Monday 16 May 2011

userAccountControl and the "no password required" value (bypassing password policy)

To find out if there are AD accounts on your system that may be allowed to have blank passwords in spite of having a restrictive password policy in place, list all users with userAccountControl value(s) using something like Softerra LDAP Browser or Somarsoft DumpSec. First connect to a DC, select attributes, and then create a report.

Softerra - Directory Search


An example of a filter:

(&(objectClass=User)(!(objectClass=computer))(!(msExchResourceSearchProperties=Equipment))(!(msExchResourceSearchProperties=Room)))

Softerra - Select attributes


DumpSec - Select attributes


An example of uAC values and their descriptions (find more in the MS article below):


If you have a password policy in place and you try to set a blank password for a normal account (uAC 512) using ADUC and admin credentials, you will get a pop-up error saying “The password does not meet password policy requirements.” If you try this with an account whose uAC is set to “password not required”, Active Directory will accept a blank password.

If an account is configured with the uAC set to “no password required”, the user still won’t be able to change her password to a blank one using the Windows 7 change password feature.

If you have an account with a blank password and the uAC set to “password not required”, and you try to change the uAC value to “password required”, you will get an error saying “Unable to update the password. The value provided for the new password does not meet the length…”. This is a useful piece of info because it tells you that the account currently has a blank password. Once you set a password that meets the password policy requirements, you can change the uAC value to “password required”.

The uAC value can be changed through ADSIEdit if there are only a few of these accounts, or the change can be scripted. If you decide to write a script, remember that system accounts such as “Internet Guest Account” are supposed to have the uAC set to “no password required”, so make sure you don't modify the system accounts.
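The same audit and clean-up as a PowerShell script, added here as an example and not part of the original post. It assumes the ActiveDirectory RSAT module and rights to read and write userAccountControl; the exclusion list of system accounts is a constructed starting point, not a complete one.

```powershell
# PASSWD_NOTREQD is bit 0x0020 (decimal 32) of userAccountControl. The LDAP
# matching rule 1.2.840.113556.1.4.803 performs a bitwise AND, so the filter
# returns every user object that has that single bit set.
Import-Module ActiveDirectory

$PASSWD_NOTREQD = 0x0020
$Filter = '(&(objectCategory=person)(objectClass=user)' +
          "(userAccountControl:1.2.840.113556.1.4.803:=$PASSWD_NOTREQD))"

# System accounts expected to carry the flag (constructed list; extend it for
# your own domain, e.g. IIS "Internet Guest Account" names like IUSR_*).
$Exclusions = @('Guest', 'krbtgt', 'IUSR_*', 'IWAM_*')

function Get-PasswdNotReqdUsers {
    Get-ADUser -LDAPFilter $Filter -Properties userAccountControl, pwdLastSet |
        Select-Object SamAccountName, DistinguishedName, Enabled,
            @{ n = 'uAC';        e = { $_.userAccountControl } },
            @{ n = 'PwdLastSet'; e = { if ($_.pwdLastSet) { [DateTime]::FromFileTime($_.pwdLastSet) } } }
}

function Repair-PasswdNotReqd {
    param([switch]$Commit)   # dry run (WhatIf) unless -Commit is given
    foreach ($u in Get-PasswdNotReqdUsers) {
        if ($Exclusions | Where-Object { $u.SamAccountName -like $_ }) { continue }
        try {
            # Clearing the bit asks AD to re-validate the current password;
            # a blank password fails policy and the DC rejects the change.
            Set-ADUser -Identity $u.DistinguishedName -PasswordNotRequired $false `
                       -WhatIf:(-not $Commit) -ErrorAction Stop
        } catch {
            # This is the "Unable to update the password..." case from the post:
            # set a compliant password first, then clear the flag.
            Write-Warning "$($u.SamAccountName) likely has a blank password: $($_.Exception.Message)"
        }
    }
}

Get-PasswdNotReqdUsers | Format-Table -AutoSize   # the audit report
Repair-PasswdNotReqd                              # dry run; add -Commit to apply
```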

How to use the UserAccountControl flags to manipulate user account properties
Softerra LDAP Browser
SomarSoft DumpSec
