Re: [ActiveDir] Strange password issue

2006-09-17 Thread Paul Williams



No worries. It's a big thread that has spawned several different threads of discussion.

--Paul

- Original Message -
From: Akomolafe, Deji
To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 5:32 PM
Subject: RE: [ActiveDir] Strange password issue

OK. The account under discussion is "512". Had to refresh my brains because I just took your 1-4 bullet points and said, uh-uh, there is a way to have an enabled password-less account. Granted it won't be "512" and will be useless, it is still enabled.

Sorry, Paul.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT -5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: joe
Sent: Fri 9/15/2006 7:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The account is currently 512... You can't get there with a blank password without 1-4.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, September 14, 2006 11:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account.

It's a feasible scenario, no?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT -5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: joe
Sent: Thu 9/14/2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if you have an account that is created which by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password.

If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                    winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"

A blank password does not have a hash, the system knows it is blank.

You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd.

So current or past setting of UAC has no bearing on this problem.

This could occur in four ways that I can think of (in order of likelihood) and speak about

1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared

2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain

3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection.

4. The raw DIT was modified.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

PWD_NOT_REQ is 32.

You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user

Re: [ActiveDir] Strange password issue

2006-09-15 Thread Paul Williams



Not really, as it's now 512 and can't get to that state without a password meeting complexity.

--Paul

- Original Message -
From: Akomolafe, Deji
To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 4:52 AM
Subject: RE: [ActiveDir] Strange password issue

I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account.

It's a feasible scenario, no?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT -5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: joe
Sent: Thu 9/14/2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if you have an account that is created which by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password.

If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                    winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"

A blank password does not have a hash, the system knows it is blank.

You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd.

So current or past setting of UAC has no bearing on this problem.

This could occur in four ways that I can think of (in order of likelihood) and speak about

1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared

2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain

3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection.

4. The raw DIT was modified.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

PWD_NOT_REQ is 32.

You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if t

RE: [ActiveDir] Strange password issue

2006-09-15 Thread Akomolafe, Deji



Paul, did you try this?



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT -5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Paul Williams
Sent: Fri 9/15/2006 12:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

Not really, as it's now 512 and can't get to that state without a password meeting complexity.


--Paul

- Original Message - 
From: Akomolafe, Deji 
To: ActiveDir@mail.activedir.org 
Sent: Friday, September 15, 2006 4:52 AM
Subject: RE: [ActiveDir] Strange password issue


I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account.

It's a feasible scenario, no?



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT -5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Thu 9/14/2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if you have an account that is created which by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password.

If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is 

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                    winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"


A blank password does not have a hash, the system knows it is blank. 

You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd.

So current or past setting of UAC has no bearing on this problem. 



This could occur in four ways that I can think of (in order of likelihood) and speak about

1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared

2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain

3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection. 

4. The raw DIT was modified. 


 joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


PWD_NOT_REQ is 32.

You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
 DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully



C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform


ERROR: Too many errors encountered, terminating...

The command did not complete successfully


--Paul






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to c

RE: [ActiveDir] Strange password issue

2006-09-15 Thread joe



The account is currently 512... You can't get there with a blank password without 1-4.

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, September 14, 2006 11:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account.

It's a feasible scenario, no?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT -5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: joe
Sent: Thu 9/14/2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if you have an account that is created which by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password.

If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                    winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"

A blank password does not have a hash, the system knows it is blank.

You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd.

So current or past setting of UAC has no bearing on this problem.

This could occur in four ways that I can think of (in order of likelihood) and speak about

1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared

2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain

3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection.

4. The raw DIT was modified.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

PWD_NOT_REQ is 32.

You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not r

RE: [ActiveDir] Strange password issue

2006-09-15 Thread joe



Hell I posted it in the post I wrote Deji, take a peek...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, September 15, 2006 10:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Paul, did you try this?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT -5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Paul Williams
Sent: Fri 9/15/2006 12:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

Not really, as it's now 512 and can't get to that state without a password meeting complexity.

--Paul

- Original Message -
From: Akomolafe, Deji
To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 4:52 AM
Subject: RE: [ActiveDir] Strange password issue

I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account.

It's a feasible scenario, no?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT -5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: joe
Sent: Thu 9/14/2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if you have an account that is created which by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password.

If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                    winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"

A blank password does not have a hash, the system knows it is blank.

You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd.

So current or past setting of UAC has no bearing on this problem.

This could occur in four ways that I can think of (in order of likelihood) and speak about

1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared

2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain

3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection.

4. The raw DIT was modified.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

PWD_NOT_REQ is 32.

You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully

C:\>admod -b "cn=testuser,dc=connoa,dc=

RE: [ActiveDir] Strange password issue

2006-09-15 Thread Akomolafe, Deji



OK. The account under discussion is "512". Had to refresh my brains because I just took your 1-4 bullet points and said, uh-uh, there is a way to have an enabled password-less account. Granted it won't be "512" and will be useless, it is still enabled.

Sorry, Paul.


Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT -5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Fri 9/15/2006 7:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The account is currently 512... You can't get there with a blank password without 1-4.

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, September 14, 2006 11:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account.

It's a feasible scenario, no?



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT -5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Thu 9/14/2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if you have an account that is created which by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password.

If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is 

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                    winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"


A blank password does not have a hash, the system knows it is blank. 

You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd.

So current or past setting of UAC has no bearing on this problem. 



This could occur in four ways that I can think of (in order of likelihood) and speak about

1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared

2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain

3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection. 

4. The raw DIT was modified. 


 joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


PWD_NOT_REQ is 32.

You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
 DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully



C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform


ERROR: Too many e

RE: [ActiveDir] Strange password issue

2006-09-14 Thread joe



The secret is you cannot ENABLE an account with no password 
if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if 
you have an account that is created which by default (i.e. no UAC 
specified)will be 546. If you specify 544 it will still create and it will 
allow a blank password. 

If you have an account with 546 (disables, pwdnotrqed) you 
can clear the pwdnotreqd fine. However when you go to enable the account, you 
will get busted for not following policy. The Extended Error (-exterr with 
admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: 
[r2dc1.test.loc] Error 0x35 (53) - Unwilling To PerformExtended Error: 
052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 
0

Which is 

F:\DEV\cpp\AdModerr 52d# for hex 0x52d / decimal 
1325 : 
ERROR_PASSWORD_RESTRICTION 
winerror.h# Unable to update the password. The value provided for the# 
new password does not meet the length, complexity, or# history requirement 
of the domain.# 1 matches found for "52d"


A blank password does not have a hash, the system knows it 
is blank. 

You will obviously hit the same problem if you have an 
enabled account with pwd_not_reqd and try to clear the 
pwd_not_reqd.

So current or past setting of UAC has no bearing on this 
problem. 



This could occur infour ways that I can think of (in 
order of likelihood) and speak about

1. Someone relaxed the policy while the password was set or 
when the account was being enabled / having pwd_not_reqd 
cleared

2. The Domain Password Policy isn't or at least wasn't 
getting applied to one or more domain controllers for some reason. Check 
minPwdLength on the NC Head objects of all DCs in the domain

3. A blank password hash was forced into the attribute of 
an already enabled account through some form of LSASS process injection. 


4. The raw DIT was modified. 


 joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


PWD_NOT_REQ is 
32.

You can create an 
account with this set and bypass the need to set a password (ADSI does this 
automatically if you don't set a password when you create an enabled user 
without a password), but you can't set it back to 512 (normal) when it's blank, 
like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
 DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully


C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
 DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform

ERROR: Too many errors encountered, terminating...

The command did not complete successfully


--Paul






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is 
not required, then there's no need to check the minimum length. Since it 
would be overridden at the user object level, that does not affect the domain. 
I don't recall the UAC bitmask, and I'm not going to figure it out at 
the moment. I'll take your word that the password not required is true for 
this user. If you remove that setting (i.e. require the user to have a 
password) then that password would, by policy, have to be at least 6 chars in 
length. 

On 9/6/06, Tom Kern [EMAIL PROTECTED] 
wrote:


This is a domain 
account.



To rehash-



The Default Domain Policy is set to min password length - 
6 characters.

This was created 2 years ago and never 
changed.

User account is a domain account created a month 
ago.

It was brought to my attention that the user can log in 
with no password.

I confirmed.

The userAccountControl attribute of the user object was 
set to 512 (not that I'm certain if setting the passwd_notreqd overrides the 
DDP).

The domain/forest is at w2k3 
FL.



Thanks




On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] 
 wrote: 



Impossible/irrelevant. If 
it's a domain account, the policy applies regardless, because the account is 
stored in AD. If it's a local account, then the policy doesn't apply regardless; 
domain account policies don't apply to local accounts. Is this a local account 
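The sequence joe describes above (create with PASSWD_NOTREQD and no password, clear the bit while disabled, then get refused on enable, or the 544 -> 512 route Paul's admod output shows) as an added example that is not part of the thread. It uses the RSAT ActiveDirectory PowerShell module, which post-dates this discussion; the lab OU `OU=TestOU,DC=test,DC=loc`, the account name `uac-repro` and the helper names are assumptions for the demonstration, and the script needs rights to create and delete users there and a domain minimum password length greater than zero.

```powershell
# Added example, not from the thread: walk a throw-away account through the
# userAccountControl (UAC) transitions joe describes and let the DC show where
# it enforces minPwdLength. Assumes the RSAT ActiveDirectory module, rights to
# create and delete users in $LabOu, and a domain minimum password length > 0.
# $LabOu and $Sam are assumed lab values; change them for your environment.
Import-Module ActiveDirectory

$LabOu = 'OU=TestOU,DC=test,DC=loc'
$Sam   = 'uac-repro'

function Get-Uac {
    param([Parameter(Mandatory)][string]$SamAccountName)
    (Get-ADUser -Identity $SamAccountName -Properties userAccountControl).userAccountControl
}

# Run one UAC change and report whether the DC accepted or refused it instead
# of stopping the script: the refusal is the behaviour we want to observe.
function Invoke-UacChange {
    param([string]$Label, [scriptblock]$Action)
    try {
        & $Action
        "$Label : accepted, UAC is now $(Get-Uac $Sam)"
    } catch {
        "$Label : refused by DC - $($_.Exception.Message)"
    }
}

# Step 1. Create it disabled with PASSWD_NOTREQD and no password at all:
# NORMAL_ACCOUNT (0x200) + PASSWD_NOTREQD (0x20) + ACCOUNTDISABLE (0x2) = 546,
# the value an unspecified-UAC create ends up with.
New-ADUser -Name $Sam -SamAccountName $Sam -Path $LabOu -Enabled $false -PasswordNotRequired $true
"created: UAC is $(Get-Uac $Sam)"

# Step 2. Clear PASSWD_NOTREQD while still disabled (546 -> 514). No password
# evaluation happens on a disabled account, so this goes through.
Invoke-UacChange '546 -> 514 (clear 0x20 while disabled)' {
    Set-ADUser -Identity $Sam -Replace @{ userAccountControl = 514 } -ErrorAction Stop }

# Step 3. Enable it. The account now requires a password and holds a blank one,
# so the DC re-checks policy and answers 0x35 unwillingToPerform with
# ERROR_PASSWORD_RESTRICTION (0x52D) as the extended error.
Invoke-UacChange '514 -> 512 (enable with blank password)' {
    Enable-ADAccount -Identity $Sam -ErrorAction Stop }

# Step 4. The other order: enabled + not required (544) is allowed with a
# blank password, but dropping the bit to reach 512 fails the same way.
Invoke-UacChange '514 -> 544 (enable, password still not required)' {
    Set-ADUser -Identity $Sam -Replace @{ userAccountControl = 544 } -ErrorAction Stop }
Invoke-UacChange '544 -> 512 (clear 0x20 while enabled)' {
    Set-ADUser -Identity $Sam -Replace @{ userAccountControl = 512 } -ErrorAction Stop }

# Step 5. The legitimate way out: set a compliant password first; clearing the
# bit on the enabled account then succeeds and UAC lands on 512.
Set-ADAccountPassword -Identity $Sam -Reset -NewPassword (Read-Host -AsSecureString "Compliant password for $Sam")
Invoke-UacChange '544 -> 512 (after a real password)' {
    Set-ADUser -Identity $Sam -PasswordNotRequired $false -ErrorAction Stop }

Remove-ADUser -Identity $Sam -Confirm:$false
```

If step 3 or the second half of step 4 reports "accepted", the DC that served the write is not enforcing a minimum length, which is joe's second explanation and the thing to chase next.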

RE: [ActiveDir] Strange password issue

2006-09-14 Thread Akomolafe, Deji



I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account.

It's a feasible scenario, no?



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Thu 9/14/2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set. So an account that is created by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password. 

If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However, when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is 

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                    winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"


A blank password does not have a hash, the system knows it is blank. 

You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd.

So current or past setting of UAC has no bearing on this problem. 



This could occur in four ways that I can think of (in order of likelihood) and speak about:

1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared

2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain

3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection. 

4. The raw DIT was modified. 


 joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


PWD_NOT_REQ is 32.

You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
 DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully



C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
 DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform


ERROR: Too many errors encountered, terminating...

The command did not complete successfully


--Paul






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length. 

On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:


This is a domain account.



To rehash-



The Default Domain Policy is set to min password length - 6 characters.

This was created 2 years ago and never changed.

User account is a domain account created a month ago.

It was bought to my a

Re: [ActiveDir] Strange password issue

2006-09-11 Thread Paul Williams



Have you actually seen this 
behaviour? As it was my understanding that this particular policy is 
processed by SCE outside of normal policy application (by the PDCe - I can't 
remember how often, 60 minutes comes to mind but I don't know why). I've 
tried to document this here:
-- http://www.msresource.net/content/view/36/46/


--Paul

  - Original Message - 
  From: 
  Passo, 
  Larry 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Sunday, September 10, 2006 3:19 
  AM
  Subject: RE: [ActiveDir] Strange password 
  issue
  
  If 
  the Domain Controllers OU is set to block GPO inheritance, and the domain GPO 
  that sets the password policy isn't set for No Override, then the domain 
  policies might not get set properly.
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 08, 2006 1:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue
err, actually the password policy is stored in the 
machine portion of the GPO and thus applies to all machines and therefore 
all local user objects too.

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 06 September 2006 17:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Impossible/irrelevant. If it's a domain account, the policy 
applies regardless, because the account is stored in AD. If it's a local 
account, then the policy doesn't apply regardless; domain account policies 
don't apply to local accounts. Is this a local account or a domain 
account?

Laura

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
  Sent: Wednesday, September 06, 2006 11:44 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Strange password issue
  
  If you mean before the policy was set up, then, no.
  This policy has been in effect for a couple of years and 
  the account was created a month ago.
  
  Maybe the PC is not getting the Default Domain Policy?
  
  
  On 9/6/06, Williams, Robert [EMAIL PROTECTED] 
  wrote: 
  



Tom,

This is just a 
stab in the dark but is it possible that this user's password was set 
prior to the Default Domain Policy being in effect? 

Robert 
Williams




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue



I'm 
having this weird issue where I have a user account who is able to 
log in with a blank password.

The 
Default Domain Policy is set to a min password length of 6 
characters.

The 
userAccountControl on the user is set to 512.



The 
Domain is at win2k3 DFL and FFL.



Is 
there any other way besides a migration tool like Quest that could 
circumvent this policy and allow blank 
passwords?




Thanks

Re: [ActiveDir] Strange password issue

2006-09-11 Thread support




My understanding was that the Password Policies are 
applied similarly to any other Group Policy. I do recall doing some testing some 
time ago where, by using various security filtering on Group Policies, I was 
able to set up two DCs with two different effective policies and so two 
different values for password length.

The thing to remember is that domain password 
changes etc. are processed by a domain controller. You therefore need to check 
whether the Password policy is being applied to all of the domain controllers. 
As Larry said, if there is blocking on the OU for Domain Controllers and the 
Default Domain Policy does not have "No Override" then the DC will not get the 
policy. Similarly, it is possible that security filtering has been applied to 
the Default Domain Policy that stops it from getting applied etc. However, these 
things would be "permanent" so you would still have a DC with the Policy not 
applied.

However, my guess is that something was wrong a 
month ago on a Domain Controller which processed the Password reset. It is 
possible that it is still a problem (i.e. if blocking was the culprit), but it 
is more likely to have cleared up. Is it possible that there was a DC added 
briefly at the time that was not processing Policies for some 
reason?

Is it feasible to check all of the event logs on 
all DCs at the time the password was created? It may show Group Policy 
Processing errors at the time.

Alan Cuthbertson
Policy Management Software: http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor: http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter (Free): http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

- Original Message - 

  From: 
  Paul Williams 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Monday, September 11, 2006 7:06 
  PM
  Subject: Re: [ActiveDir] Strange password 
  issue
  
  Have you actually seen this 
  behaviour? As it was my understanding that this particular policy is 
  processed by SCE outside of normal policy application (by the PDCe - I can't 
  remember how often, 60 minutes comes to mind but I don't know why). I've 
  tried to document this here:
  -- http://www.msresource.net/content/view/36/46/
  
  
  --Paul
  
- Original Message - 
From: 
Passo, 
Larry 
To: ActiveDir@mail.activedir.org 

Sent: Sunday, September 10, 2006 3:19 
    AM
Subject: RE: [ActiveDir] Strange 
password issue

If 
the Domain Controllers OU is set to block GPO inheritance, and the domain 
GPO that sets the password policy isn't set for No Override, then the domain 
policies might not get set properly.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
  Sent: Friday, September 08, 2006 1:16 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Strange password issue
  err, actually the password policy is stored in the 
  machine portion of the GPO and thus applies to all machines and therefore 
  all local user objects too.
  
  neil
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
  Sent: 06 September 2006 17:27
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Strange password issue
  
  Impossible/irrelevant. If it's a domain account, the policy 
  applies regardless, because the account is stored in AD. If it's a local 
  account, then the policy doesn't apply regardless; domain account policies 
  don't apply to local accounts. Is this a local account or a domain 
  account?
  
  Laura
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no.
This policy has been in effect for a couple of years and 
the account was created a month ago.

Maybe the PC is not getting the Default Domain Policy?


On 9/6/06, Williams, Robert [EMAIL PROTECTED] 
wrote: 

  
  
  
  Tom,
  
  This is just 
  a stab in the dark but is it possible that this user's password was 
  set prior to the Default Domain Policy being in effect? 
  
  
  Robert 
  Williams
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: Wednesday, September 06, 2006 9:39 AM
  To: activedirectory
  Subject: [ActiveDir] Strange password issue
  
  

Re: [ActiveDir] Strange password issue

2006-09-11 Thread Al Mulnick
Can you re-enable the source and see if it allows you to logon with the blank password? Based on the description, I doubt it, but it would be interesting to see. Since the user logged on with the old password for a month prior to having this happen, then something else outside the process(?) occurred that caused the blank password. In line with the rest of the questions to date, what was the last modification date of the domain password policy? 
I realize there's a lot of speculation that could go on. But I am curious how the user's password got set to be nothing - especially since it was after the migration had already set it properly. What other processes can touch and modify the user objects? Any IdM products in use? 
Have you confirmed that the password is blank personally? Or was that done via some other team member?

Al

On 9/7/06, Tom Kern [EMAIL PROTECTED] wrote:

Sorry, I was distracted by other stuff here.



We are in a migration state with 2 Forests.
Source forest is win2k native and target forest is win2k3 FFL/DFL.
Both Forests have same password policy

Using Quest AD Migration Manager.

The user was created in the source and then migrated about a month ago.

The way this was discovered was, the user's password no longer worked and user claimed to be able to log on with no password(confirmed by help desk staff).
Apparently, according to the user and help desk, he was able to log in with his old password for a month until last week when the system would no longer accept his password and then he tried the null password route and it worked.

Then, i tried logging in as that user with a null password and confirmed it.

When i said UAC was 512, I meant just that- the user was a normal enabled user without the password_notreqd bit set.

When I looked in the history in the Quest console, I saw the user was migrated with copy password set to true.


A separate provisioning group creates users. They have been delegated that right through AD.
We only have 2 EA/DA's here and i'm one of them.
I delegated the Quest util to allow this same group to migrate users.
Once migrated, the user can no longer log into the source forest.
We have no other directory servers.
At the moment, users can only change their passwords when they expire and Windows prompts them.
The Change Password button on the gina has been disabled via GPO.


This probably sounds more convoluted than it is, so I apologize and we can just drop this thread if you feel there are way too many unknown variables.
Thanks for all your help and interest, guys.




On 9/7/06, Al Mulnick [EMAIL PROTECTED] wrote:



I saw it this morning. Not sure if it was last night, today, yesterday...

Curious thread though. I suppose if Tom misinterpreted the UAC flag meaning, it is also possible that he typo'd the actual value. 

Tom, how about some more details? 

What clued you into the user having a blank password? 
What does the user say about it? How long has it been this way? Was this user migrated (reference to the Quest tool)? How was the user account created (you said ADUC, but were you the one that created it?) How'd the user find out that the password was blank? 

I think some history of the issue and how the user came to be configured this way is needed. 
Also, what does the user community use to change passwords? Any meta directories? Any password management solutions in place? 


Al

On 9/7/06, Laura A. Robinson [EMAIL PROTECTED]
 wrote: 



Since the OP has said that the accounts' UAC flags are 512, not 544, the entire discussion around this is moot.

BTW, did anybody notice if my post about the 512/544 value hit the list yesterday? I don't remember seeing it and am wondering if I actually sent it. :-)

 

Thanks,

Laura



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: Thursday, September 07, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue




But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this. 


p.s. your query, while illustrating the point, isn't really appropriate. The following is how you should be looking for people with this bit set.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))


Remember, unless you've made it so, objectClass isn't indexed and although UAC is, this also applies to non-people objects, e.g. computers.


--Paul

- Original Message - 

From: 
[EMAIL PROTECTED] 
To: 
ActiveDir@mail.activedir.org 

Sent: Thursday, September 07, 2006 11:35 AM

Subject: RE: [ActiveDir] Strange password issue


UAC bitmask is 32. A normal user then gets UAC = 544. 
Try doing a ldap query for ((objectClas

Re: [ActiveDir] Strange password issue

2006-09-11 Thread Paul Williams



The only way that I'm aware of where you 
can have different lengths (without your own filters, etc.) is if you deny the 
domain controllers from reading the necessary attributes on the NC head. 
By doing this, and then having multiple policies, I believe you can achieve what 
you are talking about. I've not tested this - I'm basing this on a 
conversation I had with someone who has tested this (Mr. Wells) - although we had 
had a lot to drink at the time, and I might have got things muddled up (very 
possible).

Under those circumstances, I assume the 
values defined in the GPO work. It seems to be that the DCs favour the 
values on the NC head. The values on the NC head are written by the PDCe 
- that reads the domain policies and applies the values to the 
domain.

I haven't got round to getting my source 
access sorted yet, so can't verify. Hopefully someone with access to the 
code can chip in here.

I'm not disputing what you're saying re. 
blocking. That will probably stop the PDCe applying this. However, I 
don't think the other DCs process this in the same way. Unless there's a 
fall back, and you're achieving that via specific filtering, e.g. DC computer 
objects or custom groups, i.e. some DCs getting one, and others getting 
another...

Interesting. I'll have to try and 
repro (which is going to take some time with the current work 
load).


--Paul

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Monday, September 11, 2006 3:02 
  PM
  Subject: Re: [ActiveDir] Strange password 
  issue
  
  
  My understanding was that the Password Policies 
  are applied similarly to any other Group Policy. I do recall doing some 
  testing some time ago where, by using various security filtering on Group 
  Policies, I was able to set up two DCs with two different effective 
  policies and so two different values for password length.
  
  The thing to remember is that 
  domain password changes etc. are processed by a domain controller. You 
  therefore need to check whether the Password policy is being applied to all of 
  the domain controllers. As Larry said, if there is blocking on the OU for 
  Domain Controllers and the Default Domain Policy does not have "No Override" 
  then the DC will not get the policy. Similarly, it is possible that security 
  filtering has been applied to the Default Domain Policy that stops it from 
  getting applied etc. However, these things would be "permanent" so you would 
  still have a DC with the Policy not applied.
  
  However, my guess is that something was wrong a 
  month ago on a Domain Controller which processed the Password reset. It 
  is possible that it is still a problem (i.e. if blocking was the culprit), but 
  it is more likely to have cleared up. Is it possible that there was a DC added 
  briefly at the time that was not processing Policies for some 
  reason?
  
  Is it feasible to check all of the event logs on 
  all DCs at the time the password was created? It may show Group Policy 
  Processing errors at the time.
  
  Alan Cuthbertson
  Policy Management Software: http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
  ADM Template Editor: http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
  Policy Log Reporter (Free): http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

  - Original Message - 
  
From: 
Paul Williams 
To: ActiveDir@mail.activedir.org 

Sent: Monday, September 11, 2006 7:06 
    PM
Subject: Re: [ActiveDir] Strange 
password issue

Have you actually seen this 
behaviour? As it was my understanding that this particular policy is 
processed by SCE outside of normal policy application (by the PDCe - I can't 
remember how often, 60 minutes comes to mind but I don't know why). 
I've tried to document this here:
-- http://www.msresource.net/content/view/36/46/


--Paul

  - Original Message - 
  From: 
  Passo, Larry 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Sunday, September 10, 2006 3:19 
  AM
  Subject: RE: [ActiveDir] Strange 
  password issue
  
  If the Domain Controllers OU is set to block GPO inheritance, and 
  the domain GPO that sets the password policy isn't set for No Override, 
  then the domain policies might not get set properly.
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 08, 2006 1:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue
err, actually the password policy is stored in the 
machine portion of the GPO and thus applies to all machines and 
therefore all local user objects too.

neil


From: [EMAIL PROTECTED] 
[mai
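An audit for the two checks this part of the thread converges on (joe's "check minPwdLength on the NC head objects of all DCs" and Paul's bitwise LDAP filter for PASSWD_NOTREQD), as an added example that is not from the thread. It uses the RSAT ActiveDirectory PowerShell module, which post-dates the discussion, and assumes read access to every DC in the current domain; the matching-rule OID, the attribute names and the 0x20 and 0x2 bit values are the standard Active Directory ones, and the function names are the example's own.

```powershell
# Added example, not from the thread: audit for (a) enabled accounts that carry
# PASSWD_NOTREQD and (b) domain controllers whose copy of the password policy on
# the domain NC head differs from the PDC emulator's. Assumes the RSAT
# ActiveDirectory module and read access to every DC in the current domain.
Import-Module ActiveDirectory

$DomainDn = (Get-ADDomain).DistinguishedName

# (a) Paul's filter, narrowed to enabled accounts. The matching rule
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, so the DC tests the
# bits server-side: 0x20 = PASSWD_NOTREQD set, 0x2 = ACCOUNTDISABLE not set.
function Get-EnabledPasswordNotRequired {
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=32)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    Get-ADUser -LDAPFilter $filter -Properties userAccountControl, pwdLastSet, whenChanged |
        Select-Object SamAccountName, userAccountControl, whenChanged,
            @{ n = 'pwdLastSet'; e = { [DateTime]::FromFileTimeUtc($_.pwdLastSet) } }
}

# (b) At password-change time a DC does not read the GPO; it enforces whatever
# it holds on the domain NC head (minPwdLength, pwdProperties, ...), which the
# PDC emulator writes from the domain GPO and replication carries to the rest.
# Reading the head from each DC with -Server exposes a DC holding a stale value.
function Get-PolicyPerDc {
    foreach ($dc in Get-ADDomainController -Filter * | Sort-Object HostName) {
        try {
            $head = Get-ADObject -Server $dc.HostName -Identity $DomainDn `
                        -Properties minPwdLength, pwdProperties, pwdHistoryLength
            [pscustomobject]@{
                DC            = $dc.HostName
                IsPdc         = $dc.OperationMasterRoles -contains 'PDCEmulator'
                MinPwdLength  = $head.minPwdLength
                Complexity    = [bool]($head.pwdProperties -band 1)   # DOMAIN_PASSWORD_COMPLEX
                HistoryLength = $head.pwdHistoryLength
            }
        } catch {
            [pscustomobject]@{
                DC            = $dc.HostName
                IsPdc         = $false
                MinPwdLength  = $null
                Complexity    = $null
                HistoryLength = "unreachable: $($_.Exception.Message)"
            }
        }
    }
}

$notRequired = Get-EnabledPasswordNotRequired
"Enabled accounts with PASSWD_NOTREQD: $(@($notRequired).Count)"
$notRequired | Format-Table -AutoSize

$perDc = Get-PolicyPerDc
$perDc | Format-Table -AutoSize

# Any DC whose minimum length is not the PDC emulator's is a DC on which a
# blank password could have been accepted (joe's item 2) and may still be.
$pdcMin = ($perDc | Where-Object IsPdc | Select-Object -First 1).MinPwdLength
$perDc | Where-Object { $_.MinPwdLength -ne $pdcMin } | ForEach-Object {
    Write-Warning "$($_.DC) holds minPwdLength=$($_.MinPwdLength); PDC emulator holds $pdcMin"
}
```

Part (a) will not catch the account in Tom's report, which sits at 512; it catches the accounts that were left at 544 by a provisioning tool or migration and can still be logged into blank. Part (b) is the check for joe's second explanation. His third and fourth (a hash forced in through LSASS, or the DIT edited directly) leave nothing an LDAP read can see; for those you are down to the DCs' event logs for the time the password changed, as Alan suggests.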

RE: [ActiveDir] Strange password issue

2006-09-09 Thread Passo, Larry



If the 
Domain Controllers OU is set to block GPO inheritance, and the domain GPO that 
sets the password policy isn't set for No Override, then the domain policies 
might not get set properly.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
  Sent: Friday, September 08, 2006 1:16 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Strange password issue
  err, actually the password policy is stored in the 
  machine portion of the GPO and thus applies to all machines and therefore all 
  local user objects too.
  
  neil
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
  Sent: 06 September 2006 17:27
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Strange password issue
  
  Impossible/irrelevant. If it's a domain account, the policy 
  applies regardless, because the account is stored in AD. If it's a local 
  account, then the policy doesn't apply regardless; domain account policies 
  don't apply to local accounts. Is this a local account or a domain 
  account?
  
  Laura
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no.
This policy has been in effect for a couple of years and the 
account was created a month ago.

Maybe the PC is not getting the Default Domain Policy?


On 9/6/06, Williams, 
Robert [EMAIL PROTECTED] 
wrote: 

  
  
  
  Tom,
  
  This is just a 
  stab in the dark but is it possible that this user's password was set 
  prior to the Default Domain Policy being in effect? 
  
  Robert 
  Williams
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: Wednesday, September 06, 2006 9:39 AM
  To: activedirectory
  Subject: [ActiveDir] Strange password issue
  
  
  
  I'm 
  having this weird issue where I have a user account who is able to 
  log in with a blank password.
  
  The 
  Default Domain Policy is set to a min password length of 6 
  characters.
  
  The 
  userAccountControl on the user is set to 512.
  
  
  
  The 
  Domain is at win2k3 DFL and FFL.
  
  
  
  Is 
  there any other way besides a migration tool like Quest that could 
  circumvent this policy and allow blank passwords?
  
  
  
  
  Thanks



RE: [ActiveDir] Strange password issue

2006-09-08 Thread albertduro
If it's a local account, then the policy doesn't apply regardless;
domain account policies don't apply to local accounts.

maybe I misunderstand what you're saying, but this is not my experience.
More than once I've yanked a workstation from the domain and tried to
apply a less restricted password to a local account, and I couldn't --
the domain policy persisted tyrannically.




From: Laura A. Robinson [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 06, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


Impossible/irrelevant. If it's a domain account, the policy
applies regardless, because the account is stored in AD. If it's a local
account, then the policy doesn't apply regardless; domain account
policies don't apply to local accounts. Is this a local account or a
domain account?
 
Laura




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue


If you mean before the policy was set up, then, no.
This policy has been in effect for a couple of years and
the account was created a month ago..
 
Maybe the PC is not getting the Default Domain Policy?
 


 
On 9/6/06, Williams, Robert
[EMAIL PROTECTED] wrote: 

Tom,

 

This is just a stab in the dark but is it
possible that this user's password was set prior to the Default Domain
Policy being in effect? 

Robert Williams



From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

 

I'm having this weird  issue where I have a user
account who is able to log in with a blank password.

The Default Domain Policy is set to a min
password length of 6 characters.

The userAccountControl on the user is set to
512.

 

The Domain is at win2k3 DFL and FFL.

 

Is there any other way besides a migration tool
like Quest that could circumvent this policy and allow blank passwords?

 

Thanks

2006-09-06, 11:32:05
The information contained in this e-mail message
and any attachments may be privileged and confidential. If the reader of
this message is not the intended recipient or an agent responsible for
delivering it to the intended recipient, you are hereby notified that
any review, dissemination, distribution or copying of this communication
is strictly prohibited. If you have received this communication in
error, please notify the sender immediately by replying to this e-mail
and delete the message and any attachments from your computer. 
 



Re: [ActiveDir] Strange password issue

2006-09-08 Thread Paul Williams
Impossible/irrelevant. If it's a domain account, the policy applies 
regardless, because the account is stored in AD. If it's a local account, 
then the policy doesn't apply regardless; domain account policies don't 
apply to local accounts. Is this a local account or a domain account?


Any password policy, regardless of where it is linked in the domain, will 
apply to any and all computer accounts within scope.


The domain password policy applies to all computer objects in the domain 
(within scope, i.e. not filtered).


The only thing that is special about the domain password policy (a GPO with 
account policy configured and linked to the domainDNS object) is that the 
PDCe applies the values set therein to the necessary attributes re. pwd 
policy on the domain NC head (which is why you have to link your GPO with 
the settings you want to the domain and can't link it to the DCs' OU), which 
is where the DCs read that info from.



--Paul


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Strange password issue

2006-09-08 Thread Paul Williams
But it's possible that someone changed this policy, created the account, and 
changed it back.


I've done this myself (several times for service accounts to avoid [HP] 
protect tool's obfuscation process).


It might not even have been intentional.  One admin could have messed with 
the policy and several minutes later (that's all it's going to take if you're 
in the same site as the PDCe) another admin created the user.



--Paul



RE: [ActiveDir] Strange password issue

2006-09-08 Thread neil.ruston



err, actually the password policy is stored in the machine 
portion of the GPO and thus applies to all machines and therefore all local user 
objects too.

neil






RE: [ActiveDir] Strange password issue

2006-09-07 Thread petter.borling



UAC bitmask is 32. A normal user then gets UAC = 544. 

Try doing an LDAP query for 
(&(objectClass=user)(useraccountcontrol=544)) 
You could then modify the attribute to 512 on these 
users either with adsiedit or in a nice tool such as 
ADModify.net.

Note: if the option "password not required" is set, then 
you can either have a blank password or comply with the password policy in 
the defdom GPO.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: den 6 september 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


Pressed send before I finished typing! :(

Following on from the last mail…

You can, however, 
modify the policy so that you can have shorter passwords, create the user, and 
then change the password policy back. Perhaps someone did 
this?

If you test this, 
when you set the policy to zero it says no password required (in the 
Window).


--Paul






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is 
not required, then there's no need to check the minimum length. Since it 
would be overridden at the user object level, that does not affect the domain. 
I don't recall the UAC bitmask, and I'm not going to figure it out at 
the moment. I'll take your word that the password not required is true for 
this user. If you remove that setting (i.e. require the user to have a 
password) then that password would, by policy, have to be at least 6 chars in 
length. 

On 9/6/06, Tom Kern [EMAIL PROTECTED] 
wrote:


This is a domain 
account.



To rehash-



The Default Domain Policy is set to min password length- 
6 characters.

This was created 2 years ago and never 
changed.

User account is a domain account created a month 
ago.

It was brought to my attention that the user can log in 
with no password.

I confirmed.

The userAccountControl attribute of the user object was 
set to 512 (not that I'm certain if setting the passwd_notreqd overrides the 
DDP).

The domain/forest is at w2k3 
FL.



Thanks



Re: [ActiveDir] Strange password issue

2006-09-07 Thread Paul Williams



But you cannot set UAC to 512 if the 
password is blank, as it doesn't comply with the password policy. Try 
it. The other half of my post shows the error. I also tried it 
through the GUI (ADSIEDIT gives errors that are easier on the eyes, although 
less specific) and it said it wasn't compliant with the security policy, so it 
is checking the password when you do this.

p.s. your query, while illustrating the 
point, isn't really appropriate. The following is how you should be 
looking for people with this bit set.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))


Remember, unless you've made it so, 
objectClass isn't indexed and although UAC is, this also applies to non-people 
objects, e.g. computers.


--Paul


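As an added example (not code from any poster in this thread), the Python below decodes userAccountControl values the way the thread discusses them (512 = NORMAL_ACCOUNT, 544 = NORMAL_ACCOUNT + PASSWD_NOTREQD) and contrasts petter's equality query with Paul's bitwise filter over a constructed set of directory entries. The bit values are the documented userAccountControl flags; the sample accounts and the local filter simulation are assumptions for illustration.

```python
"""Decode userAccountControl and find PASSWD_NOTREQD accounts (added example).

Not code from anyone in the thread. The bit values are the documented
userAccountControl flags; the directory entries below are constructed samples,
not real accounts.
"""

# Documented userAccountControl bits (subset relevant to the thread).
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "PASSWORD_EXPIRED": 0x800000,
}

# LDAP_MATCHING_RULE_BIT_AND, the OID used in Paul's bitwise filter.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def decode_uac(value):
    """Names of the flags set in a userAccountControl value (544 -> PASSWD_NOTREQD, NORMAL_ACCOUNT)."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def passwd_not_reqd_filter():
    """Paul's bitwise filter: matches any UAC value with bit 32 set, whatever the other bits are."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{BIT_AND_RULE}:={UAC_FLAGS['PASSWD_NOTREQD']}))")


def equality_filter_hits(entries, value=544):
    """What petter's (useraccountcontrol=544) equality test matches: only that exact value."""
    return [e["sAMAccountName"] for e in entries if e["userAccountControl"] == value]


def find_passwd_not_reqd(entries, persons_only=True, enabled_only=True):
    """Apply the bitwise filter locally to a list of entries (simulation, not an LDAP call).

    persons_only mirrors the objectCategory=person clause (drops computers,
    which also carry UAC); enabled_only additionally skips accounts with
    ACCOUNTDISABLE set, since only enabled ones can log on with no password.
    """
    hits = []
    for e in entries:
        uac = e["userAccountControl"]
        if not uac & UAC_FLAGS["PASSWD_NOTREQD"]:
            continue
        if persons_only and e["objectCategory"] != "person":
            continue
        if enabled_only and uac & UAC_FLAGS["ACCOUNTDISABLE"]:
            continue
        hits.append(e["sAMAccountName"])
    return hits


# Constructed sample entries (placeholder names, not a real domain).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "objectCategory": "person", "userAccountControl": 512},       # normal, password required
    {"sAMAccountName": "bob", "objectCategory": "person", "userAccountControl": 544},         # 512 + 32: the one case "=544" finds
    {"sAMAccountName": "svc_backup", "objectCategory": "person", "userAccountControl": 66080},  # 512 + 32 + 65536 (DONT_EXPIRE_PASSWORD): missed by "=544"
    {"sAMAccountName": "olduser", "objectCategory": "person", "userAccountControl": 546},     # 512 + 32 + 2: disabled
    {"sAMAccountName": "ws01$", "objectCategory": "computer", "userAccountControl": 4128},    # 4096 + 32: a computer, excluded by objectCategory=person
]


if __name__ == "__main__":
    print(passwd_not_reqd_filter())
    for e in SAMPLE_ENTRIES:
        print(f"{e['sAMAccountName']:<12} {e['userAccountControl']:>6}  {decode_uac(e['userAccountControl'])}")
    print("equality (=544):", equality_filter_hits(SAMPLE_ENTRIES))
    print("bitwise, enabled persons:", find_passwd_not_reqd(SAMPLE_ENTRIES))
    print("bitwise, all persons:", find_passwd_not_reqd(SAMPLE_ENTRIES, enabled_only=False))
```

The equality query finds only bob, while the bitwise filter also catches svc_backup, whose extra DONT_EXPIRE_PASSWORD bit makes its value 66080; an account sitting at 512, as the OP reports, has PASSWD_NOTREQD clear and is matched by neither.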
RE: [ActiveDir] Strange password issue

2006-09-07 Thread Almeida Pinto, Jorge de
Yes, there is.
 
The password policy is checked as soon as the password entered (using 
characters) is written into the directory, whether it is a new password or a 
changed password.
If a password hash is written into the directory the system cannot check if the 
password that generated the hash meets the password policy or not. Migration 
tools like ADMT and Quest DMW migrate passwords by migrating the hash and not 
the actual password. For those accounts that were migrated, the password policy 
comes into effect as soon as the user is forced to change the password, but 
until that time
 
You mention Quest's migration tool. Are you saying the user was migrated from 
another forest/domain outside the existing forest and where it was created 
using ADUC?
 
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address


This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.

Re: [ActiveDir] Strange password issue

2006-09-07 Thread AFidel

This brings up a very good point, HOW
is it checking the password length? As we pointed out earlier once the
hash is created there should not be a way to easily check the password
length.

Andrew Fidel


Re: [ActiveDir] Strange password issue

2006-09-07 Thread Paul Williams



Does it have a hash though? There's 
no password. It's null.

I don't know the answer to that. It 
could, I suppose, pad it out but...who knows?


--Paul


RE: [ActiveDir] Strange password issue

2006-09-07 Thread Laura A. Robinson



Since 
the OP has said that the accounts' UAC flags are 512, not 544, the entire 
discussion around this is moot.

BTW, 
did anybody notice if my post about the 512/544 value hit the list yesterday? I 
don't remember seeing it and am wondering if I actually sent it. 
:-)

Thanks,

Laura

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
  Sent: Thursday, September 07, 2006 7:36 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Strange password issue
  
  But you cannot set UAC to 512 if the 
  password is blank, as it doesn't comply with the password policy. Try 
  it. The other half of my post shows the error. I also tried it 
  through the GUI (ADSIEDIT gives errors that are easier on the eyes, although 
  less specific) and it said it wasn't compliant with the security policy, so it 
  is checking the password when you do this.
  
  p.s. your query, while illustrating the 
  point, isn't really appropriate. The following is how you should be 
  looking for people with this bit set.
  
  (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))
  
  
  Remember, unless you've made it so, 
  objectClass isn't indexed and although UAC is, this also applies to non-people 
  objects, e.g. computers.
  
  
  --Paul
  
- Original Message - 
From: 
[EMAIL PROTECTED] 

To: ActiveDir@mail.activedir.org 

Sent: Thursday, September 07, 2006 
11:35 AM
Subject: RE: [ActiveDir] Strange 
password issue

UAC bitmask is 32. A normal user then gets UAC = 
544. 
Try doing a ldap query for 
(&(objectClass=user)(userAccountControl=544)) 
You could then modify the attribute to 512 on these 
users either with adsiedit or in a nice tool such as 
ADModify.net.

Note: if the option password not required is set. 
Then you can either have a blank password or comply with the password policy 
in defdom GPO.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 6 September 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


Pressed send 
before I finished typing! : (

Following on 
from the last mail

You can, 
however, modify the policy so that you can have shorter passwords, create 
the user, and then change the password policy back. Perhaps someone 
did this?

If you test 
this, when you set the policy to zero it says no password required (in the 
Window).


--Paul






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password 
is not required, then there's no need to check the minimum length. 
Since it would be overridden at the user object level, that does not affect 
the domain. I don't recall the UAC bitmask, and I'm not going to 
figure it out at the moment. I'll take your word that the password not 
required is true for this user. If you remove that setting (i.e. 
require the user to have a password) then that password would, by policy, 
have to be at least 6 chars in length. 


On 9/6/06, Tom Kern [EMAIL PROTECTED] 
wrote:


This is a domain 
account.



To rehash-



The Default Domain Policy is set to min password 
length- 6 characters.

This was created 2 years ago and never 
changed.

User account is a domain account created a month 
ago.

It was brought to my attention that the user can log 
in with no password.

I confirmed.

The userAccountControl attribute of the user object 
was set to 512(not that i'm certain if setting the passwd_notreqd overrides 
the DDP).

The domain/forest is at w2k3 
FL.



Thanks




On 9/6/06, Laura A. Robinson [EMAIL PROTECTED]  wrote: 




Impossible/irrelevant. If 
it's a domain account, the policy applies regardless, because the account is 
stored in AD. If it's a local account, then the policy doesn't apply 
regardless; domain account policies don't apply to local accounts. Is this a 
local account or a domain account? 



Laura

  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: Wednesday, September 06, 2006 11:44 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Strange password issue


If you mean before the policy was set up, then, 
no.

This policy has been in effect for a couple 
of years
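The bit-and filter Paul recommends above, and the reason the equality filter (userAccountControl=544) is the wrong tool for an audit, as an added, runnable example that is not part of the thread or of any tool it mentions. It models how a DC evaluates the two filter styles against a few constructed directory entries (not real accounts) and decodes the userAccountControl values under discussion (512 = NORMAL_ACCOUNT, 544 = NORMAL_ACCOUNT + PASSWD_NOTREQD, 546 = the same plus ACCOUNTDISABLE). Sending the filter to a live domain controller is left out so it runs offline; the string returned by passwd_notreqd_filter() is what you would hand to dsquery *, ldifde -r, or Get-ADUser -LDAPFilter. The flag values come from the ADS_USER_FLAG_ENUM definitions; the entries in SAMPLE_ENTRIES are made up.

```python
# Added example: decoding userAccountControl and matching the PASSWD_NOTREQD
# bit the way the LDAP_MATCHING_RULE_BIT_AND filter does.  The entries below
# are constructed for illustration; they are not real directory data.

# userAccountControl flag bits (ADS_USER_FLAG_ENUM); only the ones needed here
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x80000: "TRUSTED_FOR_DELEGATION",
}

ACCOUNTDISABLE = 0x2
PASSWD_NOTREQD = 0x20
NORMAL_ACCOUNT = 0x200

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match used in the thread
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value: int) -> list[str]:
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)          # bits this table does not know
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def passwd_notreqd_filter() -> str:
    """The audit filter from the thread: people only, user class, bit 0x20 set."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={PASSWD_NOTREQD}))"
    )


def matches_equality(entry: dict, value: int) -> bool:
    """(userAccountControl=value): only an exact numeric match."""
    return entry["userAccountControl"] == value


def matches_bit_and(entry: dict, mask: int, people_only: bool = True) -> bool:
    """(userAccountControl:1.2.840.113556.1.4.803:=mask) plus the class and
    category clauses: true when every bit in mask is set in the attribute."""
    if people_only and entry["objectCategory"] != "person":
        return False
    if "user" not in entry["objectClass"]:
        return False
    return (entry["userAccountControl"] & mask) == mask


# Constructed sample entries (not from a real domain).
SAMPLE_ENTRIES = [
    {"dn": "CN=normal", "objectCategory": "person", "objectClass": ["user"],
     "userAccountControl": 512},            # enabled, password required
    {"dn": "CN=notreqd", "objectCategory": "person", "objectClass": ["user"],
     "userAccountControl": 544},            # enabled + PASSWD_NOTREQD
    {"dn": "CN=disabled-notreqd", "objectCategory": "person", "objectClass": ["user"],
     "userAccountControl": 546},            # disabled + PASSWD_NOTREQD
    {"dn": "CN=notreqd-noexpire", "objectCategory": "person", "objectClass": ["user"],
     "userAccountControl": 66080},          # 544 | DONT_EXPIRE_PASSWD
    {"dn": "CN=ws01", "objectCategory": "computer", "objectClass": ["user", "computer"],
     "userAccountControl": 4128},           # workstation trust + PASSWD_NOTREQD
]


def find_passwd_notreqd(entries, use_bit_and: bool = True) -> list[str]:
    """Return the DNs each filter style would report for the sample entries."""
    if use_bit_and:
        return [e["dn"] for e in entries if matches_bit_and(e, PASSWD_NOTREQD)]
    return [e["dn"] for e in entries if matches_equality(e, 544)]


if __name__ == "__main__":
    print(passwd_notreqd_filter())
    for e in SAMPLE_ENTRIES:
        print(e["dn"], e["userAccountControl"], decode_uac(e["userAccountControl"]))
    print("equality :", find_passwd_notreqd(SAMPLE_ENTRIES, use_bit_and=False))
    print("bit-and  :", find_passwd_notreqd(SAMPLE_ENTRIES, use_bit_and=True))
```

The equality filter finds only accounts whose whole value is exactly 544, so a disabled account with the bit set (546) or one that also has DONT_EXPIRE_PASSWD (66080) is missed; the 1.2.840.113556.1.4.803 rule tests only that every bit in the mask is set, which is what an audit for PASSWD_NOTREQD needs. The objectCategory=person clause keeps computer accounts out of the result, since they also carry objectClass=user and can carry the bit (a pre-created computer object at 4128, for instance); pass people_only=False to matches_bit_and to see them included.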

RE: [ActiveDir] Strange password issue

2006-09-07 Thread WATSON, BEN

Yep, your e-mail definitely hit the list.

  I'm confused as to why the 512 UAC flag is making anybody
  think that passwd_notreqd is set. A setting of 512 indicates a normal account.
  544 would indicate a normal account with passwd_notreqd set.

  Laura

If that is the e-mail you are talking about.

~Ben

Re: [ActiveDir] Strange password issue

2006-09-07 Thread Paul Williams



Yeah, I think I saw your post last 
night. Mail was taking 70 minutes to come through last night.

It's not really academic or obsolete, as 
this proves that it couldn't have been 544 and set back to 512. Which 
means that it is more than likely the password, or lack of, was set when the 
policy wasn't in place.


--Paul

Re: [ActiveDir] Strange password issue

2006-09-07 Thread Al Mulnick
I saw it this morning. Not sure if it was last night, today, yesterday...

Curious thread though. I suppose if Tom misinterpreted the UAC flag meaning, it is also possible that he typo'd the actual value. 

Tom, how about some more details? 

What clued you into the user having a blank password? 
What does the user say about it? 
How long has it been this way? 
Was this user migrated (reference to the Quest tool)? 
How was the user account created (you said ADUC, but were you the one that created it?) 
How'd the user find out that the password was blank? 

I think some history of the issue and how the user came to be configured this way is needed. 
Also, what does the user community use to change passwords? Any meta directories? Any password management solutions in place? 

Al

Re: [ActiveDir] Strange password issue

2006-09-07 Thread Tom Kern
Sorry, I was distracted by other stuff here.


We are in a migration state with 2 Forests.
Source forest is win2k native and target forest is win2k3 FFL/DFL.
Both Forests have same password policy

Using Quest AD Migration Manager.

The user was created in the source and then migrated about a month ago.

The way this was discovered was, the user's password no longer worked and user claimed to be able to log on with no password(confirmed by help desk staff).
Apparently, according to the user and help desk, he was able to log in with his old password for a month until last week, when the system would no longer accept his password and then he tried the null password route and it worked.

Then, i tried logging in as that user with a null password and confirmed it.

When i said UAC was 512, I meant just that- the user was a normal enabled user without the password_notreqd bit set.

When I looked in the history in the Quest console, I saw the user was migrated with copy password set to true.


A separate provisioning group creates users. They have been delegated that right through AD.
We only have 2 EA/DA's here and i'm one of them.
I delegated the Quest util to allow this same group to migrate users.
Once migrated, the user can no longer log into the source forest.
We have no other directory servers.
At the moment,users can only change their passwords when they expire and windows prompts them.
The Change Password button on the gina has been disabled via GPO.


This probably sounds more convoluted than it is, so I apologize and we can just drop this thread if you feel there are way too many unknown variables.
Thanks for all your help and interest, guys.




RE: [ActiveDir] Strange password issue

2006-09-06 Thread Williams, Robert

Tom,

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password.

The Default Domain Policy is set to a min password length of 6 characters.

The userAccountControl on the user is set to 512.

The Domain is at win2k3 DFL and FFL.

Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks

2006-09-06, 11:32:05
The information contained in this e-mail message and any attachments may be privileged and confidential.  If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.

RE: [ActiveDir] Strange password issue

2006-09-06 Thread King, William

The password might have been set blank before the password policy was set.

William

This communication (including any attachments) contains information which is confidential and may also be privileged.  
It is for the exclusive use of the intended recipient(s).  
If you are not the intended recipient(s), please do not distribute, copy or use this communication or the information. 
Instead, if you have received this communication in error, please notify the sender immediately and then destroy any copies of it.

Due to the nature of the Internet, the sender is unable to ensure the integrity of this message and does not accept any liability or responsibility for any errors or omissions (whether as the result of this message having been intercepted or otherwise) in the contents of this message.

Any views expressed in this communication are those of the individual sender, except where the sender specifically states them to be the views of the company.

Re: [ActiveDir] Strange password issue

2006-09-06 Thread Tom Kern
If you mean before the policy was set up, then, no.
This policy has been in effect for a couple of years and the account was created a month ago..

Maybe the PC is not getting the Default Domain Policy?


RE: [ActiveDir] Strange password issue

2006-09-06 Thread Laura A. Robinson



Impossible/irrelevant. If it's a domain account, the policy applies 
regardless, because the account is stored in AD. If it's a local account, then 
the policy doesn't apply regardless; domain account policies don't apply to 
local accounts. Is this a local account or a domain account?

Laura

  
  
Re: [ActiveDir] Strange password issue

2006-09-06 Thread Tom Kern
This is a domain account.

To rehash:

The Default Domain Policy is set to min password length: 6 characters.
This was created 2 years ago and never changed.
User account is a domain account created a month ago.
It was brought to my attention that the user can log in with no password.
I confirmed.
The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP).
The domain/forest is at w2k3 FL.

Thanks






RE: [ActiveDir] Strange password issue

2006-09-06 Thread Laura A. Robinson



How 
was the account created?

Thanks,

Laura





RE: [ActiveDir] Strange password issue

2006-09-06 Thread Akomolafe, Deji



It is possible to programmatically create an account that bypasses the password length policy. The password not required flag will let you enable the account with blank password, in contravention of your password policy.


Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon





Re: [ActiveDir] Strange password issue

2006-09-06 Thread Jason_Centenni
Tom, I believe that the passwd_notreqd does in fact override the DDP.

Jason Centenni | The Capital Group Companies | Location: SNO | Extension: 44843
Outside: 210-474-4843 | Cell: 210-385-5932 | E-mail: [EMAIL PROTECTED]
[ Mailing: 3500 Wiseman Blvd. San Antonio, TX 78251-4321 USA ]
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Strange password issue

2006-09-06 Thread Tom Kern
ADUC.



Re: [ActiveDir] Strange password issue

2006-09-06 Thread Al Mulnick
From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user.

If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

RE: [ActiveDir] Strange password issue

2006-09-06 Thread Laura A. Robinson
I'm confused as to why the 512 UAC flag is making anybody think that
passwd_notreqd is set. A setting of 512 indicates a normal account. 544
would indicate a normal account with passwd_notreqd set.

Laura


RE: [ActiveDir] Strange password issue

2006-09-06 Thread Akomolafe, Deji



If it's 512, then that pwd not req is not true.



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


RE: [ActiveDir] Strange password issue

2006-09-06 Thread Paul Williams








PWD_NOT_REQ is 32.

You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
 DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully


C:\>admod -b cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
 DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform

ERROR: Too many errors encountered, terminating...

The command did not complete successfully


--Paul


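Added example, not code from the thread, from AdMod or from any of the posters: a small Python audit that does the userAccountControl arithmetic Laura and Paul are working through (NORMAL_ACCOUNT is 512, PASSWD_NOTREQD is 32, so 544 is both; 546 adds ACCOUNTDISABLE, which is 2) and builds the LDAP bitwise-AND filter that finds user objects carrying the flag. The directory entries below are constructed and the account names are made up; nothing is queried. Note the caveat the thread itself raises: an account that is already at 512 and still has a blank password, as in Tom's case, looks identical to a healthy one in this attribute, so this check only catches the 544/546 shape.

```python
"""
Decode userAccountControl (UAC) values and flag accounts that may carry a
blank password. Added example for the thread; the bit values are the
documented UAC flags, the sample entries are constructed.
"""

# Documented userAccountControl bit flags (the subset relevant here)
ACCOUNTDISABLE = 0x0002         # 2
PASSWD_NOTREQD = 0x0020         # 32
NORMAL_ACCOUNT = 0x0200         # 512
DONT_EXPIRE_PASSWORD = 0x10000  # 65536

UAC_FLAGS = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}

# Documented LDAP matching rule OID for a bitwise AND on integer attributes
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value: int) -> list[str]:
    """Return the names of the flags set in a UAC value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def can_have_blank_password(uac: int) -> bool:
    """True when PASSWD_NOTREQD is set; the DC then skips the length check."""
    return bool(uac & PASSWD_NOTREQD)


def is_enabled(uac: int) -> bool:
    """True unless ACCOUNTDISABLE is set."""
    return not (uac & ACCOUNTDISABLE)


def blank_password_filter(enabled_only: bool = True) -> str:
    """LDAP filter selecting user objects that have PASSWD_NOTREQD set."""
    parts = [
        "(objectCategory=person)",
        "(objectClass=user)",
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={PASSWD_NOTREQD})",
    ]
    if enabled_only:
        parts.append(
            f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE}))"
        )
    return "(&" + "".join(parts) + ")"


def audit(entries: list[dict]) -> list[dict]:
    """Return one finding per entry whose UAC allows a blank password."""
    findings = []
    for entry in entries:
        uac = int(entry["userAccountControl"])
        if can_have_blank_password(uac):
            findings.append({
                "sAMAccountName": entry["sAMAccountName"],
                "userAccountControl": uac,
                "flags": decode_uac(uac),
                "enabled": is_enabled(uac),
            })
    return findings


# Constructed sample entries (made-up names, not real accounts)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "tkern", "userAccountControl": 512},      # normal, password required
    {"sAMAccountName": "test-user", "userAccountControl": 544},  # normal + PASSWD_NOTREQD
    {"sAMAccountName": "svc-old", "userAccountControl": 546},    # disabled + PASSWD_NOTREQD
    {"sAMAccountName": "svc-app", "userAccountControl": 66048},  # normal + DONT_EXPIRE_PASSWORD
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ENTRIES):
        print(finding)
    print(blank_password_filter())
```

The filter string is what you would hand to an LDAP search (or to AdFind's `-f`) against the domain; the `enabled_only` switch drops the 546-style accounts that are disabled and therefore only a latent problem until someone flips them to 544 or 512.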

RE: [ActiveDir] Strange password issue

2006-09-06 Thread Paul Williams








Pressed send before I finished typing! :(

Following on from the last mail:

You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this?

If you test this, when you set the policy to zero it says no password required (in the Window).

--Paul













From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain.

I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user.

If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:

This is a domain account.

To rehash:

The Default Domain Policy is set to min password length: 6 characters.

This was created 2 years ago and never changed.

User account is a domain account created a month ago.

It was brought to my attention that the user can log in with no password.

I confirmed.

The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP).

The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no.

This policy has been in effect for a couple of years and the account was created a month ago.

Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:

Tom,

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password.

The Default Domain Policy is set to a min password length of 6 characters.

The userAccountControl on the user is set to 512.

The Domain is at win2k3 DFL and FFL.

Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks

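
As an added example (not code posted by anyone in this thread), the checks a practitioner would run against the facts stated above: the minimum length the Default Domain Policy enforces right now, the enabled accounts that carry PASSWD_NOTREQD (0x20), and a decode of the userAccountControl value 512 next to the same value with the flag set. It covers both Tom Kern's question (how a 512 account logs on with a blank password) and Paul Williams's suggestion that the policy was lowered to zero and then restored. It assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT on Windows Server 2008 R2 or later, which postdate the 2006 discussion) and a caller with read access to the domain; the account name 'tkern.test' in the remediation step is made up.

```powershell
# Added example, not code posted in this thread. Assumes the ActiveDirectory
# PowerShell module (RSAT on Windows Server 2008 R2 or later, which postdates
# the 2006 discussion) and an account with read access to the domain.
Import-Module ActiveDirectory

# userAccountControl bits referred to in the thread (ADS_USER_FLAG values).
$UF_ACCOUNTDISABLE = 0x0002   # 2
$UF_PASSWD_NOTREQD = 0x0020   # 32
$UF_NORMAL_ACCOUNT = 0x0200   # 512

function Get-UacSummary {
    # Decode the bits that matter for the blank-password question.
    param([Parameter(Mandatory)][int]$Uac)
    $notReqd  = ($Uac -band $UF_PASSWD_NOTREQD) -ne 0
    $disabled = ($Uac -band $UF_ACCOUNTDISABLE) -ne 0
    [pscustomobject]@{
        Value               = $Uac
        NormalAccount       = ($Uac -band $UF_NORMAL_ACCOUNT) -ne 0
        Disabled            = $disabled
        PasswordNotRequired = $notReqd
        # The domain's minimum length is bypassed only while this flag is set,
        # so this is the state in which an empty password can be *stored*.
        BlankPasswordSettable = ($notReqd -and -not $disabled)
    }
}

# 1. The minimum length the Default Domain Policy enforces right now, and when
#    that GPO was last modified (GroupPolicy module), to spot a temporary
#    lowering to zero that was later put back.
$policy = Get-ADDefaultDomainPasswordPolicy
"Domain minPwdLength is currently $($policy.MinPasswordLength)"
# Import-Module GroupPolicy
# (Get-GPO -Name 'Default Domain Policy').ModificationTime

# 2. Enabled users carrying PASSWD_NOTREQD. 1.2.840.113556.1.4.803 is the LDAP
#    bitwise-AND matching rule, so the DC tests the bits instead of the client
#    pulling every user and decoding locally.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=32)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
Get-ADUser -LDAPFilter $filter -Properties userAccountControl, whenCreated, pwdLastSet |
    ForEach-Object {
        $s   = Get-UacSummary -Uac $_.userAccountControl
        $set = [DateTime]::FromFileTime($_.pwdLastSet)
        '{0,-20} UAC={1,-4} created={2:yyyy-MM-dd} pwdLastSet={3:yyyy-MM-dd}' -f $_.SamAccountName, $s.Value, $_.whenCreated, $set
    }

# 3. Decode the value from the thread (512) next to the same account with the
#    flag set (544). 512 only shows the flag is clear *now*: clearing it does
#    not touch the stored password, so an empty password set while the flag was
#    on keeps working until the password is reset.
512, (512 -bor $UF_PASSWD_NOTREQD) | ForEach-Object { Get-UacSummary -Uac $_ } | Format-Table -AutoSize

# 4. Remediation for one account (name assumed): clear the flag, then reset the
#    password so the empty credential is actually replaced, not just forbidden.
# Set-ADAccountControl -Identity 'tkern.test' -PasswordNotRequired $false
# Set-ADAccountPassword -Identity 'tkern.test' -Reset -NewPassword (Read-Host -AsSecureString 'New password')
```

The point of step 3 is the caveat the thread circles around: reading 512 today does not prove PASSWD_NOTREQD was never set on this account, because the flag is only consulted when a password is stored, and clearing it afterwards leaves the stored (blank) password valid. To see whether the flag was ever written, pull the object's replication metadata with `repadmin /showobjmeta <DC> <userDN>`, which lists the version, originating time and originating DC for userAccountControl and unicodePwd; a userAccountControl version greater than 1 on a month-old account means it was changed after creation.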