Blank Passwords, Complex Requeirements and Problems...

Tutorials Win: Microsoft Windows Forum

Blank Passwords, Complex Requeirements and Problems...

An auditor discovered several accouns with Blank Passwords in a MultiDomain
AD structure arround the world

As far as i know, the Win2003 AD never had a "free" Default Domain Policy to
allow that, the DDP is the Default since the initial build of th AD. Ok,
let's say that an Admin disabled temporarily th DDP for a few moments and
allowed certain accouns to be created with blank passwords. Today, the DDP
is configured to allow only complex passwords.

10 accounsts in the domain (among 1.200 other accounts) were found with
blank passwords. When we reset thoses passwords, the ADUC allows.. BLANK
passwords!!!!! Only in the 10 aaccounts created in 2007 (The AD was created
on 2004). Any other user don't have that problem, only a sequencial list of
accounts (created by script with the DSADD tool, exactly like any other
account in the domain)
Top

Re: Blank Passwords, Complex Requeirements and Problems... by Ken

Ken
Thu Mar 13 14:21:24 PDT 2008

Hello,

Are you sure that those accounts are subject to the group policy?
I recommend running a "Resultant Set of Policies" test on the user accounts
in question.
There are several reasons why a given policy will not be applied to a user
account. I would find out first if the policy is being applied to those
accounts or not. If it is not, then you need to track down why the accounts
are exempt.

--
Ken Aldrich
DSRAZOR for Windows
Visual Click Software, Inc.
www.visualclick.com

"MCTS" <MCTS@MCTS.net> wrote in message
news:EEDCD917-1BD0-457F-8434-F9F6BAB0D5D2@microsoft.com...
> Blank Passwords, Complex Requeirements and Problems...
>
> An auditor discovered several accouns with Blank Passwords in a
> MultiDomain AD structure arround the world
>
> As far as i know, the Win2003 AD never had a "free" Default Domain Policy
> to allow that, the DDP is the Default since the initial build of th AD.
> Ok, let's say that an Admin disabled temporarily th DDP for a few moments
> and allowed certain accouns to be created with blank passwords. Today, the
> DDP is configured to allow only complex passwords.
>
> 10 accounsts in the domain (among 1.200 other accounts) were found with
> blank passwords. When we reset thoses passwords, the ADUC allows.. BLANK
> passwords!!!!! Only in the 10 aaccounts created in 2007 (The AD was
> created on 2004). Any other user don't have that problem, only a
> sequencial list of accounts (created by script with the DSADD tool,
> exactly like any other account in the domain)
>
>
>
>
>


Top

Re: Blank Passwords, Complex Requeirements and Problems... by Jorge

Jorge
Sun Mar 16 14:19:23 PDT 2008

what is the userAccountControl value for those accounts?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"MCTS" <MCTS@MCTS.net> wrote in message
news:EEDCD917-1BD0-457F-8434-F9F6BAB0D5D2@microsoft.com...
> Blank Passwords, Complex Requeirements and Problems...
>
> An auditor discovered several accouns with Blank Passwords in a
> MultiDomain AD structure arround the world
>
> As far as i know, the Win2003 AD never had a "free" Default Domain Policy
> to allow that, the DDP is the Default since the initial build of th AD.
> Ok, let's say that an Admin disabled temporarily th DDP for a few moments
> and allowed certain accouns to be created with blank passwords. Today, the
> DDP is configured to allow only complex passwords.
>
> 10 accounsts in the domain (among 1.200 other accounts) were found with
> blank passwords. When we reset thoses passwords, the ADUC allows.. BLANK
> passwords!!!!! Only in the 10 aaccounts created in 2007 (The AD was
> created on 2004). Any other user don't have that problem, only a
> sequencial list of accounts (created by script with the DSADD tool,
> exactly like any other account in the domain)
>
>
>
>
>

