Joe Grosskopf
 asked on

Blank Password?

I have a Windows 2012 domain with password requirements (Complexity, min password length etc.). However, some of my Windows 10 users can change their password and simply hit "return", making a blank password...if they type one character they get a message that it's too short, but it allows a return (blank)....is this a bug?
Windows 10, Windows OS, Windows Server 2012

Last Comment
McKnife

8/22/2022 - Mon
arnold

Local or domain, check whether you have a GPO that applies to these systems exempting them from the password.

Use group policy management console (GPMC) and run a results wizard against a workstation, user and then check the results on password ....
McKnife

The password requirements for domain accounts are evaluated at the DCs only, so check them at the DCs.


gpresult /h %temp%\result.html /f &  %temp%\result.html


That command lists all policies that apply and you may see which settings are applied by what policy.

If that does not bring up results, please check for password settings objects (PSO) as well:

Get-ADUserResultantPasswordPolicy -Identity usernameToCheck

Joe Grosskopf

ASKER
OK, I'll check these later today and reply. Thanks
Joe Grosskopf

ASKER
I did a gpresult and the policy is there not it says enforced: no....could that be it?
arnold

Double check the user for which a blank password is allowed, make sure it is not administrator which is interpreted as local versus domain based.
McKnife

"the policy is there not it says enforced: no" - could you rephrase that? I don't understand a word.

Joe Grosskopf

ASKER
If you go into group policy management, and you right click on a linked policy, there is a check option for enforced...this was not checked
McKnife

Are you using the default domain policy for password settings? It does not need to be enforced. Could you share the result.html as a screenshot?

Joe Grosskopf

ASKER
Attached
Result-SS.jpg
McKnife

I am wondering what policy is used to apply your password settings. So your screenshot is not really useful. Please expand the password policy section so I can see what settings are applied by what policy.

Joe Grosskopf

ASKER
I attached two. One showing the password policy applied in GP result and the other are the settings in the actual policy
Password-GP-settings.jpg
Password-polcy.jpg
McKnife

You don't understand what I want.


I'd like you to log on to the DC, use gpresult /h result.html and open result.html and show me that these password settings are applied. It would look like this:

Joe Grosskopf

ASKER
Here you go...no password policy here
dcresult.jpg
McKnife

Look, if you don't expand the "security settings" section, we cannot verify that!

arnold

McKnife's image, which I initially took as yours, illustrates a password policy that allows blank passwords; "Minimum Password Length 0" equals blank password as an option
Joe Grosskopf

ASKER
Sorry, doing 5 things at once...it shows the default domain policy. I thought if I had a policy at the OU level that would override the default domain policy
dcresult2.jpg
arnold

Your password policy absolutely allows blank passwords, while the example in McKnife's image arguably does not because of the requirement to meet the complexity test. After further thought since my earlier comment, a blank password would never meet the complexity required in McKnife's example.

Now you have to determine the winning policy that sets your policy; within the GPMC report, the next tab lists policies that set the parameter at issue here.
McKnife

My god, who set that password policy? :-)

Ok, change the default domain policy, then do a gpupdate on all DCs and you will be fine.

Joe Grosskopf

ASKER
OK, thanks all for your help. I created a policy for passwords (shown in my 1st GPresult) and applied to the OU  and thought the OU policy would take precedence over the default domain. And when I ran GPresult on the problem workstation it shows that policy being applied. The domain controller is NOT in this OU and thus gets the default domain policy. Am I understanding this incorrectly? And you can answer the question without the snarky comments McKnife, Don't worry I'll understand.
McKnife

"snarky comments" - oh, that was snarky? Sorry, I wonder who configured that. That's not snarky. Maybe he or she had a reason for those settings, but for the life of me, I couldn't understand. Please allow me the freedom to add my opinion.

McKnife

Honestly, do you know what it means to allow "reversible encryption" on passwords? That is a VERY bad idea unless someone has a pretty good reason for it. So my comment was rather made "snarky" to make you aware of that, in case it wasn't you.

Joe Grosskopf

ASKER
OK, misunderstanding then but what about the policy inheritance....can you think of a reason the default domain is taking precedence over the OU policy?
ASKER CERTIFIED SOLUTION
McKnife

Log in or sign up to see answer
Joe Grosskopf

ASKER
OK, did not know that. Thank YOU! I'll mark this closed.
McKnife

And please undo the "use reversible encryption" GPO as well, or at least question why it's there.
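
The checks discussed in this thread, collected into one PowerShell script as an added example that is not part of any post: it evaluates the domain-level password policy and any PSOs for a minimum length of 0 and for reversible encryption. `Test-PasswordPolicy` and the sample object are hypothetical names constructed here; the live part assumes the ActiveDirectory module and a reachable DC.

```powershell
# Added example: flag the weak settings discussed in this thread.
# Test-PasswordPolicy is a hypothetical helper, not a built-in cmdlet.
function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] $Policy,   # needs MinPasswordLength, ComplexityEnabled, ReversibleEncryptionEnabled
        [string] $Source = 'policy'
    )
    $findings = @()
    if ($Policy.MinPasswordLength -eq 0 -and -not $Policy.ComplexityEnabled) {
        $findings += "${Source}: MinPasswordLength=0 and no complexity, blank passwords are accepted"
    } elseif ($Policy.MinPasswordLength -eq 0) {
        $findings += "${Source}: MinPasswordLength=0, only the complexity rule prevents a blank password"
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += "${Source}: 'Store passwords using reversible encryption' is enabled"
    }
    return $findings
}

# Constructed sample object (not taken from the asker's screenshots); runs offline.
$sample = [pscustomobject]@{
    MinPasswordLength           = 0
    ComplexityEnabled           = $false
    ReversibleEncryptionEnabled = $true
}
Test-PasswordPolicy -Policy $sample -Source 'constructed sample'

# Live checks: only attempted when the ActiveDirectory module is installed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory

    # The policy the DCs enforce for domain accounts that have no PSO.
    Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Source 'Domain password policy'

    # Every password settings object, lowest precedence value first.
    Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence | ForEach-Object {
        Test-PasswordPolicy -Policy $_ -Source "PSO '$($_.Name)'"
    }

    # PSO that wins for one account; no output means the domain policy applies.
    $user = 'usernameToCheck'   # placeholder account name, as in the thread
    $pso  = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($pso) { Test-PasswordPolicy -Policy $pso -Source "Resultant PSO for $user" }
    else      { "No PSO applies to $user; the domain password policy governs this account" }
}
```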
