Re: blank password in W2K Pro workstation even when policy set
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 11/17/05
- Next message: Robert Bollinger: "Re: Windows logon process"
- Previous message: Jim Matthews: "Re: User bypasses security"
- Maybe in reply to: Steven L Umbach: "Re: blank password in W2K Pro workstation even when policy set"
- Next in thread: Steven L Umbach: "Re: blank password in W2K Pro workstation even when policy set"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 16 Nov 2005 22:33:02 -0600
I have never used Control Panel to add users, so I tried it and it works just
as you described - user account with no password. Even worse, the account is
not configured to require the user to change password at next logon, and the
user is added to the Power Users group. I was able to log on as the user with
a blank password. I also tried XP Pro. In XP Pro you can also create a user
with a blank password, but the account is configured to require the user to
change password at next logon. So I tried to log on as the user under XP Pro
and was immediately told I needed to change my password and it had to conform
to password policy. Also, by default XP Pro will not allow network access via
a user account with a blank password. So XP Pro is much more secure than
Windows 2000 with regard to creating user accounts that conform to
password policy. All I can suggest is that you try to configure Group Policy
to restrict access to the Control Panel as described in the link below or
have them upgrade to XP Pro, which would be the best option. --- Steve
"kasommer" <kasommer@discussions.microsoft.com> wrote in message
news:BA23A928-918F-4D43-AA75-27FB9D882BDB@microsoft.com...
>I did as you suggested. I still have the same failure.
>
> here's the result of net accounts on the machine I'm testing this on:
> ======
> C:\Documents and Settings\Administrator>net accounts
> Force user logoff how long after time expires?: Never
> Minimum password age (days): 0
> Maximum password age (days): 42
> Minimum password length: 8
> Length of password history maintained: None
> Lockout threshold: Never
> Lockout duration (minutes): 30
> Lockout observation window (minutes): 30
> Computer role: WORKSTATION
> The command completed successfully.
> =========
>
> my actions
> Open Control Panel
> Open Users and Passwords
> Click on Add...
> Add a user and leave nothing in the password field, accepting all defaults.
> User is created and can be logged on.
>
> If I go through Local Users and Groups then I have to make a password
> compliant with the rules.
>
> Weird. And the contractor is going to require a waiver on his NISPOM audit
> on this machine if we don't figure this out.
>
> thanks,
> Kim
>
> "Steven L Umbach" wrote:
>
>> I have heard about this behavior more than a few times so I just tested it
>> out on a W2K SP4 computer of mine. I was able to get password policy to work
>> and I specifically enabled password complexity and set the minimum password
>> length to seven characters. When I tried to add a user with a blank or less
>> than prescribed password I was not allowed to. What I did do is to run the
>> command secedit /refreshpolicy machine_policy /enforce to make sure that the
>> security policy was applied or a reboot should do the same thing. On your
>> computer run the command net accounts to see what it shows and also check
>> the password policy settings in Local Security policy to make sure that the
>> local setting and effective setting are the same which it should be after a
>> forced GP refresh or reboot. --- Steve
>
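
The check suggested in the thread, comparing what `net accounts` reports against the intended policy, as an added example that is not part of either poster's message. The baseline values and function names are assumptions. A clean result only shows the policy is in effect; as the Control Panel test above shows, it does not prove every account complies.

```python
# Added example: parse `net accounts` output and compare it to a baseline.
# Constructed sample: the output quoted in the thread above.
SAMPLE = """\
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 8
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.
"""

# Hypothetical baseline (assumption): use your own audit standard's values.
BASELINE = {
    "Minimum password length": ("min", 8),
    "Maximum password age (days)": ("max", 90),
    "Length of password history maintained": ("min", 1),
    "Lockout threshold": ("max", 5),
}
DISABLED = {"never", "none", "unlimited"}  # values meaning "control is off"

def parse_net_accounts(text):
    """Map each 'Setting: value' line to int, None (disabled) or str."""
    settings = {}
    for line in text.splitlines():
        # lstrip handles output pasted from a '>'-quoted mail reply
        key, sep, value = line.lstrip("> ").rpartition(":")
        value = value.strip()
        if not sep or not value:
            continue  # e.g. 'The command completed successfully.'
        if value.isdigit():
            settings[key.strip()] = int(value)
        elif value.lower() in DISABLED:
            settings[key.strip()] = None
        else:
            settings[key.strip()] = value
    return settings

def audit(settings, baseline=BASELINE):
    """Return one finding per baseline setting that is off, missing or weak."""
    findings = []
    for key, (kind, limit) in baseline.items():
        value = settings.get(key, "missing")
        if value is None:
            findings.append(f"{key}: not enforced")
        elif not isinstance(value, int):
            findings.append(f"{key}: {value}")
        elif (kind == "min" and value < limit) or (kind == "max" and value > limit):
            findings.append(f"{key}: {value} (baseline {kind} {limit})")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_net_accounts(SAMPLE)):
        print(finding)
```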