Top

Re: Blank Passwords, Complex Requeirements and Problems... by Flavio

Flavio
Mon Mar 17 05:47:57 PDT 2008

512, via AccountLocakout Tools DLL


"Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByDots@gmail.com> escreveu na mensagem
news:OH%23gpt6hIHA.1208@TK2MSFTNGP03.phx.gbl...
> what is the userAccountControl value for those accounts?
>
> --
>
> Cheers,
> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>
> # Jorge de Almeida Pinto # MVP Windows Server - Directory Services
>
> BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
> BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
> ------------------------------------------------------------------------------------------
> * How to ask a question --> http://support.microsoft.com/?id=555375
> ------------------------------------------------------------------------------------------
> * This posting is provided "AS IS" with no warranties and confers no
> rights!
> * Always test before implementing!
> ------------------------------------------------------------------------------------------
> #################################################
> #################################################
> ------------------------------------------------------------------------------------------
> "MCTS" <MCTS@MCTS.net> wrote in message
> news:EEDCD917-1BD0-457F-8434-F9F6BAB0D5D2@microsoft.com...
>> Blank Passwords, Complex Requeirements and Problems...
>>
>> An auditor discovered several accouns with Blank Passwords in a
>> MultiDomain AD structure arround the world
>>
>> As far as i know, the Win2003 AD never had a "free" Default Domain Policy
>> to allow that, the DDP is the Default since the initial build of th AD.
>> Ok, let's say that an Admin disabled temporarily th DDP for a few moments
>> and allowed certain accouns to be created with blank passwords. Today,
>> the DDP is configured to allow only complex passwords.
>>
>> 10 accounsts in the domain (among 1.200 other accounts) were found with
>> blank passwords. When we reset thoses passwords, the ADUC allows.. BLANK
>> passwords!!!!! Only in the 10 aaccounts created in 2007 (The AD was
>> created on 2004). Any other user don't have that problem, only a
>> sequencial list of accounts (created by script with the DSADD tool,
>> exactly like any other account in the domain)
>>
>>
>>
>>
>>
>

Top

Re: Blank Passwords, Complex Requeirements and Problems... by Ken

Ken
Mon Mar 17 07:24:31 PDT 2008

User Account Control set at 512 means that it is set to a pretty basic
level. This is a pretty normal setting for most user accounts.

It is enabled, it is not locked out.

These settings are NOT set:
User must change password at next logon
User cannot change password
Password never expires
Store password using reversible encryption
Smart card is required for interactive logon
Account is trusted for delegation
Account is sensitive and cannot be delegated
Use DES encryption types for this account
Do not require Kerberos preauthentication

I would again look to group policy processing. If the policy is not
restricting those accounts then you need to track down the exclusion.
Perhaps they are a member of a group that is being excluded from processing
that policy. That is just one such reason. Running the "Resultant set of
policy" wizard should be a good place to start.

--
Ken Aldrich
DSRAZOR for Windows
Visual Click Software, Inc.
www.visualclick.com

