Active Directory user accounts can have a blank password and ignore the password policy if the PASSWD_NOTREQD userAccountControl bit is set

When you create a new Active Directory user account using Active Directory Users and Computers, you'll find that by default you have to set a password because of the domain's password policy.

This is as you would expect.

However, there are other ways to create user accounts, including the .NET account management classes. For example:

using System;
using System.DirectoryServices.AccountManagement;

// Connect to the current domain and create an enabled account with an empty password.
using (PrincipalContext context = new PrincipalContext(ContextType.Domain, Environment.UserDomainName))
{
    // UserPrincipal(context, samAccountName, password, enabled): passing String.Empty
    // as the password results in PASSWD_NOTREQD being set so the blank password is accepted.
    using (UserPrincipal user = new UserPrincipal(context, "NewAccount", String.Empty, true))
    {
        user.Save();
    }
}

These classes allow you to ignore the password policy and set a blank password. They do this by helpfully setting the PASSWD_NOTREQD flag in the userAccountControl attribute, documented here:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties

The problem with this is that this user can be forced to set a password but can later reset it to a blank password. Even worse, you can do this

This cannot be seen in the normal tools, but you can see it with the net user command, in ADSIEdit.msc and in PowerShell.

The PowerShell cmdlets are discussed in this blog post:
https://itfordummies.net/2017/08/28/active-directory-password-not-required/
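The following script is an added example for finding and cleaning up such accounts; it is not code from the original post or from the linked blog. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the caller has rights to read and, for remediation, write userAccountControl. It uses the LDAP bitwise AND matching rule so the domain controller tests the PASSWD_NOTREQD bit (0x0020) itself, which is the same bit the .NET code above sets.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

# PASSWD_NOTREQD is bit 0x0020 (decimal 32) of userAccountControl.
$PASSWD_NOTREQD = 0x0020

# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: the filter matches when the bit is set.
$ldapFilter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$PASSWD_NOTREQD))"

function Find-PasswordNotRequiredUser {
    # Returns every user object in the domain with PASSWD_NOTREQD set.
    Get-ADUser -LDAPFilter $ldapFilter -Properties userAccountControl, PasswordNotRequired, PasswordLastSet, Enabled
}

$flagged = Find-PasswordNotRequiredUser

# Report: enabled accounts with this flag are the ones to look at first.
$flagged |
    Select-Object SamAccountName, Enabled, PasswordLastSet, PasswordNotRequired,
        @{ Name = 'userAccountControl'; Expression = { '0x{0:X}' -f $_.userAccountControl } } |
    Sort-Object Enabled -Descending |
    Format-Table -AutoSize

# Remediation: clear the flag so the domain password policy applies to the account again.
# -WhatIf shows what would change; remove it once the list has been reviewed.
foreach ($user in $flagged) {
    Set-ADAccountControl -Identity $user -PasswordNotRequired $false -WhatIf
}
```

Clearing the flag only stops future blank or policy-violating passwords from being set; an account that currently has a blank password keeps it until the password is reset, so a reset (for example with Set-ADAccountPassword -Reset) should follow for any flagged account whose PasswordLastSet value suggests it was created this way.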

