Find Users Who Are Allowed To Have No Password Using PowerShell

source link: https://thomasrayner.ca/find-users-who-are-allowed-to-have-no-password-using-powershell/

You can use the UserAccountControl property of an Active Directory user object to enable and disable all kinds of neat functionality: https://support.microsoft.com/en-ca/kb/305144. One of the things you can enable is for a user to have no password (the flag bit with decimal value 32).

While this only impacts users who connect to the console, and it doesn’t mean that a user doesn’t have a password (just that they might), it’s pretty bad to leave that enabled for any users you’ve got.

Here’s an easy one-liner to get a list of users with this problem.

Get-ADUser -Filter "userAccountControl -band 32" -Properties userAccountControl

This shows you all the users in your domain whose "password not required" flag is set.

Here’s an easy way to fix it indiscriminately! Pipe the last command into…

| ForEach-Object { Set-ADAccountControl $_.SamAccountName -PasswordNotRequired $false }
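
An added example (not from the original article) for reviewing the accounts before applying the blanket fix: it decodes each userAccountControl value, shows whether the account is enabled, and computes the value with only bit 32 cleared. The flag names come from the KB 305144 table linked above; the function names and the sample accounts are hypothetical and constructed for illustration.

```powershell
# Added example. Flag values are from the userAccountControl table in KB 305144.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x0002
    PASSWD_NOTREQD       = 0x0020   # the "32" tested by the one-liner
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
    DONT_REQ_PREAUTH     = 0x400000
}

function ConvertFrom-UacValue {
    # Return the names of the flags (from $UacFlags) set in a userAccountControl value.
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object { $_.Key }
}

function Get-PasswordNotRequiredReport {
    # Accepts objects with SamAccountName and userAccountControl properties and
    # emits one row per account that has PASSWD_NOTREQD set.
    param([Parameter(Mandatory, ValueFromPipeline)]$User)
    process {
        $uac = [int]$User.userAccountControl
        if ($uac -band $UacFlags.PASSWD_NOTREQD) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Enabled        = -not ($uac -band $UacFlags.ACCOUNTDISABLE)
                Flags          = (ConvertFrom-UacValue $uac) -join ', '
                ValueAfterFix  = $uac -band (-bnot $UacFlags.PASSWD_NOTREQD)
            }
        }
    }
}

# Constructed sample accounts (hypothetical names), so this runs without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice';   userAccountControl = 512 }    # normal
    [pscustomobject]@{ SamAccountName = 'svc-old'; userAccountControl = 544 }    # 512 + 32
    [pscustomobject]@{ SamAccountName = 'temp01';  userAccountControl = 546 }    # 512 + 32 + 2
    [pscustomobject]@{ SamAccountName = 'kiosk';   userAccountControl = 66080 }  # 65536 + 512 + 32
)
$sample | Get-PasswordNotRequiredReport | Sort-Object Enabled -Descending | Format-Table -AutoSize

# Against a live domain, feed it the article's query instead:
# Get-ADUser -Filter "useraccountcontrol -band 32" -Properties useraccountcontrol |
#     Get-PasswordNotRequiredReport
```

Enabled accounts sort to the top of the report, since those are the ones where an empty password is usable for logon.
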
Written on March 22, 2017
