Domain Accounts that require no password [PASSWD_NOTREQD] [PswdRequired]

The company they are working for us
SAS70 audit
, which rebis our servers we manage to meet certain safety standards [Security Baseline]. between these directives have to mitigate all the vulnerabilities or potential deviations from these standards, if not met devido to any client request or under some of its applications generate a business case [Business Case] \u200b\u200bwhere the customer signs and accept the risk incurred by not complying with established policies. The difference between a SAS70
and certification is that certification if not just get your mind does not give you recognition, but in the SAS70
hand you a document stating that if you meet and where not, so if you do not pass "the test" sales badly in the "Photo" A policy that is being audited which states that users must have a password, and this is analyzed by means of the user's property "Password required", perhaps like me seeking to pass this property within the user properties in Active Directory with ADSI Edit
without getting hit. The solution is on the property is owned UserAcountControl beind coded value that has defined one or more properties of the account. The following table lists the markers that can be assigned, it is not possible to establish some of these values \u200b\u200bin a user or computer object because these values \u200b\u200bcan only set or reset the directory service. The markers are cumulative, to disable a user account, set the UserAccountControl attribute with the value 0x0202 (0x002 + 0x0200). In decimal, corresponding to 514 (2 + 512). These modifications could be done with the ADSI Edit , Ldp.exe
, or a script. Indicator property
value in hexadecimal format in decimal value
SCRIPT 0x0001
| | 1 | | ACCOUNTDISABLE |
| 0x0002 | 2 | | HOMEDIR_REQUIRED |
| 0x0008 | 8 | | LOCKOUT 0x0010 |
| | 16 | | PASSWD_NOTREQD |
0x0020 | | 32 | | PASSWD_CANT_CHANGE Note | can not assign this permission by directly modifying the attribute
UserAccountControl. For information about how to set the permission programmatically, see "Description property markers. | | | | 0x0040 64 |
ENCRYPTED_TEXT_PWD_ALLOWED | | 0x0080 128 | | TEMP_DUPLICATE_ACCOUNT |
| | 0x0100 256 | | NORMAL_ACCOUNT |
| | 0x0200 512 | | INTERDOMAIN_TRUST_ACCOUNT |
| | 0x0800 2048 | | WORKSTATION_TRUST_ACCOUNT |
| | 0x1000 4096 | | SERVER_TRUST_ACCOUNT |
| 0x2000 | 8192 | | DONT_EXPIRE_PASSWORD |
| 0x10000 | 65536 | | MNS_LOGON_ACCOUNT |
| 0x20000 | 131072 | | SMARTCARD_REQUIRED |
| 0x40000 | 262144 | | TRUSTED_FOR_DELEGATION |
| 0x80000 | 524288 | | NOT_DELEGATED |
| 0x100000 | 1048576 | | USE_DES_KEY_ONLY |
| 0x200000 2097152 | | | DONT_REQ_PREAUTH |
| | 0x400000 4194304 | | PASSWORD_EXPIRED |
| 0x800000 8388608 | | | TRUSTED_TO_AUTH_FOR_DELEGATION |
| | 0x1000000 16777216 | | |
| | | | In this case the property that interests us is the PASSWD_NOTREQD where the value is 32, taking into consideration that if the value of a normal count is 512, if you add PASSWD_NOTREQD value 32 will return results is like 544, if we look with ADSI Edit the value is 544 UserAccountControl in effect, and changed it to 512 to identify us as a normal account that requires a password. |
More intormación at: http://msdn2.microsoft.com/en-us/library/aa746398.aspx
http://msdn2.microsoft.com/en- http://support.microsoft.com/kb/305144
us/library/ms677840.aspx