RE: UF_PASSWD_NOTREQD user account flag

From: dave kleiman (dave_at_isecureu.com)
Date: 03/16/05

    To: "'Petr Merta'" <pmerta@lynguent.com>, <focus-ms@securityfocus.com>
    Date: Wed, 16 Mar 2005 13:43:58 -0500
    
    

    Petr,

    > can anybody here explain the real meaning of
    > UF_PASSWD_NOTREQD flag of Windows user account?

    It means password not required, or from the GUI's setting your minimum
    password length to "0".

    > I've found
    > bunch of user accounts in W2K domain with this flag set; when
    > I've tried to perform interactive or network logon with them,
    > it failed.

    You can still have that flag set, yet have other policies/security options
    that require accounts to have passwords to be able to log in, i.e. the
    setting "Limit local account use of blank password to console"; and remember,
    by default most remote (TS, RDP, Remote Registry, Telnet) services require
    passwords.

    > I've found no descriptive documentation besides of
    > vague "password not required" statement. My questions are:
    > -- what's the actual meaning of this flag?

    It really, really means no password required; it does not mean that some
    other policy setting might not override it.

    > -- are there some circumstances under which it is possible to
    > logon to account with this flag set (without password)?

    Yes, it is possible. Local on a box if the security policy allows it, or
    turning off the no blank password requirement of some service, etc.

    >
    > Thanks for any info and/or reference.
    >

    Dave Kleiman

    www.SecurityBreachResponse.com www.ComputerForensicInvestigations.com
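
Added example, not part of the original post: a PowerShell audit helper that triages accounts by the UF_PASSWD_NOTREQD bit (0x0020) of userAccountControl, so enabled accounts that are allowed a blank password get reviewed first. The function name `Get-PasswdNotReqdFinding` and the sample accounts are hypothetical, constructed for illustration; the flag values are the ones defined in lmaccess.h.

```powershell
# userAccountControl bits (values as defined in lmaccess.h)
$UF_ACCOUNTDISABLE     = 0x0002
$UF_PASSWD_NOTREQD     = 0x0020
$UF_DONT_EXPIRE_PASSWD = 0x10000

function Get-PasswdNotReqdFinding {
    # Hypothetical helper: emits one finding per account that has PASSWD_NOTREQD set.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Account   # must expose SamAccountName and userAccountControl
    )
    process {
        $uac = [int]$Account.userAccountControl
        if (($uac -band $UF_PASSWD_NOTREQD) -eq 0) { return }   # flag clear: nothing to report
        $disabled = ($uac -band $UF_ACCOUNTDISABLE) -ne 0
        [pscustomobject]@{
            SamAccountName = $Account.SamAccountName
            UAC            = '0x{0:X}' -f $uac
            Enabled        = -not $disabled
            NeverExpires   = ($uac -band $UF_DONT_EXPIRE_PASSWD) -ne 0
            # Enabled accounts are reviewed first: the flag permits a blank password
            # on them unless another policy or service setting refuses it.
            Priority       = $(if ($disabled) { 'low' } else { 'review' })
        }
    }
}

# Constructed sample records (not real accounts); 0x200 is UF_NORMAL_ACCOUNT.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-backup'; userAccountControl = 0x220 }    # flag set, enabled
    [pscustomobject]@{ SamAccountName = 'old-kiosk';  userAccountControl = 0x222 }    # flag set, disabled
    [pscustomobject]@{ SamAccountName = 'scanner01';  userAccountControl = 0x10220 }  # flag set, never expires
    [pscustomobject]@{ SamAccountName = 'jdoe';       userAccountControl = 0x200 }    # flag clear
)

$sample | Get-PasswdNotReqdFinding |
    Sort-Object Priority -Descending |
    Format-Table -AutoSize

# On a live domain with the ActiveDirectory module, the same bit can be matched
# server-side with the LDAP bitwise-AND matching rule (32 = 0x20):
# Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=32)' `
#     -Properties userAccountControl | Get-PasswdNotReqdFinding
```

A finding only means a blank password is permitted on the account, not that one is set; whether a logon without a password succeeds still depends on the policy and service settings described in the reply above.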
