Pau Lo

asked on

MBSA

Would anyone be willing to run MBSA (Microsoft Baseline Security Analyzer) against one of your domain controllers, and let me know if the password expiration test it does flags up disabled accounts as having accounts that never expire?

Also, where in ADUC can you view all users in a domain and their account status, i.e. active, expired, disabled etc.?
SOLUTION
OxygenITSolutions

Pau Lo

ASKER

I would much rather someone ran it on a domain controller to verify my suspicion, rather than looking at pictures of an MBSA report on Google images.
SOLUTION

ASKER

I am asking does MBSA only report on active/live accounts.

For example, if you run it against a domain controller, in the password expiration test it is flagging up some user accounts as having passwords that never expire - but they seem to be accounts which are disabled.

ASKER

Bad wording on the question, it should read:

Would anyone be willing to run MBSA (Microsoft Baseline Security Analyzer) against one of your domain controllers, and let me know if the password expiration test it does flags up disabled accounts as having PASSWORDS that never expire?
I created an account with a non-expiring password and disabled it. It showed up in the MBSA scan as having a non expiring password.

You can right-click on Saved Queries and create a new query. There are a few options in there to view various criteria.

Good Luck

ASKER

I was more after: if you set up an account without a non-expiring password (i.e. one that is subject to default domain policy around complexity, lockout, expiry etc.), then disable it, does it still show up as having a non-expiring password? Or does it not appear in the MBSA report for the domain controller?

Account mentioned above had the non-expiring flag removed. Re-ran the scan. Account is disabled but DID NOT appear in the scan.
MBSA scans and alerts for disabled users.
According to Microsoft, disabled users might become security issues if enabled and therefore must be handled just like active users.
On a final note, the only account that showed as disabled was the Guest account. The Guest account has its own section in the scan.

ASKER

That's weird.

I have accounts showing up in the MBSA report for the domain controller that are disabled, but before they were disabled they were subject to domain policy, which includes password expiry; now they are disabled they appear in the "accounts that have passwords that don't expire" finding.

It's almost as if any account you disable, MBSA then treats it as not having a password expiry setting because it is disabled?
An expired/locked out account isn't the same as disabled.

ASKER

megaman, can you explain the difference?

What would an account be for a user that has left employment, would that be a locked out account?
ASKER CERTIFIED SOLUTION

ASKER

>>Does the person who disables accounts set this flag when they disable accounts?

Is that common practice? Why would they do that?

>>Can you check these accounts in DSA.MSC and see if they have the flag checked 'Password never expires'?

I am not sure I have dsa.msc; can this check be done in ADUC?
Disabled accounts are administratively disabled.
Locked out accounts have had too many attempts on their password.
Expired accounts are when the password is too old.

When you set the 'password must be changed on next logon' flag, the system sets expiration to now.

When you select the 'Password never expires' flag, the system ignores the expiration date and MBSA will flag this.
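The three states described above (disabled, locked out, password expired) plus the 'Password never expires' flag and an explicit account expiration date can all be listed in one place from the domain rather than clicked through one user at a time. The following is an added example, not code posted by anyone in this thread; it assumes the ActiveDirectory PowerShell module (RSAT) is installed on the machine it runs from, and the CSV output path is an arbitrary choice.

```powershell
# Added example: list every user's account-status fields so that disabled accounts
# carrying the 'Password never expires' flag can be reviewed (the case in this thread).
Import-Module ActiveDirectory

# Enabled is returned by default; the remaining fields are extended properties and
# must be requested explicitly with -Properties.
#   PasswordNeverExpires   - the 'Password never expires' checkbox in ADUC
#   PasswordExpired        - password older than the domain's maximum password age
#   LockedOut              - too many bad password attempts (lockout policy)
#   AccountExpirationDate  - an explicit "account expires" date on the Account tab,
#                            which is a different thing from password expiry
$users = Get-ADUser -Filter * -Properties PasswordNeverExpires, PasswordExpired, PasswordLastSet,
                                          LockedOut, AccountExpirationDate |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordExpired,
                  PasswordLastSet, LockedOut, AccountExpirationDate

# Disabled accounts whose password is also set never to expire: if such an account is
# ever re-enabled it comes back with a non-expiring password, which is why MBSA reports it.
$disabledNeverExpire = $users | Where-Object { -not $_.Enabled -and $_.PasswordNeverExpires }
$disabledNeverExpire | Format-Table -AutoSize

# Full list for offline review (path is an assumption for this example).
$users | Export-Csv -Path .\ad-account-status.csv -NoTypeInformation

# The same set expressed as an LDAP filter on userAccountControl bits:
#   0x0002 (2)     = ACCOUNTDISABLE
#   0x10000 (65536) = DONT_EXPIRE_PASSWD
# The :1.2.840.113556.1.4.803: matching rule is a bitwise AND, so both bits must be set.
$ldapFilter = '(&(objectCategory=person)(objectClass=user)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=2)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=65536))'
Get-ADUser -LDAPFilter $ldapFilter | Select-Object SamAccountName, Enabled
```

The `$ldapFilter` string is also what you would paste into ADUC if you prefer the GUI route mentioned earlier in the thread: right-click Saved Queries, New Query, Define Query, choose Custom Search, and enter the filter on the Advanced tab. Saving that query gives a standing view of exactly the accounts the MBSA finding is about.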

ASKER

What is an expired/locked out account, and when does an account expire? Is that when you purposely say this account is only active for 60 days? Or is it when a user doesn't change their password after x amount of warnings?
Yes, Active Directory Users and Computers is DSA.MSC.  Some companies will set this flag for various reasons.  Some set a standard 'terminated employee' password and set it not to expire.
No, account expiration is simply X days since last password change (X is usually 60 or 90 depending on domain policy)
Your request was to run the MBSA and tell if accounts that are disabled with non expiring passwords are flagged. This was done.

ASKER

>>Yes, Active Directory Users and Computers is DSA.MSC.  Some companies will set this flag for various reasons.  Some set a standard 'terminated employee' password and set it not to expire.

Can you provide some reasons? Yes the flag is checked for a sample of the accounts I looked at...

If, say, a disabled user became re-enabled, would it then be an account with no password expiry? So it is potentially a security issue? Or when you re-enable, would the admin have to manually uncheck the "password doesn't expire" flag?


ASKER

OxygenITSolutions: yes it was, but the issue has developed. I am very sorry if this offends you, but while I have megaman's attention he has brought an issue/reason to my attention that I wasn't aware of, so I thought I'd query further...
If you were to enable that account, yes, its password would not expire.  I would never set that flag on an account, you can change the password at any time if you need the account.

ASKER

>>Some companies will set this flag for various reasons

Could you give me a few?

ASKER

... in the context of an ex employee account?
Either to keep the employee's last password from expiring, or to set some standard terminated employee password?  I can't think of a good reason; both of these are amateur at best, and not best practice.  IMO, if you have a terminated employee, do not set the 'password never expires' flag...

ASKER

>>or to set some standard terminated employee password

From an AD point of view, why would an admin do this? What benefits/ease of administration does it bring?
Simplicity?  If they ever needed to logon to that account, it would save them the step of resetting the password...
You need to review the points allocation here.