Weak password encryption in Group Policy Preference


Since Windows Server 2008, we have been able to set the local administrator password through Group Policy Preferences, but the “encryption” key is available on MSDN, so anyone can read the clear-text password with a few lines of PowerShell.

Deny “Password Never Expire” for Everyone


Here is a nice “feature” I just learned about:

It’s possible to deny the permission to tick the “Password Never Expire” checkbox while keeping the ability to enable/disable the account and manipulate the other bits of “UserAccountControl”.

I think this is useful for help desk people and delegated administrators, to ensure they change their passwords regularly, without affecting their ability to work.

This is an ACL at the domain level:


Note: This ACL defaults to “Allow”.

I just modified it to deny this permission, and tried to tick that checkbox with the “Administrator” account:


The checkbox is clickable, but you can’t apply your modifications:
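The same deny ACE can be set and checked from PowerShell instead of the GUI; the script below is an added example, not the author's own code. It assumes that the permission behind the checkbox is the `Unexpire-Password` control access right, that the ActiveDirectory module is installed, and that the caller may edit the domain object's ACL.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module and rights to edit the domain ACL.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$configDn = $rootDse.configurationNamingContext

# Assumption: the right that gates "Password Never Expire" is Unexpire-Password.
# Resolve its GUID from the Configuration partition rather than hard-coding it.
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configDn" `
    -LDAPFilter '(cn=Unexpire-Password)' -Properties rightsGuid
if (-not $right) { throw 'Unexpire-Password not found under CN=Extended-Rights' }
$rightGuid = [Guid]$right.rightsGuid

# Everyone (S-1-1-0), as in the post's title. This also binds Domain Admins.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $rightGuid)

$path = "AD:\$domainDn"
$acl  = Get-Acl -Path $path

# Add the ACE only if an identical explicit deny is not already present.
$sidType = [System.Security.Principal.SecurityIdentifier]
$present = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
    $_.IdentityReference -eq $everyone -and
    $_.ObjectType -eq $rightGuid -and
    $_.AccessControlType -eq 'Deny'
}
if (-not $present) {
    $acl.AddAccessRule($deny)
    Set-Acl -Path $path -AclObject $acl
}

# The ACE only blocks future changes; list accounts that already carry the flag.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, DistinguishedName
```

Accounts returned by the final query still have the flag set and need to be reviewed separately.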


There are some other permissions that can be pretty handy domain-wide: