> Scenario: A Windows domain with an n day password expiration policy > and Windows 2000 SP4 PCs with all the latest security patches. I know > that a Windows user will have to change their password today, so I > set AutoAdminLogon to 1 in their registry. When they switch off their > PC and go home I am able to log on to their PC, using their account, > but without requiring a password. > > Surely this can't be the way it's supposed to work?! I thought that > the DefaultPassword registry entry had to contain the password for > DefaultUserName before auto logon would work yet it seems to work if > DefaultPassword is missing. Can anyone else confirm this behaviour or > suggest what I may have done wrong?
Sorry for coming so late, but isn't the password stored in LSA Secrets instead ? If you used this feature before, then the password might linger there. Did you try to run LSADUMP2 ? You might see your admin password cleartext. Regards, - Nicolas RUFF
