AD Computer objects created with password not required flag

Martin Paidar 21 Reputation points


thanks to implementing Cloud App Security I found out that there is a large number of AD objects which have "PasswordNotRequired" for user its manually set. But for computers it seems to be done when its manually created in AD. I searched but cant find anything which would set this (like GPO etc). So I would like to know how prevent this behavior to be default.

(FYI Domain level is 2016)



Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,211 questions
{count} vote

3 answers

Sort by: Most helpful
  1. Martin Paidar 21 Reputation points

    Thank you for the answer. Solution I have developed and tested is quite straight forward:

    For AD users

    Get-ADUser -Filter {PasswordNotRequired -eq $true} (this will give you the list of user accounts so you can check them and even export list if needed)

    Get-ADUser-Filter {PasswordNotRequired -eq $true} | Set-ADUser -PasswordNotRequired $false (this uses the found users and disable the flag on account)

    For AD Computers

    Get-ADCompuer-Filter {PasswordNotRequired -eq $true} (this will give you the list of computer accounts so you can check them and even export list if needed)

    Get-ADCompuer-Filter {PasswordNotRequired -eq $true} | Set-ADCompuer-PasswordNotRequired $false (this uses the found users and disable the flag on account)

    This is tested and works for me quite well.

    But I am still looking for answer why this is standard behavior for computer objects and how to prevent it from happening.

    Also if it can be abused similar way as user accounts.

    3 people found this answer helpful.

  2. Fan Fan 15,321 Reputation points Microsoft Vendor

    If you add the clients with the attribute the “PASSWD_NOTREQD” flag set, AD Computer objects will not be effected by the password policy.
    Not sure there is a way to prevent this, but we can try to identify and then attempt to remove the PASSWD_NOTREQD flag on all affected accounts.
    Here is a script which can be used to do this. Just for your reference:

    Best Regards,

    1 person found this answer helpful.
    0 comments No comments

  3. GL 6 Reputation points

    Like OP, I don't have any GP objects that are setting this. In my environment, I feel like this was caused by Windows 2012 Server Essentials. We've since gotten rid of this domain controller and the only users that have this flag set were created using the 'Essentials' wizard. I don't have any way of testing this now because that DC is gone. Users that do NOT have this flag were created before in 2003 SBS and after in 2022 Server Standard. HTH

    0 comments No comments