One often-overlooked security risk in Active Directory is the ability to create user accounts without a password (with a blank password). In this article, we’ll explore whether it’s possible to create domain user accounts without a password, how to find such accounts, and to disable them.
If the PASSWD_NOTREQD attribute is enabled for a user account, that account may be able to have a blank password even though the domain password policy requires a minimum password length. PASSWD_NOTREQD is not a separate attribute of the user class in Active Directory (AD). It is stored as one bit of the composite userAccountControl attribute, a bitmask in which each bit is a flag for a specific account property (disabled, locked out, password never expires, and so on).
First, let’s look at how to set an empty password for an AD user account. Use the Set-ADUser PowerShell cmdlet to enable the PasswordNotRequired attribute for a user.
Get-ADUser novach | Set-ADUser -PasswordNotRequired $true
Now let’s check that a password is no longer required for the account.
Get-ADUser novach -Properties * | select name,PasswordNotRequired
The Active Directory Users and Computers graphical snap-in (dsa.msc) can also be used to disable the password requirement for a user. Open the user properties in ADUC, go to the Attribute Editor tab and edit the value of the userAccountControl attribute. Enable the PASSWD_NOTREQD flag by adding 32 (decimal, 0x20) to the current value of the attribute. Add 32 only if the flag is not already set; adding it a second time would set a different bit instead.
Once PASSWD_NOTREQD is enabled for a user, the user still cannot set an empty password for themselves through the standard password change procedure. However, a Domain Admin, a member of the Account Operators group, or a user with delegated AD permission to reset passwords for other accounts can reset that user's password to blank.
Open the ADUC snap-in, right-click on the user, then select Reset Password. Do not enter a new password and leave the password fields blank.
In this case, the AD password policy will not prevent the creation of a blank password. The user will now be able to sign in to a domain-joined Windows computer with a blank password by selecting their account on the logon screen and pressing Enter.
Users with blank passwords are a serious threat to domain security because such accounts are easy to find.
To prevent the creation of users without passwords, administrators must monitor the domain for users who have the PASSWD_NOTREQD attribute enabled. Use the following PowerShell one-liner to list all such users:
Get-ADUser -Filter {PasswordNotRequired -eq $true} -Properties LastLogonTimestamp, PasswordNotRequired | ft SamAccountName, Enabled, PasswordNotRequired, @{n='LastLogonTimestamp';e={[DateTime]::FromFileTime($_.LastLogonTimestamp)}}
Reset the passwords and disable the Password Not Required option for the accounts you find.
Set-ADAccountPassword novach -Reset
Get-ADUser -Identity novach | Set-ADUser -PasswordNotRequired $false -ChangePasswordAtLogon $true
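The one-liners above check a single account at a time. The script below is an added example (not from the article) that turns the audit and the remediation into one repeatable step: it finds every user with bit 0x20 of userAccountControl set using the LDAP_MATCHING_RULE_BIT_AND matching rule (1.2.840.113556.1.4.803), which tests the bit directly rather than relying on the PasswordNotRequired property, writes a CSV report, and, when run with -Remediate, clears the flag, resets each password to a random temporary value and forces a change at next logon. It requires the ActiveDirectory module; the script name, parameter names and report path are this example's own assumptions.

```powershell
# Added example: audit and remediate PASSWD_NOTREQD accounts domain-wide.
# Save as Find-PasswdNotReqd.ps1 (assumed name). Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase,                                  # optional OU DN to limit scope
    [string]$ReportPath = ".\passwd-notreqd-report.csv",  # assumed report location
    [switch]$Remediate
)
Import-Module ActiveDirectory

function New-RandomPassword {
    # Temporary reset value only; ChangePasswordAtLogon forces the user to replace it
    param([int]$Bytes = 24)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buf)
    # Base64 mixes upper, lower case and digits; a symbol is appended for complexity
    ConvertTo-SecureString (([Convert]::ToBase64String($buf)) + '!') -AsPlainText -Force
}

# Bitwise AND on userAccountControl: 32 = PASSWD_NOTREQD
$ldap = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))'
$params = @{
    LDAPFilter = $ldap
    Properties = 'userAccountControl', 'lastLogonTimestamp', 'pwdLastSet', 'whenCreated'
}
if ($SearchBase) { $params.SearchBase = $SearchBase }

$findings = Get-ADUser @params | ForEach-Object {
    [pscustomobject]@{
        SamAccountName    = $_.SamAccountName
        Enabled           = $_.Enabled
        DistinguishedName = $_.DistinguishedName
        Created           = $_.whenCreated
        LastLogon         = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        PwdLastSet        = if ($_.pwdLastSet) { [DateTime]::FromFileTime($_.pwdLastSet) } else { $null }
        # pwdLastSet = 0 means the password was never set or must be changed at logon
        NeverSetPassword  = ($_.pwdLastSet -eq 0)
    }
}

# Enabled accounts first: they are the ones that can actually log on
$findings | Sort-Object Enabled -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} account(s) with PASSWD_NOTREQD; report written to {1}" -f @($findings).Count, $ReportPath)

if ($Remediate) {
    foreach ($f in $findings) {
        if ($PSCmdlet.ShouldProcess($f.SamAccountName, 'Clear PASSWD_NOTREQD and reset password')) {
            Set-ADUser -Identity $f.DistinguishedName -PasswordNotRequired $false
            Set-ADAccountPassword -Identity $f.DistinguishedName -Reset -NewPassword (New-RandomPassword)
            # Must follow the reset, otherwise the reset clears the flag again
            Set-ADUser -Identity $f.DistinguishedName -ChangePasswordAtLogon $true
        }
    }
}
```

Run it without -Remediate to get the report only, then with -Remediate -WhatIf to preview which accounts would be changed before applying the fix. Review service and trust accounts in the report before remediating them, since an unattended password reset can break whatever depends on them.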