question

KervinPaulRVinluan-0523 avatar image
0 Votes"
KervinPaulRVinluan-0523 asked AndrewPearce-8247 commented

Password-Not-Required attribute is true. Does this mean that the user can log on withour password?

Hi,

I've noted that there are user accounts in Active Directory with Password-Not-Required (https://docs.microsoft.com/en-us/windows/win32/adschema/a-useraccountcontrol) value equals to "true". Does this mean that the user can log on without a password? Does this override Group Policy for account logons?

Thank you,

Kervin

azure-ad-domain-services
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@KervinPaulRVinluan-0523
I just wanted to check in and see if you required additional assistance or if you were able to resolve this issue?


If any reply/answer helped resolve your question, please remember to "mark as answer" so that others in the community facing similar issues can easily find the solution.

0 Votes 0 ·

1 Answer

MarileeTurscak-MSFT avatar image
0 Votes"
MarileeTurscak-MSFT answered AndrewPearce-8247 commented

Hi @KervinPaulRVinluan-0523 ,


Yes, this can override group policy and make it so that your accounts do not have passwords required. This can cause a security gap, but you can easily fix it by querying for the accounts that have "Password-Not-Required" = true and switching the setting to false.


First, you can get the list of all user accounts that do not require a password:


 Get-ADUser -Filter {PasswordNotRequired -eq $true}

Then you can correct the accounts using:


 Get-ADUser -Identity User2 | Set-ADUser -PasswordNotRequired $false


https://docs.microsoft.com/en-us/powershell/module/addsadministration/set-aduser?view=win10-ps


· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi @MarileeTurscak,

Can you share a documentation or examples of how this can cause a security gap?. How this scenario can override Group Policy for account logons?

Thanks in advance.


https://docs.microsoft.com/en-us/archive/blogs/russellt/passwd_notreqd

0 Votes 0 ·

Is there a way to change the native behaviour of pre-staged computer accounts to prevent computer accounts from having the option to have blank passwords?

0 Votes 0 ·