Matheesha left a comment on Change Password versus Set Password entry that is actually quite good and I hear on a regular basis… That question being “Hey, what’s up with PWD_NOT_REQD??”
The short and sweet… Don’t use it. It isn’t required and shouldn’t be used.
The slightly longer and slightly less sweet… PWD_NOT_REQD is a flag specified by a single bit on the userAccountControl attribute. When that bit is set it means that an account DOES NOT HAVE TO HAVE A PASSWORD. I gave that emphasis because not having a password is bad. The account CAN have a password, it is just allowed to have the password not set.
Usually, the most common occurrence of that flag is on computer accounts. This occurs because there is a bug in ADUC. This is a bug I reported to MSFT some time ago (say 2001 or so)Â but it really doesn’t seem to be too large of a concern for them. If you join a computer normally or use NETDOM you won’t see accounts set that way, but if you precreate accounts in ADUC you will see the flag set and it doesn’t need to be.
I would definitely not allow this on user accounts, period. User accounts should have passwords, again period. The reason is that most environments are not locked down against authenticated users so simply having any userid that can log on with a blank password is a way to see all sorts of information without really proving anything about themselves. At the very least you can read a considerable amount of info from AD and if you are in W2K pre-compatability mode there is a ton of open available info in AD you can get to.
If I walked into an environment and saw accounts set that way I would immediately start investigating them to see if they had blank passwords. If they don’t, clear the setting. If they do, work on getting a password set on an account.
  joe
When I look at our user accounts, most are set to this. I believe this is from the old NT 4 accounts that they were upgraded from. We do have a password policy. I am wondering how can I remove this flag from the user accounts?
Thanks,
Steve
Thanks for the explanation joe. Could you possibly elaborate on if and how it could be used by someone maliciously?
Thanks
M@
OK. I just re-read that. Basically its only an issue if the password is not set and the flag PWD-NOT-REQD is set. In that case, its a user account with a blank password. If a password is set, there is no issue. But as best practice the flag should not be used.
If we prestage computer accounts in a non Windows 2003 Functional level domain then will OldCmp not work because the pwdLastSet attribute is not populated.
Interesting blog as usual.
Thanks
Mike
Matheesa:
Correct, the issue is that there really are no excuses or cases where an account shouldn’t have a password. Having that bit set allows something that shouldn’t occur… The malicious use occurs if someone takes advantage of not having to have a password.
Mike:
Could you send me more detail about what you mean in an email?