Q: Is it true that Active Directory (AD) includes an option to disable the user requirement to have a password defined for an AD account (i.e., an option that allows for a passwordless logon)? Is there any way to control this important AD security-related configuration option?
A: Yes, AD includes such an option—it's referred to as the password not required AD user account object property. Unlike other password-related AD account options, the password not required option can't be set from the properties of an AD user account object in the Microsoft Management Console (MMC) AD Users and Computers snap-in. You can set it only programmatically or from the command line using the following NET USER command:
net user joe /passwordreq:no
I strongly advise against enabling the password not required property because it disables Windows first line of defense—user authentication. As with the Password never expires user account option, disabling the requirement for a password on a user account undermines your domain or corporate-wide password policy and can create serious security holes in your company's AD forest.
Windows Server 2003 and later includes a new permission, Update-Password-Not-Required-Bit, that controls who can access the password not required AD user account object property. Using this new permission, you can also control which AD administrators can change the requirement to have a password for a given AD user account object. Update-Password-Not-Required-Bit can be configured from the ACL editor of an AD domain, organizational unit (OU), or user object. To access an AD object’s ACL editor, open its Properties and select the Security tab. Figure 1 shows how the Update-Password-Not-Required-Bit permission is given to members of the Authenticated Users group of a Windows 2003 AD domain by default.
Register
