Re: [ActiveDir] Strange password issue
No worries. It's a big thread that has spawned several different threads of discussion.

--Paul

- Original Message -
From: Akomolafe, Deji
To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 5:32 PM
Subject: RE: [ActiveDir] Strange password issue

OK. The account under discussion is "512". Had to refresh my brains because I just took your 1-4 bullet points and said, uh-uh, there is a way to have an enabled password-less account. Granted it won't be "512" and will be useless, it is still enabled. Sorry, Paul.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
Re: [ActiveDir] Strange password issue
Not really, as it's now 512 and can't get to that state without a password meeting complexity.

--Paul

- Original Message -
From: Akomolafe, Deji
To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 4:52 AM
Subject: RE: [ActiveDir] Strange password issue

I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account. It's a feasible scenario, no?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
RE: [ActiveDir] Strange password issue
Paul, did you try this?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Paul Williams
Sent: Fri 9/15/2006 12:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

Not really, as it's now 512 and can't get to that state without a password meeting complexity.

--Paul

- Original Message -
From: Akomolafe, Deji
To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 4:52 AM
Subject: RE: [ActiveDir] Strange password issue

I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account. It's a feasible scenario, no?

Sincerely,
RE: [ActiveDir] Strange password issue
The account is currently 512... You can't get there with a blank password without 1-4.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, September 14, 2006 11:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account. It's a feasible scenario, no?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
RE: [ActiveDir] Strange password issue
Hell I posted it in the post I wrote Deji, take a peek...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, September 15, 2006 10:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Paul, did you try this?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
RE: [ActiveDir] Strange password issue
OK. The account under discussion is "512". Had to refresh my brains because I just took your 1-4 bullet points and said, uh-uh, there is a way to have an enabled password-less account. Granted it won't be "512" and will be useless, it is still enabled. Sorry, Paul.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: joe
Sent: Fri 9/15/2006 7:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The account is currently 512... You can't get there with a blank password without 1-4.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] Strange password issue
The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if you have an account that is created which by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password. If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy.

The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                     winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"

A blank password does not have a hash, the system knows it is blank.

You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd. So current or past setting of UAC has no bearing on this problem.

This could occur in four ways that I can think of (in order of likelihood) and speak about

1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared
2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain
3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection.
4. The raw DIT was modified.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

PWD_NOT_REQ is 32. You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform
ERROR: Too many errors encountered, terminating...

The command did not complete successfully

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user.

If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:

This is a domain account. To rehash- The Default Domain Policy is set to min password length- 6 characters. This was created 2 years ago and never changed. User account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account
RE: [ActiveDir] Strange password issue
I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account. It's a feasible scenario, no?

Sincerely,

Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: joe
Sent: Thu 9/14/2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if you have an account that is created which by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password. If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                    winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"

A blank password does not have a hash, the system knows it is blank. You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd. So current or past setting of UAC has no bearing on this problem. This could occur in four ways that I can think of (in order of likelihood) and speak about:

1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared
2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain
3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection.
4. The raw DIT was modified.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

PWD_NOT_REQ is 32. You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform
ERROR: Too many errors encountered, terminating...

The command did not complete successfully

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:

This is a domain account. To rehash: the Default Domain Policy is set to min password length 6 characters. This was created 2 years ago and never changed. User account is a domain account created a month ago. It was bought to my a
Re: [ActiveDir] Strange password issue
Have you actually seen this behaviour? As it was my understanding that this particular policy is processed by SCE outside of normal policy application (by the PDCe - I can't remember how often, 60 minutes comes to mind but I don't know why).

I've tried to document this here:
-- http://www.msresource.net/content/view/36/46/

--Paul

----- Original Message -----
From: Passo, Larry
To: ActiveDir@mail.activedir.org
Sent: Sunday, September 10, 2006 3:19 AM
Subject: RE: [ActiveDir] Strange password issue

If the Domain Controllers OU is set to block GPO inheritance, and the domain GPO that sets the password policy isn't set for No Override, then the domain policies might not get set properly.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 08, 2006 1:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

err, actually the password policy is stored in the machine portion of the GPO and thus applies to all machines and therefore all local user objects too.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 06 September 2006 17:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:

Tom,

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The Domain is at win2k3 DFL and FFL. Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks

2006-09-06, 11:32:05

The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1
Re: [ActiveDir] Strange password issue
My understanding was that the Password Policies are applied similarly to any other Group Policy. I do recall doing some testing some time ago where by using various security filtering on Group Policies I was able to set up two DCs with two different effective policies and so two different values for Password length.

The thing to remember is that domain password changes etc. are processed by a domain controller. You therefore need to check whether the Password policy is being applied to all of the domain controllers. As Larry said, if there is blocking on the OU for Domain Controllers and the Default Domain Policy does not have "No Override" then the DC will not get the policy. Similarly, it is possible that security filtering has been applied to the Default Domain Policy that stops it from getting applied etc. However these things would be "permanent" so you would still have a DC with the Policy not applied.

However, my guess is that something was wrong a month ago on a Domain Controller which processed the Password reset. It is possible that it is still a problem (i.e. if blocking was the culprit), but it is more likely to have cleared up. Is it possible that there was a DC added briefly at the time that was not processing Policies for some reason? Is it feasible to check all of the event logs on all DCs at the time the password was created? It may show Group Policy Processing errors at the time.

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter (Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

----- Original Message -----
From: Paul Williams
To: ActiveDir@mail.activedir.org
Sent: Monday, September 11, 2006 7:06 PM
Subject: Re: [ActiveDir] Strange password issue

Have you actually seen this behaviour? As it was my understanding that this particular policy is processed by SCE outside of normal policy application (by the PDCe - I can't remember how often, 60 minutes comes to mind but I don't know why).

I've tried to document this here:
-- http://www.msresource.net/content/view/36/46/

--Paul

----- Original Message -----
From: Passo, Larry
To: ActiveDir@mail.activedir.org
Sent: Sunday, September 10, 2006 3:19 AM
Subject: RE: [ActiveDir] Strange password issue

If the Domain Controllers OU is set to block GPO inheritance, and the domain GPO that sets the password policy isn't set for No Override, then the domain policies might not get set properly.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 08, 2006 1:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

err, actually the password policy is stored in the machine portion of the GPO and thus applies to all machines and therefore all local user objects too.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 06 September 2006 17:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:

Tom,

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue
Re: [ActiveDir] Strange password issue
Can you re-enable the source and see if it allows you to logon with the blank password? Based on the description, I doubt it, but it would be interesting to see.

Since the user logged on with the old password for a month prior to having this happen, then something else outside the process(?) occurred that caused the blank password. In line with the rest of the questions to date, what was the last modification date of the domain password policy?

I realize there's a lot of speculation that could go on. But I am curious how the user's password got set to be nothing - especially since it was after the migration had already set it properly. What other processes can touch and modify the user objects? Any IdM products in use?

Have you confirmed that the password is blank personally? Or was that done via some other team member?

Al

On 9/7/06, Tom Kern [EMAIL PROTECTED] wrote:

Sorry, I was distracted by other stuff here.

We are in a migration state with 2 Forests. Source forest is win2k native and target forest is win2k3 FFL/DFL. Both Forests have same password policy. Using Quest AD Migration Manager. The user was created in the source and then migrated about a month ago.

The way this was discovered was, the user's password no longer worked and user claimed to be able to log on with no password (confirmed by help desk staff). Apparently, according to the user and help desk, he was able to log in with his old password for a month until last week when the system would no longer accept his password and then he tried the null password route and it worked. Then, I tried logging in as that user with a null password and confirmed it.

When I said UAC was 512, I meant just that - the user was a normal enabled user without the password_notreqd bit set.

When I looked in the history in the Quest console, I saw the user was migrated with copy password set to true.

A separate provisioning group creates users. They have been delegated that right through AD. We only have 2 EA/DAs here and I'm one of them. I delegated the Quest util to allow this same group to migrate users. Once migrated, the user can no longer log into the source forest.

We have no other directory servers. At the moment, users can only change their passwords when they expire and Windows prompts them. The Change Password button on the GINA has been disabled via GPO.

This probably sounds more convoluted than it is, so I apologize and we can just drop this thread if you feel there are way too many unknown variables.

Thanks for all your help and interest, guys.

On 9/7/06, Al Mulnick [EMAIL PROTECTED] wrote:

I saw it this morning. Not sure if it was last night, today, yesterday... curious thread though.

I suppose if Tom misinterpreted the uac flag meaning, it is also possible that he typo'd the actual value.

Tom, how about some more details? What clued you into the user having a blank password? What does the user say about it? How long has it been this way? Was this user migrated (reference to the Quest tool)? How was the user account created (you said ADUC, but were you the one that created it?) How'd the user find out that the password was blank?

I think some history of the issue and how the user came to be configured this way is needed. Also, what does the user community use to change passwords? Any meta directories? Any password management solutions in place?

Al

On 9/7/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

Since the OP has said that the account's UAC flags are 512, not 544, the entire discussion around this is moot.

BTW, did anybody notice if my post about the 512/544 value hit the list yesterday? I don't remember seeing it and am wondering if I actually sent it. :-)

Thanks,

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: Thursday, September 07, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this.

p.s. your query, while illustrating the point, isn't really appropriate. The following is how you should be looking for people with this bit set (the leading "&" is the AND that joins the three clauses):

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))

Remember, unless you've made it so, objectClass isn't indexed and although UAC is, this also applies to non-people objects, e.g. computers.

--Paul

----- Original Message -----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 07, 2006 11:35 AM
Subject: RE: [ActiveDir] Strange password issue

UAC bitmask is 32. A normal user then gets UAC = 544. Try doing a ldap query for ((objectClas
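A defender's check that puts two points from this thread together: joe's item 2 (compare minPwdLength on the domain NC head as each DC sees it) and Paul's filter for accounts carrying the PASSWD_NOTREQD bit, which are the only accounts that can legitimately hold a blank password. This is an added example, not code posted by anyone in the thread; it assumes the RSAT ActiveDirectory PowerShell module on a domain-joined host, and the userAccountControl bit values (2 = ACCOUNTDISABLE, 32 = PASSWD_NOTREQD, 512 = NORMAL_ACCOUNT) are the ones discussed above.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl bits as discussed in the thread:
#   512 = NORMAL_ACCOUNT, 32 = PASSWD_NOTREQD (544 = normal + no password required),
#   2   = ACCOUNTDISABLE (546 = disabled + no password required, the default for a new object).
$ACCOUNTDISABLE = 0x0002
$PASSWD_NOTREQD = 0x0020
$NORMAL_ACCOUNT = 0x0200

function Get-DcMinPwdLength {
    # joe's item 2: read minPwdLength from the domain NC head on every DC.
    # The PDCe writes these values; a DC whose copy disagrees is the one to look at.
    $domainDn = (Get-ADDomain).DistinguishedName
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $head = Get-ADObject -Identity $domainDn -Server $dc.HostName `
                                 -Properties minPwdLength, pwdProperties
            [pscustomobject]@{
                DC           = $dc.HostName
                MinPwdLength = [int]$head.minPwdLength
                PwdProps     = [int]$head.pwdProperties   # bit 1 = complexity required
                Error        = $null
            }
        } catch {
            # A DC that cannot be reached is still worth reporting, not silently skipping.
            [pscustomobject]@{ DC = $dc.HostName; MinPwdLength = $null; PwdProps = $null
                               Error = $_.Exception.Message }
        }
    }
}

function Get-PasswdNotReqdUsers {
    # Paul's filter: person + user objects with the PASSWD_NOTREQD bit set.
    # The 1.2.840.113556.1.4.803 matching rule tests the bit, not the whole UAC value,
    # so 544, 546 and any other combination that includes 32 all match.
    $filter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))'
    Get-ADUser -LDAPFilter $filter -Properties userAccountControl, pwdLastSet, whenCreated |
        ForEach-Object {
            $uac = [int]$_.userAccountControl
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                UAC            = $uac
                Enabled        = -not ($uac -band $ACCOUNTDISABLE)
                NormalAccount  = [bool]($uac -band $NORMAL_ACCOUNT)
                PwdLastSet     = [DateTime]::FromFileTimeUtc([int64]$_.pwdLastSet)
                WhenCreated    = $_.whenCreated
            }
        }
}

# 1. Does every DC agree on the effective minimum password length?
$lengths = Get-DcMinPwdLength
$lengths | Format-Table -AutoSize
$distinct = @($lengths | Where-Object { $null -ne $_.MinPwdLength } |
              Select-Object -ExpandProperty MinPwdLength -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "DCs disagree on minPwdLength: $($distinct -join ', ') - check GPO inheritance/filtering on the Domain Controllers OU"
}

# 2. Which enabled accounts are exempt from the length check right now?
Get-PasswdNotReqdUsers | Where-Object Enabled | Sort-Object SamAccountName | Format-Table -AutoSize
```

An enabled account that shows up in the second list with a recent pwdLastSet and whenCreated is the 546-to-544 scenario Deji describes; an account at 512 that still logs on blank is outside what this script can see and points at joe's items 1 to 4.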
Re: [ActiveDir] Strange password issue
The only way that I'm aware of where you can have different lengths (without your own filters, etc.) is if you deny the domain controllers from reading the necessary attributes on the NC head. By doing this, and then having multiple policies, I believe you can achieve what you are talking about. I've not tested this - I'm basing this on a conversation I had with someone who has tested this (Mr. Wells) - although we had had a lot to drink at the time, and I might have got things muddled up (very possible). Under those circumstances, I assume the values defined in the GPO work.

It seems to be that the DCs favour the values on the NC head. The values on the NC head are written by the PDCe - that reads the domain policies and applies the values to the domain. I haven't got round to getting my source access sorted yet, so can't verify. Hopefully someone with access to the code can chip in here.

I'm not disputing what you're saying re. blocking. That will probably stop the PDCe applying this. However, I don't think the other DCs process this in the same way. Unless there's a fall back, and you're achieving that via specific filtering, e.g. DC computer objects or custom groups, i.e. some DCs getting one, and others getting another...

Interesting. I'll have to try and repro (which is going to take some time with the current work load).

--Paul

----- Original Message -----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, September 11, 2006 3:02 PM
Subject: Re: [ActiveDir] Strange password issue

My understanding was that the Password Policies are applied similarly to any other Group Policy. I do recall doing some testing some time ago where by using various security filtering on Group Policies I was able to set up two DCs with two different effective policies and so two different values for Password length.

The thing to remember is that domain password changes etc. are processed by a domain controller. You therefore need to check whether the Password policy is being applied to all of the domain controllers. As Larry said, if there is blocking on the OU for Domain Controllers and the Default Domain Policy does not have "No Override" then the DC will not get the policy. Similarly, it is possible that security filtering has been applied to the Default Domain Policy that stops it from getting applied etc. However these things would be "permanent" so you would still have a DC with the Policy not applied.

However, my guess is that something was wrong a month ago on a Domain Controller which processed the Password reset. It is possible that it is still a problem (i.e. if blocking was the culprit), but it is more likely to have cleared up. Is it possible that there was a DC added briefly at the time that was not processing Policies for some reason? Is it feasible to check all of the event logs on all DCs at the time the password was created? It may show Group Policy Processing errors at the time.

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter (Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

----- Original Message -----
From: Paul Williams
To: ActiveDir@mail.activedir.org
Sent: Monday, September 11, 2006 7:06 PM
Subject: Re: [ActiveDir] Strange password issue

Have you actually seen this behaviour? As it was my understanding that this particular policy is processed by SCE outside of normal policy application (by the PDCe - I can't remember how often, 60 minutes comes to mind but I don't know why).

I've tried to document this here:
-- http://www.msresource.net/content/view/36/46/

--Paul

----- Original Message -----
From: Passo, Larry
To: ActiveDir@mail.activedir.org
Sent: Sunday, September 10, 2006 3:19 AM
Subject: RE: [ActiveDir] Strange password issue

If the Domain Controllers OU is set to block GPO inheritance, and the domain GPO that sets the password policy isn't set for No Override, then the domain policies might not get set properly.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 08, 2006 1:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

err, actually the password policy is stored in the machine portion of the GPO and thus applies to all machines and therefore all local user objects too.

neil

From: [EMAIL PROTECTED] [mai
RE: [ActiveDir] Strange password issue
If the Domain Controllers OU is set to block GPO inheritance, and the domain GPO that sets the password policy isn't set for No Override, then the domain policies might not get set properly.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 08, 2006 1:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

err, actually the password policy is stored in the machine portion of the GPO and thus applies to all machines and therefore all local user objects too.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 06 September 2006 17:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:

Tom,

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The Domain is at win2k3 DFL and FFL. Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks
RE: [ActiveDir] Strange password issue
> If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts.

Maybe I misunderstand what you're saying, but this is not my experience. More than once I've yanked a workstation from the domain and tried to apply a less restricted password to a local account, and I couldn't -- the domain policy persisted tyrannically.

From: Laura A. Robinson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 06, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:

Tom,

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The Domain is at win2k3 DFL and FFL. Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks
Re: [ActiveDir] Strange password issue
> Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Any password policy, regardless as to where it is linked in the domain, will apply to any and all computer accounts within scope. The domain password policy applies to all computer objects in the domain (within scope, i.e. not filtered).

The only thing that is special about the domain password policy (a GPO with account policy configured and linked to the domainDNS object) is that the PDCe applies the values set therein to the necessary attributes re. pwd policy on the domain NC head - which is why you have to link your GPO with the settings you want to the domain and can't link it to the DCs' OU - which is where the DCs read that info. from.

--Paul

From: Laura A. Robinson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 06, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:

Tom,

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The Domain is at win2k3 DFL and FFL. Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Strange password issue
But it's possible that someone changed this policy, created the account, and changed it back. I've done this myself (several times for service accounts, to avoid [HP] protect tool's obfuscation process). It might not even have been intentional. One admin could have messed with the policy and several minutes later (that's all it's going to take if you're in the same site as the PDCe) another admin created the user.

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue
RE: [ActiveDir] Strange password issue
Err, actually the password policy is stored in the machine portion of the GPO and thus applies to all machines, and therefore to all local user objects too.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: 06 September 2006 17:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
RE: [ActiveDir] Strange password issue
UAC bitmask is 32. A normal user then gets UAC = 544. Try doing an LDAP query for

(&(objectClass=user)(userAccountControl=544))

You could then modify the attribute to 512 on these users, either with ADSI Edit or in a nice tool such as ADModify.net. Note: if the option "password not required" is set, then you can either have a blank password or comply with the password policy in the defdom GPO.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: 6 September 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Pressed send before I finished typing! :( Following on from the last mail: you can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this? If you test this, when you set the policy to zero it says "no password required" (in the window).

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that "password not required" is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:

This is a domain account. To rehash: the Default Domain Policy is set to a min password length of 6 characters. This was created 2 years ago and never changed. The user account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain whether setting passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL.

Thanks
Re: [ActiveDir] Strange password issue
But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSI Edit gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this.

p.s. Your query, while illustrating the point, isn't really appropriate. The following is how you should be looking for people with this bit set:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))

Remember, unless you've made it so, objectClass isn't indexed, and although UAC is, this also applies to non-people objects, e.g. computers.

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 07, 2006 11:35 AM
Subject: RE: [ActiveDir] Strange password issue
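As an added example (not code from anyone in the thread), the following Python decodes userAccountControl values and evaluates both filters discussed above, the exact match on 544 and the bitwise match on bit 32 with the 1.2.840.113556.1.4.803 matching rule, over a constructed set of directory entries. It shows why the exact match misses 546 and 66080, why the objectCategory clause keeps computer accounts out, and which of the hits are the dangerous ones (bit 32 set on an enabled account). The entry names, the simplified objectCategory values and the sample UAC values are constructed for the example; the flag bits are Microsoft's documented ADS_USER_FLAG constants.

```python
"""Added example (not from the thread): decode userAccountControl (UAC) and
compare the exact-match filter (userAccountControl=544) with the bitwise
filter (userAccountControl:1.2.840.113556.1.4.803:=32) over constructed
directory entries. Runs offline; no LDAP server involved."""

# Flag bits from Microsoft's documented ADS_USER_FLAG enumeration.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
}
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible-match rule that AD supports.
BIT_AND_OID = "1.2.840.113556.1.4.803"


def decode_uac(value: int) -> list:
    """Names of the flags set in a UAC value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def pwd_not_reqd_filter(people_only: bool = True) -> str:
    """The bitwise filter; people_only adds the objectCategory clause that keeps computers out."""
    category = "(objectCategory=person)" if people_only else ""
    return (f"(&{category}(objectClass=user)"
            f"(userAccountControl:{BIT_AND_OID}:={PASSWD_NOTREQD}))")


# Constructed entries standing in for search results. objectCategory is
# simplified to its lDAPDisplayName (AD itself stores the schema object's DN).
def _entry(name, category, classes, uac):
    return {"name": name, "objectCategory": category,
            "objectClass": classes, "userAccountControl": uac}


USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = [
    _entry("alice", "person", USER_CLASSES, 512),                     # normal, enabled
    _entry("svc1", "person", USER_CLASSES, 544),                      # 512 + PASSWD_NOTREQD
    _entry("svc2", "person", USER_CLASSES, 546),                      # 544 + ACCOUNTDISABLE
    _entry("svc3", "person", USER_CLASSES, 66080),                    # 544 + DONT_EXPIRE_PASSWD
    _entry("WS01$", "computer", USER_CLASSES + ["computer"], 4128),   # 4096 + PASSWD_NOTREQD
]


def find_exact_544(entries) -> list:
    """(&(objectClass=user)(userAccountControl=544)): only that one exact value matches."""
    return [e["name"] for e in entries
            if "user" in e["objectClass"] and e["userAccountControl"] == 544]


def find_pwd_not_reqd(entries, people_only: bool = True) -> list:
    """Evaluate the bitwise filter locally: bit 32 set, whatever else is set."""
    out = []
    for e in entries:
        if people_only and e["objectCategory"] != "person":
            continue
        if "user" in e["objectClass"] and e["userAccountControl"] & PASSWD_NOTREQD:
            out.append(e["name"])
    return out


def enabled_with_pwd_not_reqd(entries) -> list:
    """The risky subset: PASSWD_NOTREQD set and ACCOUNTDISABLE clear."""
    return [e["name"] for e in entries
            if e["userAccountControl"] & PASSWD_NOTREQD
            and not e["userAccountControl"] & ACCOUNTDISABLE]


if __name__ == "__main__":
    for uac in (512, 544, 546, 66080, 4128):
        print(uac, decode_uac(uac))
    print(pwd_not_reqd_filter())
    print("exact 544:", find_exact_544(SAMPLE_ENTRIES))
    print("bit 32, all classes:", find_pwd_not_reqd(SAMPLE_ENTRIES, people_only=False))
    print("bit 32, people only:", find_pwd_not_reqd(SAMPLE_ENTRIES))
    print("enabled + password not required:", enabled_with_pwd_not_reqd(SAMPLE_ENTRIES))
```

Against a real directory the same filter string goes into any LDAP client; the point of evaluating it locally is to see that an exact value such as 544 is one combination out of many, while the bitwise rule finds the bit regardless of the other flags.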
RE: [ActiveDir] Strange password issue
Yes, there is. The password policy is checked as soon as the password entered (using characters) is written into the directory, whether it is a new password or a changed password. If a password hash is written into the directory, the system cannot check whether the password that generated the hash meets the password policy or not. Migration tools like ADMT and Quest DMW migrate passwords by migrating the hash and not the actual password. For those accounts that were migrated, the password policy comes into effect as soon as the user is forced to change the password, but until that time

You mention Quest's migration tool. Are you saying the user was migrated from another forest/domain outside the existing forest, or was it created using ADUC?

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Wed 2006-09-06 16:38
To: activedirectory
Subject: [ActiveDir] Strange password issue

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
Re: [ActiveDir] Strange password issue
This brings up a very good point: HOW is it checking the password length? As we pointed out earlier, once the hash is created there should not be a way to easily check the password length.

Andrew Fidel

"Paul Williams" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/07/2006 07:35 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue
Re: [ActiveDir] Strange password issue
Does it have a hash though? There's no password. It's null. I don't know the answer to that. It could, I suppose, pad it out, but... who knows?

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Sent: Thursday, September 07, 2006 3:10 PM
Subject: Re: [ActiveDir] Strange password issue
RE: [ActiveDir] Strange password issue
Since the OP has said that the account's UAC flags are 512, not 544, the entire discussion around this is moot.

BTW, did anybody notice if my post about the 512/544 value hit the list yesterday? I don't remember seeing it and am wondering if I actually sent it. :-)

Thanks,
Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: Thursday, September 07, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue
RE: [ActiveDir] Strange password issue
Yep, your e-mail definitely hit the list.

"I'm confused as to why the 512 UAC flag is making anybody think that passwd_notreqd is set. A setting of 512 indicates a normal account. 544 would indicate a normal account with passwd_notreqd set. Laura"

If that is the e-mail you are talking about.

~Ben

From: Laura A. Robinson, Sent: Thursday, September 07, 2006 8:56 AM, To: ActiveDir@mail.activedir.org, Subject: RE: [ActiveDir] Strange password issue

Since the OP has said that the accounts' UAC flags are 512, not 544, the entire discussion around this is moot. BTW, did anybody notice if my post about the 512/544 value hit the list yesterday? I don't remember seeing it and am wondering if I actually sent it. :-) Thanks, Laura

From: Paul Williams, Sent: Thursday, September 07, 2006 7:36 AM, To: ActiveDir@mail.activedir.org, Subject: Re: [ActiveDir] Strange password issue

But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this.

p.s. your query, while illustrating the point, isn't really appropriate. The following is how you should be looking for people with this bit set.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))

Remember, unless you've made it so, objectClass isn't indexed and although UAC is, this also applies to non-people objects, e.g. computers. --Paul

- Original Message - From: [EMAIL PROTECTED], To: ActiveDir@mail.activedir.org, Sent: Thursday, September 07, 2006 11:35 AM, Subject: RE: [ActiveDir] Strange password issue

UAC bitmask is 32. A normal user then gets UAC = 544. Try doing an LDAP query for (&(objectClass=user)(userAccountControl=544)). You could then modify the attribute to 512 on these users either with adsiedit or in a nice tool such as ADModify.net. Note: if the option "password not required" is set, then you can either have a blank password or comply with the password policy in the defdom GPO.

From: Paul Williams, Sent: 6 September 2006 21:35, To: ActiveDir@mail.activedir.org, Subject: RE: [ActiveDir] Strange password issue

Pressed send before I finished typing! :( Following on from the last mail: you can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this? If you test this, when you set the policy to zero it says no password required (in the window). --Paul

From: Al Mulnick, Sent: 06 September 2006 19:28, To: ActiveDir@mail.activedir.org, Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote: This is a domain account. To rehash: the Default Domain Policy is set to a min password length of 6 characters. This was created 2 years ago and never changed. The user account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL. Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote: Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account? Laura

From: Tom Kern, Sent: Wednesday, September 06, 2006 11:44 AM, To: ActiveDir@mail.activedir.org, Subject: Re: [ActiveDir] Strange password issue: If you mean before the policy was set up
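The bit-mask point made in Paul's reply above (an equality filter on userAccountControl=544 only finds accounts whose value is exactly 544, while the 1.2.840.113556.1.4.803 bitwise-AND rule finds every object with bit 32 set, including computer accounts unless you scope on objectCategory) is worth seeing run. The following is an added example, written for this page and not code from the thread or from any of the posters; the sample entries are constructed test data, not real directory objects, and objectCategory is written in its short lDAPDisplayName form rather than the full schema DN.

```python
# Added example (not from the mailing-list thread): decode userAccountControl
# values and compare the equality filter with the bitwise-AND filter, evaluated
# locally over constructed sample entries.

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Subset of userAccountControl bits, from the ADS_USER_FLAG enumeration.
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00400000: "DONT_REQ_PREAUTH",
}
PASSWD_NOTREQD = 0x20


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def passwd_notreqd_filter():
    """The filter recommended in the thread: bitwise AND on bit 32, scoped to
    person/user objects so computer accounts (also objectClass=user) drop out."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={PASSWD_NOTREQD}))")


USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

# Constructed sample entries (hypothetical accounts, not from any real domain).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "objectCategory": "person",
     "objectClass": USER_CLASSES, "userAccountControl": 512},    # normal account
    {"sAMAccountName": "bob", "objectCategory": "person",
     "objectClass": USER_CLASSES, "userAccountControl": 544},    # 512 + PASSWD_NOTREQD
    {"sAMAccountName": "carol", "objectCategory": "person",
     "objectClass": USER_CLASSES, "userAccountControl": 546},    # 544 + ACCOUNTDISABLE
    {"sAMAccountName": "dave", "objectCategory": "person",
     "objectClass": USER_CLASSES, "userAccountControl": 66080},  # 544 + DONT_EXPIRE_PASSWORD
    {"sAMAccountName": "ws01$", "objectCategory": "computer",
     "objectClass": USER_CLASSES + ["computer"],
     "userAccountControl": 4128},   # WORKSTATION_TRUST_ACCOUNT + PASSWD_NOTREQD
]


def uac_equals(entries, value):
    """What (&(objectClass=user)(userAccountControl=value)) returns: exact matches only."""
    return [e["sAMAccountName"] for e in entries
            if "user" in e["objectClass"] and e["userAccountControl"] == value]


def passwd_notreqd(entries, persons_only=True):
    """What the bitwise-AND filter returns: any entry with bit 32 set, whatever
    other bits are set. persons_only mirrors the (objectCategory=person) clause."""
    out = []
    for e in entries:
        if "user" not in e["objectClass"]:
            continue
        if persons_only and e["objectCategory"] != "person":
            continue
        if e["userAccountControl"] & PASSWD_NOTREQD:
            out.append(e["sAMAccountName"])
    return out


if __name__ == "__main__":
    for v in (512, 544, 546, 66080):
        print(v, decode_uac(v))
    print("filter:", passwd_notreqd_filter())
    print("userAccountControl=544    ->", uac_equals(SAMPLE_ENTRIES, 544))
    print("bit 32 set, persons only  ->", passwd_notreqd(SAMPLE_ENTRIES))
    print("bit 32 set, any user obj  ->", passwd_notreqd(SAMPLE_ENTRIES, persons_only=False))
```

The equality query returns only bob; carol (disabled) and dave (password never expires) both carry PASSWD_NOTREQD but have different totals, and the bitwise filter is what catches them. Dropping the objectCategory clause additionally pulls in the computer account, which is the point about non-people objects. Against a live domain the same filter string goes into adfind, ldifde or Get-ADUser -LDAPFilter.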
Re: [ActiveDir] Strange password issue
Yeah, I think I saw your post last night. Mail was taking 70 minutes to come through last night.

It's not really academic or obsolete, as this proves that it couldn't have been 544 and set back to 512. Which means that it is more than likely the password, or lack of, was set when the policy wasn't in place.

--Paul

- Original Message - From: Laura A. Robinson, To: ActiveDir@mail.activedir.org, Sent: Thursday, September 07, 2006 4:56 PM, Subject: RE: [ActiveDir] Strange password issue
Re: [ActiveDir] Strange password issue
I saw it this morning. Not sure if it was last night, today, yesterday... curious thread though.

I suppose if Tom misinterpreted the uac flag meaning, it is also possible that he typo'd the actual value.

Tom, how about some more details? What clued you into the user having a blank password? What does the user say about it? How long has it been this way? Was this user migrated (reference to the Quest tool)? How was the user account created (you said ADUC, but were you the one that created it?) How'd the user find out that the password was blank? I think some history of the issue and how the user came to be configured this way is needed.

Also, what does the user community use to change passwords? Any meta directories? Any password management solutions in place?

Al

On 9/7/06, Laura A. Robinson [EMAIL PROTECTED] wrote: Since the OP has said that the accounts' UAC flags are 512, not 544, the entire discussion around this is moot.
Re: [ActiveDir] Strange password issue
Sorry, I was distracted by other stuff here.

We are in a migration state with 2 Forests. Source forest is win2k native and target forest is win2k3 FFL/DFL. Both Forests have the same password policy. Using Quest AD Migration Manager. The user was created in the source and then migrated about a month ago.

The way this was discovered was, the user's password no longer worked and the user claimed to be able to log on with no password (confirmed by help desk staff). Apparently, according to the user and help desk, he was able to log in with his old password for a month until last week when the system would no longer accept his password and then he tried the null password route and it worked. Then, I tried logging in as that user with a null password and confirmed it.

When I said UAC was 512, I meant just that: the user was a normal enabled user without the password_notreqd bit set.

When I looked in the history in the Quest console, I saw the user was migrated with copy password set to true.

A separate provisioning group creates users. They have been delegated that right through AD. We only have 2 EA/DAs here and I'm one of them. I delegated the Quest util to allow this same group to migrate users. Once migrated, the user can no longer log into the source forest.

We have no other directory servers. At the moment, users can only change their passwords when they expire and Windows prompts them. The Change Password button on the GINA has been disabled via GPO.

This probably sounds more convoluted than it is, so I apologize and we can just drop this thread if you feel there are way too many unknown variables. Thanks for all your help and interest, guys.

On 9/7/06, Al Mulnick [EMAIL PROTECTED] wrote: Tom, how about some more details?
RE: [ActiveDir] Strange password issue
Tom, This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: Tom Kern, Sent: Wednesday, September 06, 2006 9:39 AM, To: activedirectory, Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The Domain is at win2k3 DFL and FFL. Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords? Thanks

2006-09-06, 11:32:05 The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.
RE: [ActiveDir] Strange password issue
The password might have been set blank before the password policy was set.

William

This communication (including any attachments) contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please do not distribute, copy or use this communication or the information. Instead, if you have received this communication in error, please notify the sender immediately and then destroy any copies of it. Due to the nature of the Internet, the sender is unable to ensure the integrity of this message and does not accept any liability or responsibility for any errors or omissions (whether as the result of this message having been intercepted or otherwise) in the contents of this message. Any views expressed in this communication are those of the individual sender, except where the sender specifically states them to be the views of the company.
Re: [ActiveDir] Strange password issue
If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote: Tom, This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?
RE: [ActiveDir] Strange password issue
Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: Tom Kern, Sent: Wednesday, September 06, 2006 11:44 AM, To: ActiveDir@mail.activedir.org, Subject: Re: [ActiveDir] Strange password issue: Maybe the PC is not getting the Default Domain Policy?
Re: [ActiveDir] Strange password issue
This is a domain account.

To rehash: the Default Domain Policy is set to a min password length of 6 characters. This was created 2 years ago and never changed. The user account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote: Is this a local account or a domain account?
RE: [ActiveDir] Strange password issue
How was the account created?

Thanks, Laura

From: Tom Kern, Sent: Wednesday, September 06, 2006 1:10 PM, To: ActiveDir@mail.activedir.org, Subject: Re: [ActiveDir] Strange password issue: This is a domain account.
RE: [ActiveDir] Strange password issue
It is possible to programmatically create an account that bypasses the password length policy. The password not required flag will let you enable the account with a blank password, in contravention of your password policy.

Sincerely,

Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Tom Kern, Sent: Wed 9/6/2006 10:09 AM, To: ActiveDir@mail.activedir.org, Subject: Re: [ActiveDir] Strange password issue: This is a domain account.
Re: [ActiveDir] Strange password issue
Tom, I believe that the passwd_notreqd does in fact override the DDP.

Jason Centenni | The Capital Group Companies | Location: SNO | Extension: 44843 Outside: 210-474-4843 | Cell: 210-385-5932 | E-mail: [EMAIL PROTECTED] [ Mailing: 3500 Wiseman Blvd. San Antonio, TX 78251-4321 USA ]

Tom Kern [EMAIL PROTECTED], 09/06/2006 12:09 PM, Subject: Re: [ActiveDir] Strange password issue: This is a domain account.

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Strange password issue
ADUC.

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

How was the account created?

Thanks,
Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

This is a domain account. To rehash: the Default Domain Policy is set to a min password length of 6 characters. This was created 2 years ago and never changed. The user account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL.

Thanks
Re: [ActiveDir] Strange password issue
From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:

This is a domain account. To rehash: the Default Domain Policy is set to a min password length of 6 characters. This was created 2 years ago and never changed. The user account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL.

Thanks
RE: [ActiveDir] Strange password issue
I'm confused as to why the 512 UAC flag is making anybody think that passwd_notreqd is set. A setting of 512 indicates a normal account. 544 would indicate a normal account with passwd_notreqd set.

Laura

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, September 06, 2006 2:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

Tom,

I believe that the passwd_notreqd does in fact override the DDP.

Jason Centenni | The Capital Group Companies | Location: SNO | Extension: 44843 Outside: 210-474-4843 | Cell: 210-385-5932 | E-mail: [EMAIL PROTECTED]
[ Mailing: 3500 Wiseman Blvd. San Antonio, TX 78251-4321 USA ]
RE: [ActiveDir] Strange password issue
If it's 512, then that pwd not req is not true.

Sincerely,
Deji
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Al Mulnick
Sent: Wed 9/6/2006 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.
RE: [ActiveDir] Strange password issue
PWD_NOT_REQ is 32. You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

    C:\>admod -b cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

    AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

    DN Count: 1
    Using server: connoa-dc-01.connoa.concorp.contoso.com
    Adding specified objects...
       DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

    The command completed successfully

    C:\>admod -b cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com useraccountcontrol::512 -unsafe

    AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

    DN Count: 1
    Using server: connoa-dc-01.connoa.concorp.contoso.com
    Modifying specified objects...
       DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform
    ERROR: Too many errors encountered, terminating...

    The command did not complete successfully

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.
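An added PowerShell example, not code from the thread or from AdMod, that decodes the userAccountControl values the posts keep referring to (512, 544, 546) and reports which accounts can hold a blank password; the sample records are constructed, and the commented Get-ADUser line is the equivalent query against a real domain.

```powershell
# Added example, not from the thread: decode userAccountControl (UAC) and
# report accounts that may hold a blank password. Flag values are the
# standard Microsoft ones named in the thread (2 = ACCOUNTDISABLE,
# 32 = PASSWD_NOTREQD, 512 = NORMAL_ACCOUNT); sample records are constructed.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x0002
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
}

function ConvertFrom-UserAccountControl {
    # Returns the names of the flags set in a UAC value,
    # e.g. 544 -> PASSWD_NOTREQD, NORMAL_ACCOUNT.
    param([Parameter(Mandatory)][int]$Value)
    $names = @(foreach ($flag in $UacFlags.GetEnumerator()) {
        if (($Value -band $flag.Value) -ne 0) { $flag.Key }
    })
    return $names
}

function Get-BlankPasswordVerdict {
    # Classifies one UAC value. 544 (enabled + PASSWD_NOTREQD) is the state
    # AdMod created above; 546 is the same account disabled; 512 is the
    # normal state in which the domain password policy is enforced.
    param([Parameter(Mandatory)][int]$Value)
    $disabled = ($Value -band $UacFlags.ACCOUNTDISABLE) -ne 0
    $notReqd  = ($Value -band $UacFlags.PASSWD_NOTREQD) -ne 0
    if ($notReqd -and -not $disabled) { return 'ENABLED, blank password allowed' }
    if ($notReqd)                     { return 'disabled, blank password allowed' }
    return 'password policy enforced'
}

# Constructed sample records standing in for Get-ADUser output.
$SampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'normal-user'; userAccountControl = 512 }
    [pscustomobject]@{ SamAccountName = 'test-user';   userAccountControl = 544 }
    [pscustomobject]@{ SamAccountName = 'staged-user'; userAccountControl = 546 }
)

$SampleUsers | ForEach-Object {
    [pscustomobject]@{
        SamAccountName     = $_.SamAccountName
        userAccountControl = $_.userAccountControl
        Flags              = (ConvertFrom-UserAccountControl $_.userAccountControl) -join ','
        Verdict            = Get-BlankPasswordVerdict $_.userAccountControl
    }
} | Format-Table -AutoSize

# Against a real domain (RSAT ActiveDirectory module), the same audit is a
# bitwise-AND LDAP filter on the PASSWD_NOTREQD bit; pipe its output through
# the ForEach-Object block above instead of $SampleUsers:
# Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=32)' -Properties userAccountControl
```

As the thread shows, an account that already sits at 512 with a blank password is not caught by this filter; it only finds accounts on which PASSWD_NOTREQD is still set.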
RE: [ActiveDir] Strange password issue
Pressed send before I finished typing! :(

Following on from the last mail: you can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this? If you test this, when you set the policy to zero it says no password required (in the window).

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.