MartinPaidar-9691 asked ·

AD Computer objects created with password not required flag

Hello,


Thanks to implementing Cloud App Security, I found out that there is a large number of AD objects which have "PasswordNotRequired". For users it is set manually, but for computers it seems to be done when they are created manually in AD. I searched but can't find anything which would set this (like a GPO, etc.). So I would like to know how to prevent this from being the default behavior.

(FYI Domain level is 2016)


Thanks

Martin

windows-active-directory

Hi,

If there are any updates, welcome to share here!
Please feel free to let us know if you have any further questions.

Best Regards,

FanFan-MSFT answered ·

Hi,
If you add the clients with the "PASSWD_NOTREQD" flag set, the AD computer objects will not be affected by the password policy.
Not sure there is a way to prevent this, but we can try to identify and then attempt to remove the PASSWD_NOTREQD flag on all affected accounts.
Here is a script which can be used to do this. Just for your reference:
https://docs.microsoft.com/en-us/archive/blogs/russellt/passwd_notreqd

Best Regards,


MartinPaidar-9691 answered ·

Thank you for the answer. The solution I have developed and tested is quite straightforward:

For AD users

Get-ADUser -Filter {PasswordNotRequired -eq $true}   # lists the user accounts, so you can check them and even export the list if needed

Get-ADUser -Filter {PasswordNotRequired -eq $true} | Set-ADUser -PasswordNotRequired $false   # takes the found users and disables the flag on each account

For AD computers

Get-ADComputer -Filter {PasswordNotRequired -eq $true}   # lists the computer accounts, so you can check them and even export the list if needed

Get-ADComputer -Filter {PasswordNotRequired -eq $true} | Set-ADComputer -PasswordNotRequired $false   # takes the found accounts and disables the flag on each account


This is tested and works quite well for me.

But I am still looking for an answer as to why this is the standard behavior for computer objects and how to prevent it from happening.

Also whether it can be abused in a similar way to user accounts.


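The two Get/Set pairs above can be folded into one audit-and-remediate script. The following is an added example written for this thread, not code posted by either participant: instead of separate Get-ADUser and Get-ADComputer calls it uses a single Get-ADObject LDAP query with the bitwise-AND matching rule on userAccountControl, so users and computers come back in one result set that can be exported for review before anything is changed. The script name, the report path and the SearchBase default are assumptions.

```powershell
# Added example (not from the thread): audit every AD account with the
# PASSWD_NOTREQD bit (0x20 = 32) set in userAccountControl, export a report,
# and optionally clear the bit. Requires the ActiveDirectory module (RSAT).
# Assumed file name: Fix-PasswdNotReqd.ps1
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: search the whole domain; narrow this to an OU if needed.
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,
    # Assumption: where the CSV report is written.
    [string]$ReportPath = "$env:TEMP\PasswdNotReqd-report.csv",
    [switch]$Remediate
)

# Matching-rule OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, so
# this filter matches any object whose userAccountControl has bit 0x20 set.
# Computer objects are a subclass of "user", so one query covers both kinds.
$ldap = '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))'

$hits = @(Get-ADObject -LDAPFilter $ldap -SearchBase $SearchBase `
              -Properties userAccountControl, whenCreated, sAMAccountName |
          Select-Object sAMAccountName, ObjectClass, whenCreated, DistinguishedName,
              @{ n = 'UAC';      e = { $_.userAccountControl } },
              @{ n = 'UACHex';   e = { '0x{0:X}' -f $_.userAccountControl } },
              # 0x1020 (4128) = WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD, the value a
              # computer object gets when it is pre-created in AD before the machine joins.
              @{ n = 'PreStagedLike'; e = { $_.userAccountControl -eq 0x1020 } },
              @{ n = 'Disabled'; e = { [bool]($_.userAccountControl -band 0x2) } })

# Always write the report first so the change set is reviewable.
$hits | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
Write-Host ("{0} account(s) with PASSWD_NOTREQD; report written to {1}" -f $hits.Count, $ReportPath)
$hits | Group-Object ObjectClass | ForEach-Object { '{0,-9} {1}' -f $_.Name, $_.Count }

if ($Remediate) {
    foreach ($a in $hits) {
        # -WhatIf / -Confirm flow through ShouldProcess, so a dry run is:
        #   .\Fix-PasswdNotReqd.ps1 -Remediate -WhatIf
        if ($PSCmdlet.ShouldProcess($a.DistinguishedName, 'Clear PASSWD_NOTREQD')) {
            switch ($a.ObjectClass) {
                'computer' { Set-ADComputer -Identity $a.DistinguishedName -PasswordNotRequired $false }
                default    { Set-ADUser     -Identity $a.DistinguishedName -PasswordNotRequired $false }
            }
        }
    }
}
```

Run it once without -Remediate to get the CSV, check the PreStagedLike column to see how many of the computer hits carry exactly 0x1020 (the signature of a manually pre-created computer object), then rerun with -Remediate -WhatIf and finally -Remediate. Because a new pre-staged object will reappear with the flag the next time someone creates one by hand, the audit half is worth scheduling rather than running only once.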

Hi,
Would you please tell us how you added the computers to the domain?

Best Regards,


Hello,

There are multiple ways. Some of them are created manually by admins, some of them are created automatically by Intune/SCCM deployment.

BR,

MP

FanFan-MSFT replied to MartinPaidar-9691 ·

It depends on the way you added them.
If you add the computers to the domain in the following way, the clients will not have the "PASSWD_NOTREQD" flag set.
