Query users with blank passwords


  • Query users with blank passwords

    Is there any way to find all the users on my domain that have no passwords set?

  • #2
    Re: Query users with blank passwords

    I guess there is, but why don't you set the Default Domain Policy to not allow blank passwords?!


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you



    • #3
      Re: Query users with blank passwords

      There is no way to do it - passwords cannot be read from AD or checked for blanks once they are set. You can enforce password complexity/length policies only when the passwords are reset or changed.
      Guy Teverovsky
      "Smith & Wesson - the original point and click interface"



      • #4
        Re: Query users with blank passwords

        ...but if the default domain policy is set to "Change every 30 days" "Minimum password length 8 characters" and "Password complexity required", and all user accounts have their "Password never expires" flag un-set via a script, their password will expire at the end of the 30 days and it will require them to choose a strong, 8 character password.

        I can't conceive of a domain environment (which I presume is connected to the internet?) which allows blank passwords; it's like hanging the keys to the Vault outside the front door of the organisation and leaving a note saying "Here's the keys to our vault - please come in and take what you want"!!!


        Tom
        For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

        Anything you say will be misquoted and used against you



        • #5
          Re: Query users with blank passwords

          AFAIK if a user account never had a password, the pwdLastSet attribute is NULL (not set).
          If pwdLastSet is changed to 0 and the UserAccountControl attribute does not contain the UF_DONT_EXPIRE_PASSWD flag, then the user is forced to change password at next logon. (vbs: http://www.computerperformance.co.uk...pwdlastset.htm)

          To make sure users cannot change the password to no password:
          Set a password policy on the domain (default domain controller policy or the default domain policy), at least: "Minimum password length" >0 AND "Maximum Password age" >0
          Also, from the moment you set the password policy, no new accounts can be created without setting a password at the same time.


          \Rems
          Last edited by Rems; 18th October 2007, 14:26. Reason: refrase 'has no' to 'never had'

          This posting is provided "AS IS" with no warranties, and confers no rights.

          __________________

          ** Remember to give credit where credit's due **
          and leave Reputation Points for meaningful posts



          • #6
            Re: Query users with blank passwords

            Originally posted by Stonelaughter
            I guess there is, but why don't you set the Default Domain Policy to not allow blank passwords?!
            I did, but currently I think there are still users out there with blank passwords. Everyone's passwords were set to never expire. I'm working on sliding in some better password policies.

            Originally posted by Stonelaughter
            ...but if the default domain policy is set to "Change every 30 days" "Minimum password length 8 characters" and "Password complexity required", and all user accounts have their "Password never expires" flag un-set via a script, their password will expire at the end of the 30 days and it will require them to choose a strong, 8 character password.

            I can't conceive of a domain environment (which I presume is connected to the internet?) which allows blank passwords; it's like hanging the keys to the Vault outside the front door of the organisation and leaving a note saying "Here's the keys to our vault - please come in and take what you want"!!!
            The person who originally set up this domain turned off ALL that stuff: passwords never expire, no passwords remembered, no password complexity, minimum length disabled, etc., etc.

            It's crazy, I know. I am slowly sliding in better password security. It's hard for people who have never had to change a password or remember a complex one.



            • #7
              Re: Query users with blank passwords

              The key is unsetting that password never expires flag with a script; why don't you post in the scripting forum and ask for help with that?


              Tom
              For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

              Anything you say will be misquoted and used against you
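
Added example, not code from any poster in this thread: an audit over exported account attributes that applies the checks from posts #5 and #7, flagging accounts whose pwdLastSet is empty or 0 and accounts carrying UF_DONT_EXPIRE_PASSWD, and computing the userAccountControl value with that flag cleared. It assumes a comma-separated export of sAMAccountName, userAccountControl and pwdLastSet; the sample rows are constructed, and the UF_PASSWD_NOTREQD check is an addition the thread does not mention.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit values as documented by Microsoft.
UF_PASSWD_NOTREQD = 0x0020       # not in the thread: account is exempt from the password requirement
UF_DONT_EXPIRE_PASSWD = 0x10000  # the "Password never expires" checkbox

# Constructed sample export: sAMAccountName,userAccountControl,pwdLastSet
# pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC); empty = attribute not set.
SAMPLE_EXPORT = """\
alice,512,128371392000000000
bob,66048,127100000000000000
carol,544,
dave,66080,0
"""

def filetime_to_utc(ticks):
    """Convert an AD FILETIME value to an aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def audit(export_text):
    """Return per-account issues plus the UAC value with 'never expires' cleared."""
    findings = {}
    for line in export_text.strip().splitlines():
        name, uac_text, pwd_last_set = line.split(",")
        uac = int(uac_text)
        ticks = int(pwd_last_set) if pwd_last_set else 0
        issues = []
        # Empty or 0: never had a password set, or a change is pending at next logon.
        if ticks == 0:
            issues.append("never-set-or-change-pending")
        if uac & UF_PASSWD_NOTREQD:
            issues.append("password-not-required")
        if uac & UF_DONT_EXPIRE_PASSWD:
            issues.append("never-expires")
        findings[name] = {
            "issues": issues,
            "last_set": filetime_to_utc(ticks).date().isoformat() if ticks else None,
            # Clearing only this bit leaves every other account flag untouched.
            "fixed_uac": uac & ~UF_DONT_EXPIRE_PASSWD,
        }
    return findings

if __name__ == "__main__":
    for user, result in audit(SAMPLE_EXPORT).items():
        print(user, result)
```

None of these attributes reveals whether a stored password is actually blank; the output only narrows down which accounts the domain password policy has never been applied to.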
