Active Directory Password not Required
Hello,
This is not widely known, but an Active Directory user account can have a blank password even when a password policy or Password Settings Objects apply to it. This is due to an attribute named “userAccountControl” that can override the standard behavior. The attribute is made up of several bits, each with a different effect; you can find a full description here:
http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm
The one we’ll talk about today is “UF_PASSWD_NOTREQD”. If you set this bit to 1 on an Active Directory account, the account is allowed to have a blank password, provided an admin sets one.
Active Directory Password not Required – Demo
As the demo shows, an admin can set an empty password when “PasswordNotRequired” is set to $true.
And now we can log on without typing a password:
This is a security hole in your Active Directory, especially when the account is a domain admin logging on to a domain controller.
Active Directory Password not Required – Get a List
You can get a list of all the Active Directory users that don’t require a password with a single PowerShell line:
Get-ADUser -Filter {PasswordNotRequired -eq $true}
Note: This requires the Active Directory PowerShell module.
Active Directory Password not Required – Correct the accounts
You can correct the users with:
Get-ADUser -Identity Admin3 | Set-ADUser -PasswordNotRequired $false
Note: you need to set a real password first, or you will get an error like this:
Set-ADUser : The password does not meet the length, complexity, or history requirement of the domain.
The password you set must comply with the password policy that applies to that user.
You can use this to correct all accounts in your AD, starting by assigning the query to a variable:
$noPasswordRequired = Get-ADUser -Filter {PasswordNotRequired -eq $true}
Check how many accounts you may be looking at:
$noPasswordRequired | measure
Then clear the flag on the whole list at once:
$noPasswordRequired | % {Set-ADUser -Identity $_ -PasswordNotRequired $false}
To test the waters, you might start with just the first account in the list and verify that it works:
$noPasswordRequired[0] | % {Set-ADUser -Identity $_ -PasswordNotRequired $false}
$noPasswordRequired[0] | Get-ADUser -Properties PasswordNotRequired
Which may produce something like the following, where PasswordNotRequired is now False:
DistinguishedName : CN=Admin3,OU=Admins,DC=domain,DC=com
Enabled : False
GivenName : Admin
Name : Admin3
ObjectClass : user
ObjectGUID : 1x1xxx11-x11x-111x-1xx1-1x1x1x1xx1x1
PasswordNotRequired : False
SamAccountName : Admin3
SID : S-1-2-34-5678901234-5678901234-5678901234-5678
Surname : Admin
UserPrincipalName : Admin3@domain.com
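As an added example (not code from the original post), the script below combines the steps above: it finds the affected accounts by querying the UF_PASSWD_NOTREQD bit (0x20) of userAccountControl directly with an LDAP bitwise filter, reports whether each account is enabled, privileged and has ever had a password set, and clears the flag only after a password has been reset, in the order the post requires. The function names are my own; it assumes the Active Directory PowerShell module is loaded and that you run it with rights to reset passwords.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
# UF_PASSWD_NOTREQD is bit 0x20 (decimal 32) of userAccountControl. The OID in the
# filter is the LDAP_MATCHING_RULE_BIT_AND rule, so this query matches the same
# accounts as "-Filter {PasswordNotRequired -eq $true}" but also shows the raw bits.
$UF_PASSWD_NOTREQD = 0x20

function Get-PasswordNotRequiredReport {
    Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$UF_PASSWD_NOTREQD)" `
               -Properties userAccountControl, PasswordLastSet, AdminCount |
    ForEach-Object {
        [PSCustomObject]@{
            SamAccountName     = $_.SamAccountName
            Enabled            = $_.Enabled
            # Null PasswordLastSet means no password was ever set: a blank one is likely
            PasswordLastSet    = $_.PasswordLastSet
            # adminCount = 1 marks accounts protected by AdminSDHolder (privileged groups)
            AdminCount         = $_.AdminCount
            UserAccountControl = ('0x{0:X}' -f $_.userAccountControl)
        }
    }
}

function Repair-PasswordNotRequired {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$NewPassword
    )
    # Order matters: the flag can only be cleared once the account has a password that
    # satisfies the domain policy, otherwise Set-ADUser fails with the error shown above.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Reset password and clear PasswordNotRequired')) {
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $NewPassword
        Set-ADUser -Identity $SamAccountName -PasswordNotRequired $false
    }
}

# Usage: review the report first (privileged and enabled accounts at the top),
# then remediate one account at a time; -WhatIf shows what would change.
Get-PasswordNotRequiredReport | Sort-Object AdminCount, Enabled -Descending | Format-Table -AutoSize
# Repair-PasswordNotRequired -SamAccountName 'Admin3' -NewPassword (Read-Host -AsSecureString 'New password') -WhatIf
```

Drop -WhatIf once the report has been reviewed; the Get-ADUser call from the post can then be re-run to confirm the list is empty.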