Active Directory user accounts can have a blank password and ignore the password policy if the PASSWD_NOTREQD userAccountControl bit is set
When you create a new Active Directory user account using Active Directory Users and Computers you'll find that by default you have to set a password because of the domain's password policy.
This is as you would expect.
However, there are other ways to create user accounts, including the .NET account management classes, for example:
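    using System;
    using System.DirectoryServices.AccountManagement;

    // Creates an enabled domain user with an empty password.
    using (PrincipalContext context = new PrincipalContext(ContextType.Domain, Environment.UserDomainName))
    {
        // Arguments: context, samAccountName, password (blank), enabled
        using (UserPrincipal user = new UserPrincipal(context, "NewAccount", String.Empty, true))
        {
            user.Save();
        }
    }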
These classes allow you to ignore the password policy and set a blank password. They do this by helpfully setting the PASSWD_NOTREQD flag in the userAccountControl attribute documented here
The problem with this is that this user can be forced to set a password but can now reset it to a blank password. Even worse, you can do this
The PowerShell cmdlets are discussed in this blog:
https://itfordummies.net/2017/08/28/active-directory-password-not-required/
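To audit a domain for this condition, the following added example (not from the original post or the linked blog) decodes userAccountControl values and reports accounts that have PASSWD_NOTREQD (0x20) set. The function name, the sample rows and the LDAP filter are assumptions of this example; the commented live-domain lines require the ActiveDirectory module.

```powershell
# userAccountControl bits used here (values from Microsoft's userAccountControl documentation)
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x0002
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
}

# LDAP filter with the bitwise-AND matching rule: user objects with bit 0x20 (32) set
$PasswdNotReqdFilter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))'

# Hypothetical helper: emits one report row per input object that has PASSWD_NOTREQD set
function Get-PasswdNotReqdAccount {
    param([Parameter(ValueFromPipeline)] $User)
    process {
        $uac = [int]$User.userAccountControl
        if ($uac -band $UacFlags.PASSWD_NOTREQD) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                # Enabled accounts are the urgent ones: a blank password may be usable right now
                Enabled        = -not ($uac -band $UacFlags.ACCOUNTDISABLE)
                Flags          = ($UacFlags.Keys | Where-Object { $uac -band $UacFlags[$_] }) -join ','
                # Value userAccountControl would have with only the 0x20 bit cleared
                ClearedUac     = $uac -band (-bnot $UacFlags.PASSWD_NOTREQD)
            }
        }
    }
}

# Constructed sample rows (not real accounts), shaped like Get-ADUser output
$sample = @(
    [pscustomobject]@{ SamAccountName = 'NewAccount'; userAccountControl = 544 }    # 0x220
    [pscustomobject]@{ SamAccountName = 'alice';      userAccountControl = 512 }    # 0x200, not reported
    [pscustomobject]@{ SamAccountName = 'svc-old';    userAccountControl = 66082 }  # 0x10222, disabled
)
$sample | Get-PasswdNotReqdAccount | Format-Table -AutoSize

# Against a live domain:
#   Get-ADUser -LDAPFilter $PasswdNotReqdFilter -Properties userAccountControl |
#       Get-PasswdNotReqdAccount
# Clearing the flag on a reviewed account (replace the placeholder identity):
#   Set-ADUser -Identity '<samAccountName>' -PasswordNotRequired $false
```

Clearing the flag does not change the account's current password, so an account that already has a blank password still needs a reset after the flag is removed.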