
Blank Password?

I have a Windows 2012 domain with password requirements (complexity, min password length etc.). However, some of my Windows 10 users can change their password and simply hit "return", making a blank password...if they type one character they get a message that it's too short, but it allows a return (blank)....is this a bug?

Distinguished Expert 2019

Commented:
Local or domain, check whether you have a GPO that applies to these systems exempting them from the password.

Use group policy management console (GPMC) and run a results wizard against a workstation, user and then check the results on password ....
Distinguished Expert 2019

Commented:

The password requirements for domain accounts are evaluated at the DCs only, so check them at the DCs.


gpresult /h %temp%\result.html /f &  %temp%\result.html


That command lists all policies that apply and you may see which settings are applied by what policy.

If that does not bring up results, please check for password settings objects (PSO) as well:

Get-ADUserResultantPasswordPolicy -Identity usernameToCheck

jsgrosskopfIS Manager

Author

Commented:
OK, I'll check these later today and reply. Thanks
jsgrosskopfIS Manager

Author

Commented:
I did a gpresult and the policy is there not it says enforced: no....could that be it?
Distinguished Expert 2019

Commented:
Double check the user for which a blank password is allowed, make sure it is not administrator which is interpreted as local versus domain based.
Distinguished Expert 2019

Commented:

"the policy is there not it says enforced: no" - could you rephrase that? I don't understand a word.

jsgrosskopfIS Manager

Author

Commented:
If you go into group policy management, and you right click on a linked policy, there is a check option for enforced...this was not checked
Distinguished Expert 2019

Commented:

Are you using the default domain policy for password settings? It does not need to be enforced. Could you share the result.html as screenshot?

jsgrosskopfIS Manager

Author

Commented:
Attached
Result-SS.jpg
Distinguished Expert 2019

Commented:

I am wondering what policy is used to apply your password settings. So your screenshot is not really useful. Please expand the password policy section so I can see what settings are applied by what policy.

jsgrosskopfIS Manager

Author

Commented:
I attached two. One showing the password policy applied in GP result and the other is the settings in the actual policy
Password-GP-settings.jpg
Password-polcy.jpg
Distinguished Expert 2019

Commented:

You don't understand what I want.


I'd like you to log on to the DC, use gpresult /h result.html and open results.html and show me that these password settings are applied. It would look like this:

jsgrosskopfIS Manager

Author

Commented:
Here you go...no password policy here
dcresult.jpg
Distinguished Expert 2019

Commented:

Look, if you don't expand the "security settings" section, we cannot verify that!

Distinguished Expert 2019

Commented:
McKnife's image, which I initially took as yours, illustrates a password policy that allows blank passwords; "Minimum Password Length 0" equals blank password as an option
jsgrosskopfIS Manager

Author

Commented:
Sorry, doing 5 things at once...it shows the default domain policy. I thought if I had a policy at the OU level that would override the default domain policy
dcresult2.jpg
Distinguished Expert 2019

Commented:
Your password policy absolutely allows blank password, while the example in McKnife's image arguably does not because of the requirement to meet complexity test. After further thought since my earlier comment, a blank password would never meet complexity required in McKnife's example.

Now you have to determine the winning policy that sets your policy; within the GPMC report, the next tab lists policies that set the parameter at issue here.
Distinguished Expert 2019

Commented:

My god, who set that password policy? :-)

Ok, change the default domain policy, then do a gpupdate on all DCs and you will be fine.

jsgrosskopfIS Manager

Author

Commented:
OK, thanks all for your help. I created a policy for passwords (shown in my 1st GPresult) and applied it to the OU and thought the OU policy would take precedence over the default domain. And when I ran GPresult on the problem workstation it shows that policy being applied. The domain controller is NOT in this OU and thus gets the default domain policy. Am I understanding this incorrectly? And you can answer the question without the snarky comments, McKnife. Don't worry, I'll understand.
Distinguished Expert 2019

Commented:

"snarky comments" - oh, that was snarky? Sorry, I wonder who configured that. That's not snarky. Maybe he or she had a reason for those settings, but for the life of me, I couldn't understand. Please allow me the freedom to add my opinion.

Distinguished Expert 2019

Commented:

Honestly, do you know what it means to allow "reversible encryption" on passwords? That is a VERY bad idea unless someone has a pretty good reason for it. So my comment was rather made "snarky" to make you aware of that, in case it wasn't you.

jsgrosskopfIS Manager

Author

Commented:
OK, misunderstanding then but what about the policy inheritance....can you think of a reason the default domain is taking precedence over the OU policy?
Distinguished Expert 2019
Commented:

Password policies must be configured within a policy that is in effect on the DCs.

Microsoft recommends using the default domain policy for it; they even say it's the only policy that you can use for it.

jsgrosskopfIS Manager

Author

Commented:
OK, did not know that. Thank YOU! I'll mark this closed.
Distinguished Expert 2019

Commented:

And please undo the "use reversible encryption" GPO as well, or at least question why it's there.
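
Added example, not part of any post in this thread and not the experts' own code: a PowerShell check that reads the password policy the way the DCs evaluate it (a PSO if one applies to the user, otherwise the domain-wide policy) and flags the settings discussed above. `Test-PasswordPolicy`, `Get-EffectivePasswordPolicy`, the length baseline of 8 and the sample object are assumptions made for illustration.

```powershell
# Added example. Test-PasswordPolicy and Get-EffectivePasswordPolicy are
# hypothetical helper names; the Get-AD* cmdlets come from the ActiveDirectory module.

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Policy,
        [int] $MinimumLength = 8   # assumed baseline; set to your own standard
    )
    process {
        $findings = @()
        if ($Policy.MinPasswordLength -eq 0 -and -not $Policy.ComplexityEnabled) {
            $findings += 'Blank password accepted (minimum length 0, complexity off)'
        }
        elseif ($Policy.MinPasswordLength -lt $MinimumLength) {
            $findings += "Minimum length $($Policy.MinPasswordLength) is below $MinimumLength"
        }
        if (-not $Policy.ComplexityEnabled) { $findings += 'Complexity not required' }
        if ($Policy.ReversibleEncryptionEnabled) {
            $findings += 'Passwords stored with reversible encryption'
        }
        [pscustomobject]@{
            Policy   = $Policy.DistinguishedName
            Findings = $findings
        }
    }
}

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)] [string] $Identity)
    # A PSO that applies to the user wins; otherwise the domain-wide policy applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if ($pso) { $pso } else { Get-ADDefaultDomainPasswordPolicy }
}

# Constructed sample mirroring the settings described in the thread, so the
# check can be tried without a domain. The DN is a placeholder.
$sample = [pscustomobject]@{
    DistinguishedName           = 'DC=example,DC=test'
    MinPasswordLength           = 0
    ComplexityEnabled           = $false
    ReversibleEncryptionEnabled = $true
}
(Test-PasswordPolicy -Policy $sample).Findings

# On a domain-joined machine with RSAT:
# Get-EffectivePasswordPolicy -Identity usernameToCheck | Test-PasswordPolicy
```

Because it queries the directory rather than a workstation's gpresult, the output reflects what the DCs enforce for domain accounts, not what an OU-linked GPO shows on the client.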