribute. That is why I asked....
The account would then have: 544 = normal account with the "Password Not Required" bit = on

On a DC execute: adfind -default -s base
This will query the DC to show the attribute values on the domain NC.

The output should be something like this (the values marked with <<<################################################## are the ones representing the password/account lockout settings):

objectClass: domain
objectClass: domainDNS
distinguishedName: DC=ADCORP,DC=DEMO
instanceType: 5
whenCreated: 20080313145130.0Z
whenChanged: 20080314160857.0Z
subRefs: DC=ForestDnsZones,DC=ADCORP,DC=DEMO
subRefs: DC=DomainDnsZones,DC=ADCORP,DC=DEMO
subRefs: CN=Configuration,DC=ADCORP,DC=DEMO
uSNCreated: 4098
uSNChanged: 22313
name: ADCORP
objectGUID: {FE063A98-E95A-4CB2-A7EA-984F62EF360C}
creationTime: 128498936571250000
forceLogoff: -9223372036854775808
lockoutDuration: -18000000000 <<<##################################################
lockOutObservationWindow: -18000000000 <<<##################################################
lockoutThreshold: 5 <<<##################################################
maxPwdAge: -155520000000000 <<<##################################################
minPwdAge: 0 <<<##################################################
minPwdLength: 3 <<<##################################################
modifiedCountAtLastProm: 0
nextRid: 1001
pwdProperties: 0 <<<##################################################
pwdHistoryLength: 0 <<<##################################################
objectSid: S-1-5-21-3687581062-375753355-2044987285
oEMInformation: R1
serverState: 1
uASCompat: 1
modifiedCount: 1
auditingPolicy: 0001
nTMixedDomain: 0
rIDManagerReference: CN=RID Manager$,CN=System,DC=ADCORP,DC=DEMO
fSMORoleOwner: CN=NTDS Settings,CN=RFSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=DEMO
systemFlags: -1946157056
wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=ADCORP,DC=DEMO
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=ADCORP,DC=DEMO
isCriticalSystemObject: TRUE
gPLink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ADCORP,DC=DEMO;0][LDAP://CN={2872CCC6-9F14-4992-890B-94C29FD55EA0},CN=Policies,CN=System,DC=ADCORP,DC=DEMO;0]
dSCorePropagationData: 16010101000000.0Z
masteredBy: CN=NTDS Settings,CN=RFSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=DEMO
ms-DS-MachineAccountQuota: 10
msDS-Behavior-Version: 2
msDS-PerUserTrustQuota: 1
msDS-AllUsersTrustQuota: 1000
msDS-PerUserTrustTombstonesQuota: 10
msDs-masteredBy: CN=NTDS Settings,CN=RFSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=DEMO
msDS-IsDomainFor: CN=NTDS Settings,CN=RFSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=DEMO
msDS-NcType: 0
dc: ADCORP

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
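Added example, not code from the thread or from the poster: a small Python script that decodes the userAccountControl flag bits behind the 512 vs. 544 values discussed above and converts the domain-NC password/lockout attributes from the adfind output into seconds and booleans. The flag bits and the 100-nanosecond-tick encoding are the documented AD ones; the sample attribute lines are copied from the output in the reply.

```python
# Added example (not from the thread): decode userAccountControl's PASSWD_NOTREQD
# bit and the domain-NC password/lockout attributes shown in the adfind output.
UAC_FLAGS = {  # well-known ADS_USER_FLAG_ENUM bits
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
# Domain-NC attributes stored as negative counts of 100-nanosecond ticks.
INTERVAL_ATTRS = ("maxPwdAge", "minPwdAge", "lockoutDuration", "lockOutObservationWindow")
# Policy lines as printed in the reply's sample "adfind -default -s base" output.
SAMPLE = """\
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 5
maxPwdAge: -155520000000000
minPwdAge: 0
minPwdLength: 3
pwdProperties: 0
pwdHistoryLength: 0
"""

def decode_uac(value):
    """Names of the flag bits set in a userAccountControl value (512 -> NORMAL_ACCOUNT)."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def password_not_required(value):
    """True when PASSWD_NOTREQD (0x20) is set; the DC then accepts an empty
    password for that account regardless of minPwdLength or complexity."""
    return bool(value & 0x20)

def parse_adfind(text):
    """Parse 'attribute: value' lines into a dict (last value wins)."""
    return dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)

def policy_summary(attrs):
    """Convert raw domain-NC policy attributes to seconds, ints and booleans."""
    out = {}
    for name in INTERVAL_ATTRS:
        ticks = int(attrs[name])
        # -2**63 means "never"; otherwise 10**7 ticks per second.
        out[name] = None if ticks == -2**63 else abs(ticks) // 10_000_000
    for name in ("minPwdLength", "pwdHistoryLength", "lockoutThreshold"):
        out[name] = int(attrs[name])
    out["complexity"] = bool(int(attrs["pwdProperties"]) & 0x1)  # DOMAIN_PASSWORD_COMPLEX
    return out
```

Running `policy_summary(parse_adfind(SAMPLE))` on the sample turns maxPwdAge into 180 days (15552000 s) and lockoutDuration into 30 minutes; `decode_uac(544)` lists both NORMAL_ACCOUNT and PASSWD_NOTREQD, which is the bit an audit for blank-password-capable accounts should look for.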
"Flavio Borup" <fborup@xxxxxxxxxxx> wrote in message news:2283CD29-99C1-4C0A-BBE4-13B3F58E0A57@xxxxxxxxxxxxxxxx
512, via AccountLockout Tools DLL


"Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> escreveu na mensagem news:OH%23gpt6hIHA.1208@xxxxxxxxxxxxxxxxxxxxxxx
What is the userAccountControl value for those accounts?

"MCTS" <MCTS@xxxxxxxx> wrote in message news:EEDCD917-1BD0-457F-8434-F9F6BAB0D5D2@xxxxxxxxxxxxxxxx
Blank Passwords, Complex Requirements and Problems...

An auditor discovered several accounts with blank passwords in a multi-domain AD structure around the world.

As far as I know, the Win2003 AD never had a "free" Default Domain Policy to allow that; the DDP has been the default since the initial build of the AD. OK, let's say that an admin temporarily disabled the DDP for a few moments and allowed certain accounts to be created with blank passwords. Today, the DDP is configured to allow only complex passwords.

10 accounts in the domain (among 1,200 other accounts) were found with blank passwords. When we reset those passwords, ADUC allows... BLANK passwords!!!!! Only in the 10 accounts created in 2007 (the AD was created in 2004). No other user has that problem, only a sequential list of accounts (created by script with the DSADD tool, exactly like any other account in the domain).
