AD Computer objects created with password not required flag

Martin Paidar 6 Reputation points
2021-02-24T21:23:07.247+00:00

Hello,

Thanks to implementing Cloud App Security, I found out that there is a large number of AD objects which have "PasswordNotRequired" set. For users it is manually set, but for computers it seems to be done when they are manually created in AD. I searched but can't find anything which would set this (like a GPO etc.). So I would like to know how to prevent this behavior from being the default.

(FYI Domain level is 2016)

Thanks

Martin

2 answers

  1. Martin Paidar 6 Reputation points
    2021-02-25T10:39:54.657+00:00

    Thank you for the answer. The solution I have developed and tested is quite straightforward:

    For AD users

    Get-ADUser -Filter {PasswordNotRequired -eq $true} (this will give you the list of user accounts so you can check them and even export the list if needed)

    Get-ADUser -Filter {PasswordNotRequired -eq $true} | Set-ADUser -PasswordNotRequired $false (this uses the found users and disables the flag on the account)

    For AD Computers

    Get-ADComputer -Filter {PasswordNotRequired -eq $true} (this will give you the list of computer accounts so you can check them and even export the list if needed)

    Get-ADComputer -Filter {PasswordNotRequired -eq $true} | Set-ADComputer -PasswordNotRequired $false (this uses the found users and disables the flag on the account)

    This is tested and works for me quite well.

    But I am still looking for an answer as to why this is the standard behavior for computer objects and how to prevent it from happening.

    Also, whether it can be abused in a similar way as user accounts.


  2. Fan Fan 15,191 Reputation points
    2021-02-25T02:05:33.197+00:00

    Hi,
    If you add the clients with the “PASSWD_NOTREQD” flag set, the AD computer objects will not be affected by the password policy.
    I am not sure there is a way to prevent this, but we can try to identify and then attempt to remove the PASSWD_NOTREQD flag on all affected accounts.
    Here is a script which can be used to do this. Just for your reference:
    https://learn.microsoft.com/en-us/archive/blogs/russellt/passwd_notreqd

    Best Regards,

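Bringing the two answers together, as an added example that is not code from either poster: a PowerShell audit that finds computer objects carrying the PASSWD_NOTREQD bit (0x20 in userAccountControl, the bit behind the PasswordNotRequired property), exports the list for review, and then clears the flag through a function that supports -WhatIf. It assumes the RSAT ActiveDirectory module is installed and uses a placeholder search base that must be replaced.

```powershell
# Added example, not code from the thread. Audits computer objects that carry the
# PASSWD_NOTREQD bit (0x20 in userAccountControl, surfaced as PasswordNotRequired)
# and clears it with -WhatIf support. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$PASSWD_NOTREQD = 0x20   # userAccountControl bit behind the PasswordNotRequired property

function Get-PasswdNotReqdComputer {
    param(
        # Placeholder search base; replace with the OU or domain you want to audit
        [string]$SearchBase = 'DC=example,DC=com'
    )
    # LDAP_MATCHING_RULE_BIT_AND: match objects whose userAccountControl has the 0x20 bit set.
    # Equivalent to -Filter {PasswordNotRequired -eq $true}, but shows the bit being tested.
    $ldapFilter = "(userAccountControl:1.2.840.113556.1.4.803:=$PASSWD_NOTREQD)"
    Get-ADComputer -LDAPFilter $ldapFilter -SearchBase $SearchBase `
        -Properties userAccountControl, whenCreated, PasswordLastSet, OperatingSystem
}

function Clear-PasswdNotReqdComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [Microsoft.ActiveDirectory.Management.ADComputer]$Computer
    )
    process {
        # ShouldProcess honours -WhatIf and -Confirm, so the change can be rehearsed first
        if ($PSCmdlet.ShouldProcess($Computer.DistinguishedName, 'Clear PASSWD_NOTREQD')) {
            Set-ADComputer -Identity $Computer.DistinguishedName -PasswordNotRequired $false
        }
    }
}

# 1. Collect and keep evidence of what was found before changing anything
$affected = Get-PasswdNotReqdComputer
$affected |
    Select-Object Name, whenCreated, PasswordLastSet, OperatingSystem,
        @{ n = 'UAC'; e = { '0x{0:X}' -f $_.userAccountControl } } |
    Export-Csv -Path .\passwd_notreqd_computers.csv -NoTypeInformation

# 2. Dry run; drop -WhatIf once the exported list has been reviewed
$affected | Clear-PasswdNotReqdComputer -WhatIf
```

Running the audit on a schedule and comparing the CSV against the previous run surfaces newly created computer objects that pick up the flag, which is the detection side of the question asked in the thread.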