Re: Password policy & userAccountControl ?
- From: "Cary Shultz" <cwshultz@xxxxxxxx>
- Date: Sun, 5 Mar 2006 14:30:07 -0500
To complement (hopefully) what Neil has stated:
You might want to look at the ALTools which can be found on the MS Website.
There are several neat utilities included. One of them is the acctinfo.dll
which will add an extra tab in the ADUC MMC (called Additional Account
Info). You might see several different values.
I *think* that you normally want this to be set to 512.
512 = UF_NORMAL_ACCOUNT
544 = UF_NORMAL_ACCOUNT + UF_PASSWD_NOTREQD
66088 = UF_NORMAL_ACCOUNT + UF_PASSWD_NOTREQD + UF_DONT_EXPIRE_PASSWD
You should be able to change them manually, via ldifde, via scripting, or via
ADMODIFY.net (I think....)
You really do not want to see 66088 on normal user account objects.
--
Cary W. Shultz
Roanoke, VA 24012
"Neil Ruston" <NeilRuston@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F13F9ECF-0536-4E5A-B415-54C27A5AB1E7@xxxxxxxxxxxxxxxx
1. An admin *cannot* set a password that does not adhere to the pw policy
2. Users may have set their pw before the pw policy was defined
3. Users with non-expiring passwords may have non-compliant pw's since they
were set before the pw policy was defined and have never changed their pw
since then.
You should:
a. Remove the non-expiring flag for all users
b. Ensure users change their pw on a regular basis via the domain GPO
c. Ensure your pw policy is correct and appropriate to the org
d. Check your a/c lockout policy too
neil
"John" wrote:
A security audit in the company states that a large number of users are
allowed to use weak/zero passwords.
The domain policy setting says that weak/zero password isn't allowed!
Domain controllers : W2K3 Sp1
The clue:
A closer look shows that a "weak/zero password user" can't set a weak
password themselves.
But an administrator CAN do it, by resetting the password. Have tried
that.
It seems to be users who have been auto-created / migrated who have
this "weak/zero password" possibility (old users, created some years
ago).
On a newly created user, not even the administrator could set a
weak/zero password for the user. This is NORMAL.
Want to stop the possibility of helpdesk and administrator people
setting weak/zero passwords.
Any idea about which user attribute to look for, or ideas to solve this
behavior?
Dumped user accounts with an ldifde export, and it looks like users with
"userAccountControl: 544" are the users who have the possibility of
password not required, which does not follow the domain password policy.
Any tip how to fix this one?
John
FYI: Got this answer in another Windows newsgroup and that didn't
work:
<I think your issue is with passwords that were set before the
<policy on password strength was defined to be in force.
<To get the old non-compliant passwords use a password
<expiration and so after one pass through the expiration time
<all account will have needed to reset their passwords, at which
<time the policy will be enforced on them.
<It is not my experience that an admin can set a password
<that fails to meet the policy.
<--
<Roger Abell
<Microsoft MVP (Windows Server : Security)