Solved

MBSA

Posted on 2011-02-21
29
Medium Priority
1,706 Views
Last Modified: 2012-05-11
Would anyone be willing to run MBSA (Microsoft Baseline Security Analyzer) against one of your domain controllers, and let me know if the password expiration test it does flags up disabled accounts as having accounts that never expire?

Also, where in ADUC can you view all users in a domain and their account status, i.e. active, expired, disabled etc.?
0
Question by:pma111
29 Comments
 
LVL 7

Assisted Solution

by:OxygenITSolutions
OxygenITSolutions earned 100 total points
ID: 34941192
Do a Google search for MBSA and go to Images. You might find what you're looking for.
0
 
LVL 3

Author Comment

by:pma111
ID: 34941205
I would much rather someone ran it on a domain controller to verify my suspicion, rather than looking at pictures of an MBSA report on Google images.
0
 
LVL 7

Assisted Solution

by:oriziv
oriziv earned 100 total points
ID: 34941229
I'm not sure what you're asking for.
MBSA doesn't alert when a disabled user's password expires.
0
 
LVL 3

Author Comment

by:pma111
ID: 34941265
I am asking whether MBSA only reports on active/live accounts.

For example, if you run it against a domain controller, in the password expiration test it is flagging up that some user accounts have passwords that never expire - but they seem to be accounts which are disabled.
0
 
LVL 3

Author Comment

by:pma111
ID: 34941284
Bad wording on the question, it should read:

Would anyone be willing to run MBSA (Microsoft Baseline Security Analyzer) against one of your domain controllers, and let me know if the password expiration test it does flags up disabled accounts as having PASSWORDS that never expire?
0
 
LVL 7

Expert Comment

by:OxygenITSolutions
ID: 34941525
I created an account with a non-expiring password and disabled it. It showed up in the MBSA scan as having a non-expiring password.

You can right-click on Saved Queries and create a new query. There are a few options in there to view various criteria.

Good Luck
0
 
LVL 3

Author Comment

by:pma111
ID: 34941550
I was more after this: if you set up an account without a non-expiring password (i.e. one that is subject to default domain policy around complexity, lockout, expiry etc.), then disable it, does it still show up as having a non-expiring password? Or does it not appear in the MBSA report for the domain controller?

0
 
LVL 7

Expert Comment

by:OxygenITSolutions
ID: 34941574
The account mentioned above had the non-expiring flag removed. I re-ran the scan. The account is disabled but did NOT appear in the scan.
0
 
LVL 7

Expert Comment

by:oriziv
ID: 34941580
MBSA scans and alerts for disabled users.
According to Microsoft, disabled users might become security issues if enabled and therefore must be handled just like active users.
0
 
LVL 7

Expert Comment

by:OxygenITSolutions
ID: 34941600
On a final note, the only account that showed as disabled was the Guest account. The Guest account has its own section in the scan.
0
 
LVL 3

Author Comment

by:pma111
ID: 34941612
That's weird.

I have accounts showing up in the MBSA report for the domain controller that are disabled, but before they were disabled they were subject to domain policy, which includes password expiry. Now that they are disabled they appear in the "accounts that have passwords that don't expire" finding.

It's almost as if any account you disable, MBSA then treats as not having a password expiry setting because it is disabled?
0
 
LVL 5

Expert Comment

by:megaman5
ID: 34941651
An expired/locked-out account isn't the same as a disabled one.
0
 
LVL 3

Author Comment

by:pma111
ID: 34941658
megaman, can you explain the difference?

What would the account be for a user that has left employment? Would that be a locked-out account?
0
 
LVL 5

Accepted Solution

by:megaman5
megaman5 earned 300 total points
ID: 34941676
Users who have left employment are usually disabled, by right clicking on the user object and disabling it.  If I read everything correctly, MBSA is flagging these accounts because 'they have passwords set to not expire?'  Can you check these accounts in DSA.MSC and see if they have the flag checked 'Password never expires'?  Does the person who disables accounts set this flag when they disable accounts?
0
 
LVL 3

Author Comment

by:pma111
ID: 34941687
>>Does the person who disables accounts set this flag when they disable accounts?

Is that common practice, why would they do that?

>>Can you check these accounts in DSA.MSC and see if they have the flag checked 'Password never expires'?

I am not sure I have dsa.msc; can this check be done in ADUC?
0
 
LVL 5

Expert Comment

by:megaman5
ID: 34941688
Disabled accounts are administratively disabled.
Locked out accounts have had too many attempts on their password.
Expired accounts are when the password is too old.

When you set the 'password must be changed on next logon' flag, the system sets expiration to now.

When you select the 'Password never expires' flag, the system ignores the expiration date and MBSA will flag this.
0
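As an added illustration (not code from this thread), the following PowerShell query separates the account states megaman5 describes (disabled, locked out, password expired) and isolates the exact condition the asker saw in MBSA: disabled accounts that still carry the "Password never expires" flag. It assumes the RSAT ActiveDirectory module and a domain account permitted to read user objects.

```powershell
# Added example, not from the thread: classify domain users by the states discussed
# above, then list disabled accounts whose "Password never expires" flag is set.
# Assumes the RSAT ActiveDirectory module and read access to user objects.
Import-Module ActiveDirectory

$props = @('Enabled', 'LockedOut', 'PasswordNeverExpires', 'PasswordExpired',
           'PasswordLastSet', 'AccountExpirationDate')

$report = foreach ($u in (Get-ADUser -Filter * -Properties $props)) {
    # Days since the password was last changed (null if it was never set).
    $age = if ($u.PasswordLastSet) { ((Get-Date) - $u.PasswordLastSet).Days } else { $null }
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Disabled             = -not $u.Enabled          # administratively disabled
        LockedOut            = $u.LockedOut             # too many bad password attempts
        PasswordExpired      = $u.PasswordExpired       # password older than policy allows
        PasswordAgeDays      = $age
        AccountExpired       = [bool]($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date))
        PasswordNeverExpires = $u.PasswordNeverExpires  # the flag MBSA reports on
    }
}

# The condition in the question: disabled accounts that would come back with a
# non-expiring password if someone simply re-enabled them.
$disabledNeverExpire = $report | Where-Object { $_.Disabled -and $_.PasswordNeverExpires }
$disabledNeverExpire | Format-Table -AutoSize

# The same check as an LDAP filter, usable in an ADUC custom Saved Query (Advanced tab):
# userAccountControl bit 2 = ACCOUNTDISABLE, bit 65536 = DONT_EXPIRE_PASSWD.
$ldap = '(&(objectCategory=person)(objectClass=user)' +
        '(userAccountControl:1.2.840.113556.1.4.803:=2)' +
        '(userAccountControl:1.2.840.113556.1.4.803:=65536))'
Get-ADUser -LDAPFilter $ldap | Select-Object -ExpandProperty SamAccountName

# Remediation matching the accepted answer's advice: do not leave the flag set.
# Remove -WhatIf after reviewing the list.
foreach ($row in $disabledNeverExpire) {
    Set-ADUser -Identity $row.SamAccountName -PasswordNeverExpires $false -WhatIf
}
```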
 
LVL 3

Author Comment

by:pma111
ID: 34941697
What is an expired/locked-out account, and when does an account expire? Is that when you purposely say this account is only active for 60 days? Or is it when a user doesn't change their password after x amount of warnings?
0
 
LVL 5

Expert Comment

by:megaman5
ID: 34941699
Yes, Active Directory Users and Computers is DSA.MSC.  Some companies will set this flag for various reasons.  Some set a standard 'terminated employee' password and set it not to expire.
0
 
LVL 5

Expert Comment

by:megaman5
ID: 34941706
No, account expiration is simply X days since last password change (X is usually 60 or 90 depending on domain policy)
0
 
LVL 7

Expert Comment

by:OxygenITSolutions
ID: 34941721
Your request was to run the MBSA and tell if accounts that are disabled with non expiring passwords are flagged. This was done.
0
 
LVL 3

Author Comment

by:pma111
ID: 34941731
>>Yes, Active Directory Users and Computers is DSA.MSC.  Some companies will set this flag for various reasons.  Some set a standard 'terminated employee' password and set it not to expire.

Can you provide some reasons? Yes, the flag is checked for a sample of the accounts I looked at...

If, say, a disabled user became undisabled, would it then be an account with no password expiry? So it is potentially a security issue? Or when you re-enable, would the admin have to manually uncheck the "password doesn't expire" flag?

0
 
LVL 3

Author Comment

by:pma111
ID: 34941740
OxygenITSolutions: yes it was, but the issue has developed. I am very sorry if this offends you, but while I have megaman's attention he has brought an issue/reason to my attention that I wasn't aware of, so I thought I'd query further...
0
 
LVL 5

Expert Comment

by:megaman5
ID: 34941754
If you were to enable that account, yes, its password would not expire.  I would never set that flag on an account, you can change the password at any time if you need the account.
0
 
LVL 3

Author Comment

by:pma111
ID: 34941758
>>Some companies will set this flag for various reasons

Could you give me a few?
0
 
LVL 3

Author Comment

by:pma111
ID: 34941762
... in the context of an ex employee account?
0
 
LVL 5

Expert Comment

by:megaman5
ID: 34941775
Either to keep the employee's last password from expiring, or to set some standard terminated employee password?  I can't think of a good reason; both of these are amateur at best, and not best practice.  IMO, if you have a terminated employee, do not set the 'password never expires' flag...
0
 
LVL 3

Author Comment

by:pma111
ID: 34941791
>>or to set some standard terminated employee password

From an AD point of view, why would an admin do this? What benefits/ease of administration does it bring?
0
 
LVL 5

Expert Comment

by:megaman5
ID: 34941804
Simplicity?  If they ever needed to logon to that account, it would save them the step of resetting the password...
0
 
LVL 7

Expert Comment

by:OxygenITSolutions
ID: 34941857
You need to review the points allocation here.
0