"Flavio Borup" <fborup@hotmail.com> wrote in message
news:2283CD29-99C1-4C0A-BBE4-13B3F58E0A57@microsoft.com...
> 512, via AccountLocakout Tools DLL
>
>
> "Jorge de Almeida Pinto [MVP - DS]"
> <SubstituteThisWithMyFullNameSeparatedByDots@gmail.com> escreveu na
> mensagem news:OH%23gpt6hIHA.1208@TK2MSFTNGP03.phx.gbl...
>> what is the userAccountControl value for those accounts?
>>
>> --
>>
>> Cheers,
>> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>>
>> # Jorge de Almeida Pinto # MVP Windows Server - Directory Services
>>
>> BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
>> BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
>> ------------------------------------------------------------------------------------------
>> * How to ask a question --> http://support.microsoft.com/?id=555375
>> ------------------------------------------------------------------------------------------
>> * This posting is provided "AS IS" with no warranties and confers no
>> rights!
>> * Always test before implementing!
>> ------------------------------------------------------------------------------------------
>> #################################################
>> #################################################
>> ------------------------------------------------------------------------------------------
>> "MCTS" <MCTS@MCTS.net> wrote in message
>> news:EEDCD917-1BD0-457F-8434-F9F6BAB0D5D2@microsoft.com...
>>> Blank Passwords, Complex Requeirements and Problems...
>>>
>>> An auditor discovered several accouns with Blank Passwords in a
>>> MultiDomain AD structure arround the world
>>>
>>> As far as i know, the Win2003 AD never had a "free" Default Domain
>>> Policy to allow that, the DDP is the Default since the initial build of
>>> th AD. Ok, let's say that an Admin disabled temporarily th DDP for a few
>>> moments and allowed certain accouns to be created with blank passwords.
>>> Today, the DDP is configured to allow only complex passwords.
>>>
>>> 10 accounsts in the domain (among 1.200 other accounts) were found with
>>> blank passwords. When we reset thoses passwords, the ADUC allows.. BLANK
>>> passwords!!!!! Only in the 10 aaccounts created in 2007 (The AD was
>>> created on 2004). Any other user don't have that problem, only a
>>> sequencial list of accounts (created by script with the DSADD tool,
>>> exactly like any other account in the domain)
>>>
>>>
>>>
>>>
>>>
>>
>


Top

Re: Blank Passwords, Complex Requeirements and Problems... by Jorge

Jorge
Tue Mar 18 08:48:31 PDT 2008

there also a "Password Not Required" bit in userAccountControl attribute.
That is why I asked....
The account would then have: 544 = normal account with "Password Not
Required" bit = on

on a DC execute: adfind -default -s base
this will query the DC to show the attribute values on the domain NC

The output should be something like: (the values with
<<<################################################## are the ones
representing the password/account lockout stuff)

-- >objectClass: domain
>objectClass: domainDNS
>distinguishedName: DC=ADCORP,DC=DEMO
>instanceType: 5
>whenCreated: 20080313145130.0Z
>whenChanged: 20080314160857.0Z
>subRefs: DC=ForestDnsZones,DC=ADCORP,DC=DEMO
>subRefs: DC=DomainDnsZones,DC=ADCORP,DC=DEMO
>subRefs: CN=Configuration,DC=ADCORP,DC=DEMO
>uSNCreated: 4098
>uSNChanged: 22313
>name: ADCORP
>objectGUID: {FE063A98-E95A-4CB2-A7EA-984F62EF360C}
>creationTime: 128498936571250000
>forceLogoff: -9223372036854775808
>lockoutDuration: -18000000000
><<<##################################################
>lockOutObservationWindow: -18000000000
><<<##################################################
>lockoutThreshold: 5 <<<##################################################
>maxPwdAge: -155520000000000
><<<##################################################
>minPwdAge: 0 <<<##################################################
>minPwdLength: 3 <<<##################################################
>modifiedCountAtLastProm: 0
>nextRid: 1001
>pwdProperties: 0 <<<##################################################
>pwdHistoryLength: 0 <<<##################################################
>objectSid: S-1-5-21-3687581062-375753355-2044987285
>oEMInformation: R1
>serverState: 1
>uASCompat: 1
>modifiedCount: 1
>auditingPolicy: 0001 nTMixedDomain: 0
>rIDManagerReference: CN=RID Manager$,CN=System,DC=ADCORP,DC=DEMO
>fSMORoleOwner: CN=NTDS
>Settings,CN=RFSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=DEMO
>systemFlags: -1946157056
>wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS
>Quotas,DC=ADCORP,DC=DEMO
>wellKnownObjects:
>B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program
>Data,DC=ADCORP,DC=DEMO
>wellKnownObjects: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program
>Data,DC=ADCORP,DC=DEMO
>wellKnownObjects:
>B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals,DC=ADCORP,DC=DEMO
>wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted
>Objects,DC=ADCORP,DC=DEMO
>wellKnownObjects:
>B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=ADCORP,DC=DEMO
>wellKnownObjects:
>B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=ADCORP,DC=DEMO
>wellKnownObjects:
>B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=ADCORP,DC=DEMO
>wellKnownObjects: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain
>Controllers,DC=ADCORP,DC=DEMO
>wellKnownObjects:
>B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=ADCORP,DC=DEMO
>wellKnownObjects:
>B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=ADCORP,DC=DEMO
>objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=ADCORP,DC=DEMO
>isCriticalSystemObject: TRUE
>gPLink:
>[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ADCORP,DC=DEMO;0][LDAP://CN={2872CCC6-9F14-4992-890B-94C29FD55EA0},CN=Policies,CN=System,DC=ADCORP,DC=DEMO;0]
>dSCorePropagationData: 16010101000000.0Z
>masteredBy: CN=NTDS
>Settings,CN=RFSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=DEMO
>ms-DS-MachineAccountQuota: 10
>msDS-Behavior-Version: 2
>msDS-PerUserTrustQuota: 1
>msDS-AllUsersTrustQuota: 1000
>msDS-PerUserTrustTombstonesQuota: 10
>msDs-masteredBy: CN=NTDS
>Settings,CN=RFSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=DEMO
>msDS-IsDomainFor: CN=NTDS
>Settings,CN=RFSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=DEMO
>msDS-NcType: 0
>dc: ADCORP

