Find AD users with empty password using PowerShell

If the PASSWD_NOTREQD flag (bit 0x20) is set in the userAccountControl attribute, the corresponding user account is exempt from the minimum password length of the domain password policy and can therefore have an empty password, even if the policy disallows empty passwords. This presents a security risk. The PowerShell script I want to show you today finds user accounts in your Active Directory domain where the PASSWD_NOTREQD flag is set. Note that the flag only permits an empty password; whether the password actually is empty cannot be read from the directory, so the flag itself is what we search for.

Viewing the PASSWD_NOTREQD flag in ADUC

You can view the userAccountControl attribute in Active Directory Users and Computers (ADUC). Make sure that you have enabled Advanced Features in the View menu of ADUC.

Enabling Advanced Features in ADUC

You can then view the value of the userAccountControl attribute on the Attribute Editor tab of the user account's properties.

userAccountControl attribute in ADUC

The userAccountControl value of a normal user account with an expiring password is 0x200 (512 decimal), which is just the NORMAL_ACCOUNT flag.

userAccountControl with NORMAL_ACCOUNT flag and expiring password

Accounts with non-expiring passwords additionally have the DONT_EXPIRE_PASSWD flag (0x10000) set and show the value 0x10200 (66048 decimal).

userAccountControl with NORMAL_ACCOUNT flag and non-expiring password

User accounts with the PASSWD_NOTREQD flag have the extra bit 0x20 set and show 0x220 (544 decimal) if the password expires.

userAccountControl attribute with PASSWD_NOTREQD flag and expiring password

Such user accounts with non-expiring passwords have the value 0x10220 (66080 decimal).

userAccountControl attribute with PASSWD_NOTREQD flag and non-expiring password

As you can see in the above screenshots, the last two values are the ones where bit 0x20, the PASSWD_NOTREQD flag, is set. The flag could have been set by editing the userAccountControl attribute in Attribute Editor or programmatically, for instance via PowerShell.

If a user account is disabled and has a non-expiring password, the userAccountControl attribute is set to 0x10222 (66082 decimal), that is ACCOUNTDISABLE (0x2) + PASSWD_NOTREQD (0x20) + NORMAL_ACCOUNT (0x200) + DONT_EXPIRE_PASSWD (0x10000).

userAccountControl attribute with ACCOUNTDISABLE and PASSWD_NOTREQD flags, non-expiring password

Disabled user accounts with an expiring password are set to 0x222 (546 decimal).

userAccountControl attribute with ACCOUNTDISABLE and PASSWD_NOTREQD flags, expiring password

Using PowerShell to find users with PASSWD_NOTREQD flag

First, we create a report folder named c:\admin.

After that, we get the distinguished name of the domain and save it in the variable called $domainDN.

Now we can use Get-ADUser with an LDAP filter to search for the affected user accounts. We use the domain DN as the SearchBase and save the result to a text file.

Instead of saving everything to a text file, we can view the output with Out-GridView:

This is the complete PowerShell script:
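The original script is not reproduced on this page. The following is an added example that implements the steps described above (report folder, domain DN as SearchBase, LDAP filter, text/CSV output, Out-GridView); it is not the author's script. It goes a little further by decoding the userAccountControl bits discussed in this post (plus SMARTCARD_REQUIRED, 0x40000, which the post only mentions) so that values such as 544, 66080 or 66082 are shown by flag name. The folder and file names are assumptions, and the ActiveDirectory module from RSAT must be installed.

```powershell
# Added example, not the script from the original post.
# Finds user accounts whose userAccountControl has the PASSWD_NOTREQD bit (0x20) set
# and decodes the other bits discussed in the article.
Import-Module ActiveDirectory

# Report folder and file names are assumptions.
$reportDir  = 'C:\admin'
$reportFile = Join-Path $reportDir 'PasswdNotReqd.csv'
if (-not (Test-Path $reportDir)) { New-Item -ItemType Directory -Path $reportDir | Out-Null }

# Distinguished name of the domain, used as the search base.
$domainDN = (Get-ADDomain).DistinguishedName

# Bit values from the userAccountControl attribute definition.
$uacFlags = [ordered]@{
    ACCOUNTDISABLE     = 0x2
    PASSWD_NOTREQD     = 0x20
    NORMAL_ACCOUNT     = 0x200
    DONT_EXPIRE_PASSWD = 0x10000
    SMARTCARD_REQUIRED = 0x40000
}

function Get-UacFlagNames {
    param([int]$Uac)
    # Names of all known flags present in a userAccountControl value, e.g. 544 -> "PASSWD_NOTREQD | NORMAL_ACCOUNT".
    ($uacFlags.GetEnumerator() | Where-Object { ($Uac -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }) -join ' | '
}

# The LDAP_MATCHING_RULE_BIT_AND rule (OID 1.2.840.113556.1.4.803) matches when the
# given bit is set, whatever the other bits are, so 544, 66080, 546 and 66082 all match.
# objectCategory=person excludes computer accounts, which also have objectClass=user.
$ldapFilter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))'

$affected = Get-ADUser -LDAPFilter $ldapFilter -SearchBase $domainDN `
                -Properties userAccountControl, pwdLastSet |
    Select-Object SamAccountName, DistinguishedName, Enabled,
        @{ n = 'UAC';        e = { $_.userAccountControl } },
        @{ n = 'UACHex';     e = { '0x{0:X}' -f $_.userAccountControl } },
        @{ n = 'Flags';      e = { Get-UacFlagNames $_.userAccountControl } },
        @{ n = 'PwdLastSet'; e = { if ($_.pwdLastSet) { [DateTime]::FromFileTime($_.pwdLastSet) } } }

# Save the report and, alternatively, look at it interactively.
$affected | Export-Csv -Path $reportFile -NoTypeInformation
$affected | Out-GridView -Title 'Accounts with PASSWD_NOTREQD set'
Write-Host ("{0} account(s) with PASSWD_NOTREQD written to {1}" -f @($affected).Count, $reportFile)
```

The same accounts can be found with the extended property `Get-ADUser -Filter 'PasswordNotRequired -eq $true'`, which the module maps to the same bit; the LDAP filter is used here because it makes the bitmask explicit. A pwdLastSet of 0 (never set) next to the flag is a strong hint that the password really may be empty.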

In this post, I only covered accounts that do not use smartcards. The table below gives an overview of the possible userAccountControl values of user accounts that use smartcards.

If the script finds a user account where the PASSWD_NOTREQD flag is set, you can edit the user object in ADUC. For instance, you can change the userAccountControl attribute value from 544 to 512 (NORMAL_ACCOUNT with expiring password). Only clear the 0x20 bit and leave the other bits as they are.

userAccountControl attribute before the change

userAccountControl attribute after the change

If you found many user accounts with the PASSWD_NOTREQD flag, you can automate the task with PowerShell.

If you want to log the corresponding user names, you can save them to a text file.

Log file with user accounts
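The automation and logging script of the post is not reproduced on this page. The following is an added example, not the author's code: it clears the PASSWD_NOTREQD bit on every affected user with Set-ADAccountControl and appends a line per user to a log file, as described above. It supports -WhatIf so that you can review the list before changing anything. The log path is an assumption.

```powershell
# Added example, not the post's own script.
# Clears PASSWD_NOTREQD on all affected users and logs the change.
Import-Module ActiveDirectory

$logFile  = 'C:\admin\PasswdNotReqd-fixed.txt'   # assumption
$domainDN = (Get-ADDomain).DistinguishedName

function Repair-PasswdNotReqd {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SearchBase = $domainDN,
        [string]$LogPath    = $logFile
    )

    # PasswordNotRequired is the module's name for the 0x20 bit of userAccountControl.
    $users = Get-ADUser -Filter 'PasswordNotRequired -eq $true' -SearchBase $SearchBase `
                 -Properties userAccountControl

    foreach ($user in $users) {
        $before = $user.userAccountControl
        # Clearing bit 0x20 turns 544 into 512 and 66080 into 66048; the other bits
        # (ACCOUNTDISABLE, DONT_EXPIRE_PASSWD, SMARTCARD_REQUIRED) are left untouched.
        $after  = $before -band (-bnot 0x20)

        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Clear PASSWD_NOTREQD ($before -> $after)")) {
            Set-ADAccountControl -Identity $user -PasswordNotRequired $false
            $line = '{0} {1} {2} -> {3}' -f (Get-Date -Format s), $user.SamAccountName, $before, $after
            Add-Content -Path $LogPath -Value $line
        }
    }
    return @($users).Count
}

# Dry run first; remove -WhatIf to apply the change.
$count = Repair-PasswdNotReqd -WhatIf
Write-Host "$count account(s) with PASSWD_NOTREQD found"
```

Clearing the flag does not touch the existing password: an account whose password is already empty stays that way until it is reset, so the logged accounts should also get a password reset (for example with Set-ADAccountPassword -Reset) or be forced to change it at next logon.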

2 Comments
  1. Bharattej 4 years ago

    In the loop

    foreach ($user in $UsersNoPwdRequired) {
        Set-ADAccountControl $user -PasswordNotRequired $false
        Add-Content $logfile "$User"
    }

    Kindly tell me the command to fetch the users for $user.


  2. Andy B 4 years ago

    I'm a little confused. If I am reading it right, this script gives you the users who have PasswordNotRequired set, not, as the title suggests, users with a blank password. I don't believe it is even possible to verify directly if the user has a blank password (although I have seen this done rather backhandedly:

    https://blogs.technet.microsoft.com/heyscriptingguy/2005/10/06/how-can-i-verify-that-none-of-my-local-user-accounts-have-a-blank-password/

    😉



© 4sysops 2006 - 2020