I saw it this morning. Not sure if it was last night, today, yesterday...
curiuos thread though.  I suppose if Tom misinterpreted the uac flag meaning, it is also possible that he type-o'd the actuall value.
Tom, how about some more details?
What clued you into the user having a blank password?
What does the user say about it?  How long has it been this way? Was this user migrated (reference to the Quest tool)? How was the user account created (you said ADUC, but were you the one that created it?) How'd the user find out that the password was blank?
I think some history of the issue and how the user came to be configured this way is needed.
Also, what does the user community use to change passwords?  Any meta directories? Any password management solutions in place?

On 9/7/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:
Since the OP has said that the accounts' UAC flags are 512, not 544, the entire discussion around this is moot.
BTW, did anybody notice if my post about the 512/544 value hit the list yesterday? I don't remember seeing it and am wondering if I actually sent it. :-)

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: Thursday, September 07, 2006 7:36 AM

To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy.  Try it.  The other half of my post shows the error.  I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this.
p.s. your query, while illustrating the point, isn't really appropriate.  The following is how you should be looking for people with this bit set.
Remember, unless you've made it so, objectClass isn't indexed and although UAC is, this also applies to non-people objects, e.g. computers.
----- Original Message -----
Sent: Thursday, September 07, 2006 11:35 AM
Subject: RE: [ActiveDir] Strange password issue

UAC bitmask is 32. A normal user then gets UAC = 544.
Try doing a ldap query for (&(objectClas=user)(useraccountcontrol=544))
You could then modify the attribute to 512 on these users either with adsiedit or in a nice tool such as ADModify.net.
Note: if the option password not required is set. Then you can either have a blank password or comply with the password policy in defdom GPO.

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: den 6 september 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


Pressed send before I finished typing!  : (


Following on from the last mail…


You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back.  Perhaps someone did this?


If you test this, when you set the policy to zero it says no password required (in the Window).






From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue


>From what I recall, if the password is not required, then there's no need to check the minimum length.  Since it would be overridden at the user object level, that does not affect the domain.

I don't recall the UAC bitmask, and I'm not going to figure it out at the moment.  I'll take your word that the password not required is true for this user.

If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern < [EMAIL PROTECTED]> wrote:

This is a domain account.


To rehash-


The Default Domain Policy is set to min password length- 6 charcters.

This was created 2 years ago and never changed.

User account is a domain account created a month ago.

It was bought to my attention that the user can log in with no password.

I confirmed.

The userAccountControl attribute of the user object was set to 512(not that i'm certain if setting the passwd_notreqd overrides the DDP).

The domain/forest is at w2k3 FL.




On 9/6/06, Laura A. Robinson < [EMAIL PROTECTED] > wrote:

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?




From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern

Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue


If you mean before the policy was set up, then, no.

This policy has been in effect for a couple of years and the account was created a month ago..


Maybe the PC is not getting the Default Domain Policy?



On 9/6/06, Williams, Robert < [EMAIL PROTECTED] > wrote:



This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue


I'm having this weird  issue where I have a user account who is able to log in with a blank password.

The Default Domain Policy is set to a min password length of 6 characters.

The userAccountControl on the user is set to 512.


The Domain is at win2k3 DFL and FFL.


Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?



2006-09-06, 11:32:05
The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.



Reply via email to