Yes, there is. The password policy is checked as soon as the password entered (using characters) is written into the directory, whether it is a new password or a changed password. If a password hash is written into the directory the system cannot check if the password that generated the hash meets the password policy or not.

Migration tools like ADMT and Quest DMW migrate passwords by migrating the hash and not the actual password. For those accounts that were migrated, the password policy comes into effect as soon as the user is forced to change the password, but until that time....

You mention Quest's migration tool. Are you saying the user was migrated from another forest/domain outside the existing forest and where it was created using ADUC?

Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: <see sender address>
________________________________
From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Wed 2006-09-06 16:38
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password.

The Default Domain Policy is set to a min password length of 6 characters.

The userAccountControl on the user is set to 512.

The Domain is at win2k3 DFL and FFL.

Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks
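An added example, not part of the original thread: an offline audit over exported account attributes that flags the two cases discussed above, an account with the PASSWD_NOTREQD bit set in userAccountControl and a migrated account whose password has not been re-entered since migration. The account records, the `migrated` field and the migration date are constructed, hypothetical inputs; the flag values and the pwdLastSet FILETIME encoding are the documented Active Directory ones.

```python
from datetime import datetime, timedelta, timezone

# Documented userAccountControl bits; 512 on its own is a plain NORMAL_ACCOUNT.
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD",
             0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def filetime_to_dt(ft):
    """pwdLastSet is 100-ns ticks since 1601-01-01 UTC; 0 = must change at next logon."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Inverse of filetime_to_dt, used here only to build the sample records."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def audit(accounts, migration_done):
    """Map sAMAccountName -> reasons the password may never have met policy."""
    findings = {}
    for acct in accounts:
        reasons = []
        if "PASSWD_NOTREQD" in decode_uac(acct["userAccountControl"]):
            reasons.append("PASSWD_NOTREQD set: blank password permitted")
        changed = filetime_to_dt(acct["pwdLastSet"])
        # A hash copied by a migration tool was never evaluated against policy;
        # only a password set after the migration has been checked.
        if acct["migrated"] and changed is not None and changed <= migration_done:
            reasons.append("hash migrated, password not re-entered since")
        if reasons:
            findings[acct["sAMAccountName"]] = reasons
    return findings

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data (hypothetical accounts and migration date).
MIGRATION_DONE = _utc(2006, 6, 1)
ACCOUNTS = [
    {"sAMAccountName": "user1", "userAccountControl": 512, "migrated": True,
     "pwdLastSet": dt_to_filetime(_utc(2006, 3, 15))},
    {"sAMAccountName": "user2", "userAccountControl": 512, "migrated": True,
     "pwdLastSet": dt_to_filetime(_utc(2006, 8, 1))},
    {"sAMAccountName": "user3", "userAccountControl": 544, "migrated": False,
     "pwdLastSet": dt_to_filetime(_utc(2006, 7, 1))},
    {"sAMAccountName": "user4", "userAccountControl": 512, "migrated": True,
     "pwdLastSet": 0},
]

if __name__ == "__main__":
    for name, reasons in audit(ACCOUNTS, MIGRATION_DONE).items():
        print(name, "->", "; ".join(reasons))
```

Accounts it flags are candidates for a forced password change at next logon, which is the point at which the policy is applied to them.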