Not really, as it's now 512 and can't get to that state without a password meeting complexity.
 
 
--Paul
----- Original Message -----
Sent: Friday, September 15, 2006 4:52 AM
Subject: RE: [ActiveDir] Strange password issue

I think you are missing 5.
 
5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account.
 
It's a feasible scenario, no?
 

Sincerely,
   _____                               
  (, /  |  /)               /)     /)  
    /---| (/_  ______   ___// _   //  _
 ) /    |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/                             /)     
                               (/      
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Thu 9/14/2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if you have an account that is created by default (i.e. no UAC specified), it will be 546. If you specify 544 it will still create and it will allow a blank password.
 
If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is
 
DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 0000052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
 
Which is
 
F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                    winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"
 
 
A blank password does not have a hash, the system knows it is blank.
 
You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd.
 
So current or past setting of UAC has no bearing on this problem.
 
 
 
This could occur in four ways that I can think of (in order of likelihood) and speak about
 
1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared
 
2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain
 
3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection.
 
4. The raw DIT was modified.
 
 
   joe
 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
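The following is an added example, not code from any of the list members or from AdMod. It models what joe describes above and what Paul's admod session further down shows: 546 = NORMAL_ACCOUNT + PASSWD_NOTREQD + ACCOUNTDISABLE, 544 = the same minus ACCOUNTDISABLE, and a change that leaves an account enabled without PASSWD_NOTREQD is refused (ERROR_PASSWORD_RESTRICTION, 0x52d) when the current password does not satisfy minPwdLength. The `enable_allowed` check is a deliberately simplified model of the DC's behaviour (an assumption; it covers only the length rule, not complexity or history), the sample records are constructed, and the LDAP filter uses the real LDAP_MATCHING_RULE_BIT_AND OID so an admin can list every account that still carries the PASSWD_NOTREQD bit.

```python
"""Decode userAccountControl (UAC) bits and audit PASSWD_NOTREQD accounts.

Added example for the ActiveDir thread on blank passwords; the sample
records below are constructed and do not come from any list post.
"""

# Well-known UAC bit values (ADS_USER_FLAG_ENUM / lmaccess.h).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020

# Matching rule OID that lets an LDAP filter AND a bitmask against an
# integer attribute server-side (LDAP_MATCHING_RULE_BIT_AND).
LDAP_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value: int) -> list:
    """Return the names of the bits set in a UAC value, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    known = 0
    for bit in UAC_FLAGS:
        known |= bit
    leftover = value & ~known
    if leftover:
        names.append("UNKNOWN(0x%x)" % leftover)
    return names


def pwd_notreqd_filter() -> str:
    """LDAP filter for user objects with PASSWD_NOTREQD set (enabled or not)."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(userAccountControl:%s:=%d))" % (LDAP_BIT_AND, PASSWD_NOTREQD))


def enable_allowed(uac_after: int, pwd_len: int, min_pwd_length: int) -> bool:
    """Simplified model (assumption) of the DC check joe describes.

    A write that leaves the account enabled and without PASSWD_NOTREQD is
    refused with ERROR_PASSWORD_RESTRICTION when the current password is
    shorter than minPwdLength. A blank password has length 0. Any state that
    is disabled, or that keeps PASSWD_NOTREQD, is accepted.
    """
    enabled = not (uac_after & ACCOUNTDISABLE)
    notreqd = bool(uac_after & PASSWD_NOTREQD)
    return not (enabled and not notreqd and pwd_len < min_pwd_length)


def audit_records(records: list) -> list:
    """Return sAMAccountNames that are enabled AND carry PASSWD_NOTREQD.

    These are the accounts (544-style) that can legitimately hold a blank
    password despite the domain policy and therefore deserve review.
    """
    flagged = []
    for rec in records:
        uac = rec["userAccountControl"]
        if not (uac & ACCOUNTDISABLE) and (uac & PASSWD_NOTREQD):
            flagged.append(rec["sAMAccountName"])
    return flagged


# Constructed sample records, mirroring the states discussed in the thread.
SAMPLE_RECORDS = [
    {"sAMAccountName": "fresh-default", "userAccountControl": 546},   # created, no UAC given
    {"sAMAccountName": "test-user",     "userAccountControl": 544},   # Paul's admod add
    {"sAMAccountName": "normal-user",   "userAccountControl": 512},   # normal, enabled
    {"sAMAccountName": "svc-noexpire",  "userAccountControl": 66080}, # 544 + DONT_EXPIRE_PASSWORD
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["sAMAccountName"], rec["userAccountControl"],
              decode_uac(rec["userAccountControl"]))
    print("review:", audit_records(SAMPLE_RECORDS))
    print("filter:", pwd_notreqd_filter())
    # Blank password, try to go to 512: refused, as in Paul's second admod call.
    print("544 -> 512 with blank pwd, minPwdLength 6:", enable_allowed(512, 0, 6))
```

The filter string is what you would hand to ldifde, adfind or `Get-ADUser -LDAPFilter`; since joe's point 2 is that one DC may have a different minPwdLength, run it (and a read of minPwdLength on the domain NC head) against each DC rather than just one.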
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

PWD_NOT_REQ is 32.

 

You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don’t set a password when you create an enabled user without a password), but you can’t set it back to 512 (normal) when it’s blank, like Al says:

 

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully


C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

 

 

--Paul

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

 

From what I recall, if the password is not required, then there's no need to check the minimum length.  Since it would be overridden at the user object level, that does not affect the domain.

I don't recall the UAC bitmask, and I'm not going to figure it out at the moment.  I'll take your word that the password not required is true for this user.

If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.


On 9/6/06, Tom Kern <[EMAIL PROTECTED]> wrote:

This is a domain account.

 

To rehash-

 

The Default Domain Policy is set to min password length- 6 characters.

This was created 2 years ago and never changed.

User account is a domain account created a month ago.

It was brought to my attention that the user can log in with no password.

I confirmed.

The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP).

The domain/forest is at w2k3 FL.

 

Thanks



 

On 9/6/06, Laura A. Robinson <mailto:[EMAIL PROTECTED]> wrote:

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

 

Laura

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern

Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

 

If you mean before the policy was set up, then, no.

This policy has been in effect for a couple of years and the account was created a month ago.

 

Maybe the PC is not getting the Default Domain Policy?

 



 

On 9/6/06, Williams, Robert <mailto:[EMAIL PROTECTED]> wrote:

Tom,

 

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

 

I'm having this weird issue where I have a user account who is able to log in with a blank password.

The Default Domain Policy is set to a min password length of 6 characters.

The userAccountControl on the user is set to 512.

 

The Domain is at win2k3 DFL and FFL.

 

Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

 

Thanks

2006-09-06, 11:32:05