Hi,
I realise that exploiting this issue would require domain admin rights, but it still seems unnecessarily insecure to me: Scenario: A Windows domain with an n day password expiration policy and Windows 2000 SP4 PCs with all the latest security patches. I know that a Windows user will have to change their password today, so I set AutoAdminLogon to 1 in their registry. When they switch off their PC and go home I am able to log on to their PC, using their account, but without requiring a password. Surely this can't be the way it's supposed to work?! I thought that the DefaultPassword registry entry had to contain the password for DefaultUserName before auto logon would work yet it seems to work if DefaultPassword is missing. Can anyone else confirm this behaviour or suggest what I may have done wrong? Cheers, Mike --------------------------------------------------------------------------- ---------------------------------------------------------------------------
