• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1256
  • Last Modified:

Reset user account to zero length password

Hi,

We had an audit done on our AD infrastructure and the report has come back and has found some users that state that a few users can reset their password to a zero length password. So I had a look on the report and the users are not in the same OU. The domain policy is applying to all OU’s and is set to a minimal of 8 characters.  But somehow these 26 users password can be reset to a blank password. I have double checked the security on two different account and all checks out. Other account in the same OU’s cannot be changed to a blank password. as the domain policy states it has to be 8 and more I am out of answers and the auditors now would like some answers of which I have run out of.

Please advise
0
ablsysadmin
Asked:
ablsysadmin
  • 3
  • 3
1 Solution
 
Paul MacDonaldDirector, Information SystemsCommented:
It's possible the users in question don't have read permissions on teh GPO that sets the password requirement.  That's worth looking into.

It's also possible the auditors tool is wrong.  Have you tried having one of the users in question actually set their password to nothing?
0
 
ablsysadminAuthor Commented:
i will have a quick look into the read permissions but all authenticated users have read set?
i set the password on the dc to zero or blank. so the audit tool is picking it up correctly
0
 
Paul MacDonaldDirector, Information SystemsCommented:
As an administrator, you're immune (by default) to most GPOs.  So the question isn't "can an administrator assign a zero-length password?" - an administrator can do anything he or she wants.  The question is "can a user create a zero-length password for themselves?"
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
ablsysadminAuthor Commented:
The GPO covers the users accounts. i have tested a few and i can not reset the password them to less then 8 as spec in the GPO. but these accounts i can
0
 
Paul MacDonaldDirector, Information SystemsCommented:
You might be able to garner some insight by going to a machine where one of these users is logged in and running an RSOP to determine how group policies are being applied.  

Again, it's possible for a user (or group of users or an OU) to be denied read permission to a policy, thereby excluding that policy from applying to them.
0
 
ablsysadminAuthor Commented:
a
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now