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Flavio Borup" <fborup@hotmail.com> wrote in message
news:2283CD29-99C1-4C0A-BBE4-13B3F58E0A57@microsoft.com...
> 512, via AccountLocakout Tools DLL
>
>
> "Jorge de Almeida Pinto [MVP - DS]"
> <SubstituteThisWithMyFullNameSeparatedByDots@gmail.com> escreveu na
> mensagem news:OH%23gpt6hIHA.1208@TK2MSFTNGP03.phx.gbl...
>> what is the userAccountControl value for those accounts?
>>
>> --
>>
>> Cheers,
>> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>>
>> # Jorge de Almeida Pinto # MVP Windows Server - Directory Services
>>
>> BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
>> BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
>> ------------------------------------------------------------------------------------------
>> * How to ask a question --> http://support.microsoft.com/?id=555375
>> ------------------------------------------------------------------------------------------
>> * This posting is provided "AS IS" with no warranties and confers no
>> rights!
>> * Always test before implementing!
>> ------------------------------------------------------------------------------------------
>> #################################################
>> #################################################
>> ------------------------------------------------------------------------------------------
>> "MCTS" <MCTS@MCTS.net> wrote in message
>> news:EEDCD917-1BD0-457F-8434-F9F6BAB0D5D2@microsoft.com...
>>> Blank Passwords, Complex Requeirements and Problems...
>>>
>>> An auditor discovered several accouns with Blank Passwords in a
>>> MultiDomain AD structure arround the world
>>>
>>> As far as i know, the Win2003 AD never had a "free" Default Domain
>>> Policy to allow that, the DDP is the Default since the initial build of
>>> th AD. Ok, let's say that an Admin disabled temporarily th DDP for a few
>>> moments and allowed certain accouns to be created with blank passwords.
>>> Today, the DDP is configured to allow only complex passwords.
>>>
>>> 10 accounsts in the domain (among 1.200 other accounts) were found with
>>> blank passwords. When we reset thoses passwords, the ADUC allows.. BLANK
>>> passwords!!!!! Only in the 10 aaccounts created in 2007 (The AD was
>>> created on 2004). Any other user don't have that problem, only a
>>> sequencial list of accounts (created by script with the DSADD tool,
>>> exactly like any other account in the domain)
>>>
>>>
>>>
>>>
>>>
>>
>

Top