Password-Not-Required attribute is true. Does this mean that the user can log on withour password?

Kervin Paul R. Vinluan 31 Reputation points
2020-07-05T07:12:02.843+00:00

Hi,

I've noted that there are user accounts in Active Directory with Password-Not-Required (https://learn.microsoft.com/en-us/windows/win32/adschema/a-useraccountcontrol) value equals to "true". Does this mean that the user can log on without a password? Does this override Group Policy for account logons?

Thank you,

Kervin

Microsoft Entra

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marilee Turscak-MSFT 34,066 Reputation points Microsoft Employee
    2020-07-09T21:25:47.037+00:00

    Hi @KervinPaulRVinluan-0523 ,

    Yes, this can override group policy and make it so that your accounts do not have passwords required. This can cause a security gap, but you can easily fix it by querying for the accounts that have "Password-Not-Required" = true and switching the setting to false.

    First, you can get the list of all user accounts that do not require a password:

     Get-ADUser -Filter {PasswordNotRequired -eq $true}

    Then you can correct the accounts using:

     Get-ADUser -Identity User2 | Set-ADUser -PasswordNotRequired $false

    https://learn.microsoft.com/en-us/powershell/module/addsadministration/set-aduser?view=win10-ps

    6 people found this answer helpful.