How enforce password required?

  • Thread starter Thread starter scubaal
  • Start date Start date
S

scubaal

Environment: ADWin2k3

we are currently being audited :(
and the auditor has used a tool (dumpsec) against our AD that
indicates that a number of our user accounts have passwordrequired=No
ie the accounts aren't required to have a password.

The issues is that when I use the standard AD tools like AD Users and
Computers snap in I cant see this property? Where is it? How can I set
these accounts so that they are required to have a password?

Al.
PS I know I *could* ask the auditor but I'd rather have it fixed by
the time they turn up :)
 
scubaal said:
Environment: ADWin2k3

we are currently being audited :(
and the auditor has used a tool (dumpsec) against our AD that
indicates that a number of our user accounts have passwordrequired=No
ie the accounts aren't required to have a password.

The issues is that when I use the standard AD tools like AD Users and
Computers snap in I cant see this property? Where is it? How can I set
these accounts so that they are required to have a password?

Al.
PS I know I *could* ask the auditor but I'd rather have it fixed by
the time they turn up :)
Click to expand...

A bit of the userAccountControl attribute determines this. The filter for
users that are not required to have a password would be:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))

You can set this filter in ADUC in View, Filter Options..., select "Create
custom filter", click "Customize...", select the Advanced tab, and enter the
above LDAP query. Only users not required to have a password will show in
ADUC.
 
I cannot find how to change this setting in ADUC. Maybe someone else knows
how. This can probably be modified with command line tools, like one of Joe
Richards' from his web site. Below is a VBScript program that removes this
setting for all users that have the bit set:
===================
Option Explicit

Dim objRootDSE, strDNSDomain, adoCommand, adoConnection
Dim strBase, strFilter, strAttributes, strQuery, adoRecordset
Dim strDN, objUser, lngFlag

Const ADS_UF_PASSWD_NOTREQD = &H20

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire domain.
strBase = "<LDAP://" & strDNSDomain & ">"

' Search for all users not required to have a password.
strFilter = "(&(objectCategory=person)(objectClass=user)" _
& "(userAccountControl:1.2.840.113556.1.4.803:=32))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"

' Construct the LDAP query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
' Retrieve values.
strDN = adoRecordset.Fields("distinguishedName").Value
' Bind to the user object.
Set objUser = GetObject("LDAP://" & strDN)
' Retrieve value of userAccountControl.
lngFlag = objUser.userAccountControl
' Toggle bit for password not required.
lngFlag = lngFlag Xor ADS_UF_PASSWD_NOTREQD
' Save new value.
objUser.userAccountControl = lngFlag
objUser.SetInfo
adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close
===========================
This could be modified to just display the user Distinguished Names (comment
out the SetInfo so no changes are made). Or, it could be modified to display
the name and prompt if you really want to do this.
 
Read inline please.
In
scubaal said:
Environment: ADWin2k3

we are currently being audited :(
and the auditor has used a tool (dumpsec) against our AD that
indicates that a number of our user accounts have passwordrequired=No
ie the accounts aren't required to have a password.

The issues is that when I use the standard AD tools like AD Users and
Computers snap in I cant see this property? Where is it? How can I set
these accounts so that they are required to have a password?

Al.
PS I know I *could* ask the auditor but I'd rather have it fixed by
the time they turn up :)
Click to expand...

Download and install Microsoft Baseline Security Analyzer.
http://www.microsoft.com/technet/security/tools/mbsahome.mspx



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
Send IM: http://www.icq.com/people/webmsg.php?to=296095728
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
 
Thanks for the replies all.
I can now find the property using LDAP queries and we can identify
accounts that have it set, but it still doesnt seem possible to set or
unset it in the ADUC?

If that is the case how did it get set for only a few of our users?
Al.
 
This value on users usually means someone used a script or tool that
didn't know to clear that flag after object creation.

For computer accounts, ADUC has a bug in it that will leave that value set.

If you want to quickly correct this across your entire forest for all
users you can do something like (all one line)

adfind -gcb -bit -f
"&(samaccountname=805306368)(useraccountcontrol:AND:=32)"
useraccountcontrol -adcsv | admod useraccountcontrol::{{.:CLR:32}} -unsafe





--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
scubaal said:
Thanks for the replies all.
I can now find the property using LDAP queries and we can identify
accounts that have it set, but it still doesnt seem possible to set or
unset it in the ADUC?

If that is the case how did it get set for only a few of our users?
Al.
Click to expand...

Joe's ADFind command can do this, and he posted the syntax. The VBScript
program I posted earlier should also work.
 
Back
Top