Re: blank password in W2K Pro workstation even when policy set

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 11/17/05

• Next message: djtony: "Re: question about log on to a group of computer"
• Previous message: Steven L Umbach: "Re: Restrict both local machine accounts and domain accounts from login"
• Maybe in reply to: Steven L Umbach: "Re: blank password in W2K Pro workstation even when policy set"
• Next in thread: Steven L Umbach: "Re: blank password in W2K Pro workstation even when policy set"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 16 Nov 2005 20:23:19 -0500

Sounds like the accounts are created with UF_PASSWD_NOTREQD set on the user flags.

   joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
kasommer wrote:
> previously mis-posted to the VPC group......
> 
> I'm trying to work with some folks who are being required to lock down their
> Win2K workstations. The guidelines however were written as though the
> workstations were on a domain and not standalone.
> 
> The real kicker is that after setting local password policies such as min
> length, complexity etc, the local admin can create a new user account with a
> blank password via "Users and Passwords". And yes, "Require users to logon
> with a password" is checked.
> 
> I've been able to recreate this with a Virtual PC load Win2K SP3 and SP4.  
> With the local pocily set to a minimum length of 8 characters and copmlexity 
> rules turned on I'm able to create a user with a blank password.  
> 
> I didn't think that would be allowed by that policy.  Ideas???  Suggestions??
> 
> thanks,
> Kim
> 

• Next message: djtony: "Re: question about log on to a group of computer"
• Previous message: Steven L Umbach: "Re: Restrict both local machine accounts and domain accounts from login"
• Maybe in reply to: Steven L Umbach: "Re: blank password in W2K Pro workstation even when policy set"
• Next in thread: Steven L Umbach: "Re: blank password in W2K Pro workstation even when policy set"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: dsquery ... Joe Richards Microsoft MVP Windows Server Directory Services ... The functionality level raised OK, ... > there are accounts that haven't logged on in the last 4 weeks. ... (microsoft.public.windows.server.active_directory) Re: Password Synchronization ... Don't create any local accounts and don't give them administrator rights so they ... Joe Richards Microsoft MVP Windows Server Directory Services ... (microsoft.public.win2000.active_directory) Re: changing passwords ... Joe Richards Microsoft MVP Windows Server Directory Services ... Is there a way to scan a domain looking for these accounts being used on machines?" ... (microsoft.public.windows.server.active_directory) Re: User account attributes greyed out ... Joe Richards Microsoft MVP Windows Server Directory Services ... ACLs are> identical between older accounts and newly> created accounts. ... >>>>upgrade can be administered by Domain Admin accounts> ... However, newly>>>created domain admin accounts can administer newly>>>created user accounts, all attributes can be modified. ... (microsoft.public.win2000.active_directory) Re: Disabling and moving dead computers accounts ... Joe Richards Microsoft MVP Windows Server Directory Services ... accounts in to designated OU folder using DSquery, DSmod, DSmove.. ... Try to use OldCmd tool from Joe to generate report of such accounts and then combine this with some script or other tool to move accounts to proper OU. ... (microsoft.public.win2000.active_directory)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint