Joe Grosskopf

asked on

Blank Password?

I have a Windows 2012 domain with password requirements (complexity, min password length etc.). However, some of my Windows 10 users can change their password and simply hit "return", making a blank password...if they type one character they get a message that it's too short, but it allows a return (blank). Is this a bug?
arnold

Local or domain, check whether you have a GPO that applies to these systems exempting them from the password.

Use the group policy management console (GPMC) and run a results wizard against a workstation, user and then check the results on password ....

The password requirements for domain accounts are evaluated at the DCs only, so check them at the DCs.

gpresult /h %temp%\result.html /f &  %temp%\result.html

That command lists all policies that apply and you may see which settings are applied by what policy.

If that does not bring up results, please check for password settings objects (PSO) as well:

Get-ADUserResultantPasswordPolicy -Identity usernameToCheck

Joe Grosskopf


OK, I'll check these later today and reply. Thanks
I did a gpresult and the policy is there not it says enforced: no....could that be it?
Double check the user for which a blank password is allowed, make sure it is not administrator which is interpreted as local versus domain based.

"the policy is there not it says enforced: no" - could you rephrase that? I don't understand a word.

If you go into group policy management, and you right click on a linked policy, there is a check option for enforced...this was not checked

Are you using the default domain policy for password settings? It does not need to be enforced. Could you share the result.html as a screenshot?

I am wondering what policy is used to apply your password settings. So your screenshot is not really useful. Please expand the password policy section so I can see what settings are applied by what policy.

I attached two. One showing the password policy applied in GP result and the other are the settings in the actual policy

You don't understand what I want.

I'd like you to log on to the DC, use gpresult /h result.html and open results.html and show me that these password settings are applied. It would look like this:

User generated image

Here you password policy here

Look, if you don't expand the "security settings" section, we cannot verify that!

McKnife's image, which I initially took as yours, illustrates a password policy that allows blank passwords; "Minimum Password Length 0" equals blank password as an option
Sorry, doing 5 things at shows the default domain policy. I thought if I had a policy at the OU level that would override the default domain policy
Your password policy absolutely allows blank passwords, while the example in McKnife's image arguably does not because of the requirement to meet the complexity test. After further thought since my earlier comment, a blank password would never meet the complexity required in McKnife's example.

Now you have to determine the winning policy that sets your policy; within the GPMC report, the next tab lists policies that set the parameter at issue here.

My god, who set that password policy? :-)

Ok, change the default domain policy, then do a gpupdate on all DCs and you will be fine.

OK, thanks all for your help. I created a policy for passwords (shown in my 1st GPresult) and applied it to the OU and thought the OU policy would take precedence over the default domain. And when I ran GPresult on the problem workstation it shows that policy being applied. The domain controller is NOT in this OU and thus gets the default domain policy. Am I understanding this incorrectly? And you can answer the question without the snarky comments, McKnife. Don't worry, I'll understand.

"snarky comments" - oh, that was snarky? Sorry, I wonder who configured that. That's not snarky. Maybe he or she had a reason for those settings, but for the life of me, I couldn't understand. Please allow me the freedom to add my opinion.

Honestly, do you know what it means to allow "reversible encryption" on passwords? That is a VERY bad idea unless someone has a pretty good reason for it. So my comment was rather made "snarky" to make you aware of that, in case it wasn't you.

OK, misunderstanding then but what about the policy inheritance....can you think of a reason the default domain is taking precedence over the OU policy?
OK, did not know that. Thank YOU! I'll mark this closed.

And please undo the "use reversible encryption" GPO as well, or at least question why it's there.
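
An added example, not part of the original thread: because domain account password requirements are evaluated at the DCs, this PowerShell script reads the default domain password policy and any PSOs directly from AD and flags the settings discussed above (minimum length 0, complexity off, reversible encryption). It assumes the ActiveDirectory module (RSAT) is available; `Test-PasswordPolicy` is a hypothetical helper name and `usernameToCheck` is the placeholder used earlier in the thread.

```powershell
# Added example (not from the thread). Run on a DC or a host with RSAT installed.
Import-Module ActiveDirectory

# Hypothetical helper: flags the weak settings discussed in this thread
# on either the default domain password policy or a PSO object.
function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [string] $Source
    )
    $findings = @()
    if ($Policy.MinPasswordLength -eq 0)     { $findings += 'minimum password length is 0' }
    if (-not $Policy.ComplexityEnabled)      { $findings += 'complexity is disabled' }
    if ($Policy.ReversibleEncryptionEnabled) { $findings += 'reversible encryption is enabled' }

    [pscustomobject]@{
        Source                      = $Source
        MinPasswordLength           = $Policy.MinPasswordLength
        ComplexityEnabled           = $Policy.ComplexityEnabled
        ReversibleEncryptionEnabled = $Policy.ReversibleEncryptionEnabled
        Findings                    = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}

# 1. The policy the DCs actually enforce for domain accounts.
$report = @()
$report += Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) `
                               -Source 'Default domain password policy'

# 2. Every password settings object (PSO) defined in the domain.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $report += Test-PasswordPolicy -Policy $pso -Source "PSO: $($pso.Name)"
}
$report | Format-Table -AutoSize -Wrap

# 3. Which PSO, if any, wins for one specific account.
$user = 'usernameToCheck'   # placeholder account name
$resultant = Get-ADUserResultantPasswordPolicy -Identity $user
if ($null -eq $resultant) {
    "No PSO applies to $user; the default domain password policy is in effect."
} else {
    Test-PasswordPolicy -Policy $resultant -Source "Resultant PSO for $user" | Format-List
}
```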