Thread: Password policy & userAccountControl ?

  1. #1
    Join Date
    Sep 2005
    Posts
    123

    Password policy & userAccountControl ?

    There is a security audit in a company that states that a large number of users are allowed to use weak/zero passwords. The domain policy setting says that weak/zero passwords aren't allowed. I have domain controllers with Windows 2003 SP1. After looking at the "weak/zero password users", it seems that they are not able to make a weak password by themselves? But an admin can do it by resetting the password. Can anyone tell me which user attribute to look for to fix this problem? Thanks.

  2. #2
    Join Date
    Aug 2006
    Posts
    201

    RE: Password policy & userAccountControl ?

    You can try to remove the non-expiring flag for all users. You should also make sure that users change their password on a regular basis through the domain GPO, and also check that your password policy is proper and appropriate to the org. You also need to check your account lockout policy.

  3. #3
    Join Date
    Jun 2006
    Posts
    623
    You can use the below script to find and toggle off the UF_PASSWD_NOTREQD bit:

    'Finds objects with both NORMAL_ACCOUNT (512) and PASSWD_NOTREQD (32) bits set.
    'FixUAC clears the PASSWD_NOTREQD bit, effectively
    'removing the PASSWD_NOTREQD setting.
    Const UF_PASSWD_NOTREQD = 32

    Set objRootDSE = GetObject("LDAP://rootDSE")
    strBase = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">;"
    '1.2.840.113556.1.4.803 is the bitwise AND matching rule; 544 = 512 + 32,
    'so only objects with both bits set are returned
    strFilter = "(userAccountControl:1.2.840.113556.1.4.803:=544);"
    strAttrs = "distinguishedName;"
    strScope = "subtree"

    Set objConn = CreateObject("ADODB.Connection")
    objConn.Provider = "ADsDSOObject"
    objConn.Open "Active Directory Provider"
    Set objComm = CreateObject("ADODB.Command")
    objComm.ActiveConnection = objConn
    objComm.Properties("Page Size") = 100000
    objComm.CommandText = strBase & strFilter & strAttrs & strScope
    Set objRS = CreateObject("ADODB.Recordset")
    objRS.Open objComm

    'no MoveFirst here: it raises an error when the search returns no records
    While Not objRS.EOF
        WScript.Echo objRS.Fields(0).Value
        'uncomment the following line to fix accounts
        'FixUAC objRS.Fields(0).Value
        objRS.MoveNext
    Wend

    'clears the PASSWD_NOTREQD bit on one account
    Sub FixUAC(strUserDN)
        Set objUser = GetObject("LDAP://" & strUserDN)
        bytUAC = objUser.Get("userAccountControl")
        'And Not always clears the bit; Xor would set it again on an account already fixed
        bytUAC = bytUAC And Not UF_PASSWD_NOTREQD
        objUser.Put "userAccountControl", bytUAC
        'SetInfo writes the change from the local property cache to the directory
        objUser.SetInfo
    End Sub

  4. #4
    Join Date
    Jan 2006
    Posts
    278
    We also had this similar problem show up on an audit, and ours was because of a combination of accounts migrated from an NT domain in an AD as disabled users via the ADC, as well as the admins auto-generating accounts via script. But thanks to the above post, now I would run some tests to solve this issue.
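
An added example, not part of any post in this thread: a Python sketch that applies the same test as the 544 filter in post #3 to an offline export, separates enabled accounts from disabled ones such as the migrated accounts described in post #4, and computes the corrected userAccountControl value. The csvde-style column layout, the sample DNs and values, and the function names are assumptions constructed for illustration.

```python
"""Offline triage of a userAccountControl export (added example, constructed data)."""
import csv
import io

# userAccountControl bit values as documented by Microsoft
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020       # 32
NORMAL_ACCOUNT = 0x0200       # 512
DONT_EXPIRE_PASSWD = 0x10000  # 65536

def bit_and_match(uac: int, mask: int) -> bool:
    """Semantics of LDAP matching rule 1.2.840.113556.1.4.803:
    true only when every bit of mask is set in the attribute value."""
    return uac & mask == mask

def clear_passwd_notreqd(uac: int) -> int:
    """Clear the bit with AND NOT. This is idempotent, whereas XOR would
    set the bit again if applied to an account that is already fixed."""
    return uac & ~PASSWD_NOTREQD

def audit(export_text: str) -> list:
    """Return findings for the accounts the 544 filter would match."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        uac = int(row["userAccountControl"])
        if not bit_and_match(uac, NORMAL_ACCOUNT | PASSWD_NOTREQD):  # 544
            continue
        findings.append({
            "dn": row["DN"],
            "enabled": not uac & ACCOUNTDISABLE,
            "never_expires": bool(uac & DONT_EXPIRE_PASSWD),
            "old_uac": uac,
            "new_uac": clear_passwd_notreqd(uac),
        })
    # Enabled accounts first: a blank password on them is usable for logon.
    return sorted(findings, key=lambda f: not f["enabled"])

# Constructed sample in a csvde-style layout (all DNs and values are made up).
SAMPLE = '''DN,userAccountControl
"CN=Alice,OU=Staff,DC=example,DC=com",512
"CN=Migrated1,OU=Old,DC=example,DC=com",546
"CN=Scripted1,OU=Staff,DC=example,DC=com",544
"CN=Svc1,OU=Svc,DC=example,DC=com",66080
"CN=PC01,CN=Computers,DC=example,DC=com",4128
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```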
