Password policy & userAccountControl ?



A security audit in the company states that a large number of users are
allowed to use weak/zero passwords.
The domain policy setting says that weak/zero passwords aren't allowed!
Domain controllers: W2K3 SP1

The clue:
A closer look shows that a "weak/zero password user" can't set a weak
password by themselves.
But an administrator CAN do it, by resetting the password. I have tried
that.
It seems to be users who have been auto-created / migrated who have
this "weak/zero password" possibility (old users, created some
years ago).
For a newly created user, even the administrator couldn't set a
weak/zero password for the user. This is NORMAL.
I want to stop helpdesk staff and administrators from being able to
set weak/zero passwords.

Any ideas about which user attribute to look for, or how to solve this
behavior?

I dumped the user accounts with an ldifde export, and it looks like users
with "userAccountControl: 544" are the users who have the "password not
required" possibility, which does not follow the domain password policy.
Any tips on how to fix this one?

John


FYI: I got this answer in another Windows newsgroup, and it didn't
work:
<I think your issue is with passwords that were set before the
<policy on password strength was defined to be in force.
<To get the old non-compliant passwords use a password
<expiration and so after one pass through the expiration time
<all accounts will have needed to reset their passwords, at which
<time the policy will be enforced on them.

<It is not my experience that an admin can set a password
<that fails to meet the policy.

<--
<Roger Abell
<Microsoft MVP (Windows Server : Security)
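
The value 544 from the export is 0x220, that is NORMAL_ACCOUNT (0x200) plus PASSWD_NOTREQD (0x20). As an added example (not part of the original post), this script scans an ldifde export for accounts with that bit set and reports the value with the bit cleared; the sample accounts and DNs are constructed.

```python
UAC_FLAGS = {            # userAccountControl bits as documented by Microsoft
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
PASSWD_NOTREQD = 0x0020
# Server-side equivalent: (userAccountControl:1.2.840.113556.1.4.803:=32)

# Constructed sample in ldifde export format (not real accounts).
SAMPLE_LDIF = """\
dn: CN=Old User,OU=Migrated,DC=example,DC=com
sAMAccountName: olduser
userAccountControl: 544

dn: CN=New User,OU=Staff,DC=example,DC=com
sAMAccountName: newuser
userAccountControl: 512

dn: CN=Old Service Account,OU=Migrated,
 DC=example,DC=com
sAMAccountName: svc_old
userAccountControl: 66080
"""

def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def parse_ldif(text):
    """Yield one {attribute: first value} dict per entry, unfolding wrapped
    lines. Base64 ("attr:: ...") values are kept encoded."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.strip().lower(), value.strip())
        if entry:
            yield entry

def password_not_required(ldif_text):
    """(account, uac, flags, uac with the bit cleared) per flagged account."""
    hits = []
    for e in parse_ldif(ldif_text):
        uac = int(e.get("useraccountcontrol", "0"))
        if uac & PASSWD_NOTREQD:
            name = e.get("samaccountname", e.get("dn"))
            hits.append((name, uac, decode_uac(uac), uac & ~PASSWD_NOTREQD))
    return hits
```

Clearing the bit does not change the stored password, so a flagged account still needs a password change afterwards.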
