Blank Passwords, Complex Requeirements and Problems...

  • Thread starter Thread starter MCTS
  • Start date Start date
M

MCTS

Blank Passwords, Complex Requeirements and Problems...

An auditor discovered several accouns with Blank Passwords in a MultiDomain
AD structure arround the world

As far as i know, the Win2003 AD never had a "free" Default Domain Policy to
allow that, the DDP is the Default since the initial build of th AD. Ok,
let's say that an Admin disabled temporarily th DDP for a few moments and
allowed certain accouns to be created with blank passwords. Today, the DDP
is configured to allow only complex passwords.

10 accounsts in the domain (among 1.200 other accounts) were found with
blank passwords. When we reset thoses passwords, the ADUC allows.. BLANK
passwords!!!!! Only in the 10 aaccounts created in 2007 (The AD was created
on 2004). Any other user don't have that problem, only a sequencial list of
accounts (created by script with the DSADD tool, exactly like any other
account in the domain)
 
Hello,

Are you sure that those accounts are subject to the group policy?
I recommend running a "Resultant Set of Policies" test on the user accounts
in question.
There are several reasons why a given policy will not be applied to a user
account. I would find out first if the policy is being applied to those
accounts or not. If it is not, then you need to track down why the accounts
are exempt.
 
User Account Control set at 512 means that it is set to a pretty basic
level. This is a pretty normal setting for most user accounts.

It is enabled, it is not locked out.

These settings are NOT set:
User must change password at next logon
User cannot change password
Password never expires
Store password using reversible encryption
Smart card is required for interactive logon
Account is trusted for delegation
Account is sensitive and cannot be delegated
Use DES encryption types for this account
Do not require Kerberos preauthentication

I would again look to group policy processing. If the policy is not
restricting those accounts then you need to track down the exclusion.
Perhaps they are a member of a group that is being excluded from processing
that policy. That is just one such reason. Running the "Resultant set of
policy" wizard should be a good place to start.

--
Ken Aldrich
DSRAZOR for Windows
Visual Click Software, Inc.
www.visualclick.com

Flavio Borup said:
512, via AccountLocakout Tools DLL


"Jorge de Almeida Pinto [MVP - DS]"
what is the userAccountControl value for those accounts?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
Click to expand...
Click to expand...
 
there also a "Password Not Required" bit in userAccountControl attribute.
That is why I asked....
The account would then have: 544 = normal account with "Password Not
Required" bit = on

on a DC execute: adfind -default -s base
this will query the DC to show the attribute values on the domain NC

The output should be something like: (the values with
<<<################################################## are the ones
representing the password/account lockout stuff)

-- >objectClass: domain
objectClass: domainDNS
distinguishedName: DC=ADCORP,DC=DEMO
instanceType: 5
whenCreated: 20080313145130.0Z
whenChanged: 20080314160857.0Z
subRefs: DC=ForestDnsZones,DC=ADCORP,DC=DEMO
subRefs: DC=DomainDnsZones,DC=ADCORP,DC=DEMO
subRefs: CN=Configuration,DC=ADCORP,DC=DEMO
uSNCreated: 4098
uSNChanged: 22313
name: ADCORP
objectGUID: {FE063A98-E95A-4CB2-A7EA-984F62EF360C}
creationTime: 128498936571250000
forceLogoff: -9223372036854775808
lockoutDuration: -18000000000
<<<##################################################
lockOutObservationWindow: -18000000000
<<<##################################################
lockoutThreshold: 5 <<<##################################################
maxPwdAge: -155520000000000
<<<##################################################
minPwdAge: 0 <<<##################################################
minPwdLength: 3 <<<##################################################
modifiedCountAtLastProm: 0
nextRid: 1001
pwdProperties: 0 <<<##################################################
pwdHistoryLength: 0 <<<##################################################
objectSid: S-1-5-21-3687581062-375753355-2044987285
oEMInformation: R1
serverState: 1
uASCompat: 1
modifiedCount: 1
auditingPolicy: 0001 nTMixedDomain: 0
rIDManagerReference: CN=RID Manager$,CN=System,DC=ADCORP,DC=DEMO
fSMORoleOwner: CN=NTDS
Settings,CN=RFSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=DEMO
systemFlags: -1946157056
wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS
Quotas,DC=ADCORP,DC=DEMO
wellKnownObjects:
B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program
Data,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program
Data,DC=ADCORP,DC=DEMO
wellKnownObjects:
B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted
Objects,DC=ADCORP,DC=DEMO
wellKnownObjects:
B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=ADCORP,DC=DEMO
wellKnownObjects:
B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=ADCORP,DC=DEMO
wellKnownObjects:
B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=ADCORP,DC=DEMO
wellKnownObjects: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain
Controllers,DC=ADCORP,DC=DEMO
wellKnownObjects:
B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=ADCORP,DC=DEMO
wellKnownObjects:
B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=ADCORP,DC=DEMO
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=ADCORP,DC=DEMO
isCriticalSystemObject: TRUE
gPLink:
[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ADCORP,DC=DEMO;0][LDAP://CN={2872CCC6-9F14-4992-890B-94C29FD55EA0},CN=Policies,CN=System,DC=ADCORP,DC=DEMO;0]
dSCorePropagationData: 16010101000000.0Z
masteredBy: CN=NTDS
Settings,CN=RFSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=DEMO
ms-DS-MachineAccountQuota: 10
msDS-Behavior-Version: 2
msDS-PerUserTrustQuota: 1
msDS-AllUsersTrustQuota: 1000
msDS-PerUserTrustTombstonesQuota: 10
msDs-masteredBy: CN=NTDS
Settings,CN=RFSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=DEMO
msDS-IsDomainFor: CN=NTDS
Settings,CN=RFSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=DEMO
msDS-NcType: 0
dc: ADCORP
Click to expand...

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
Flavio Borup said:
512, via AccountLocakout Tools DLL


"Jorge de Almeida Pinto [MVP - DS]"
what is the userAccountControl value for those accounts?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
Click to expand...
Click to expand...
 
Back
Top