Using the Axonius Cybersecurity Asset Management Platform to Find Users with the Password Not Required flag set.

Overview

The Active Directory PASSWD_NOTREQD or “Password Not Required” flag allows you to have a fully functioning account with a blank password (even with a valid domain password policy in place).

Security Considerations

Having a user account in AD with the Password Not Required flag set can create a security risk, especially when it is a domain admin account that logs in on a domain controller. Additionally, the user is not subject to any existing policy on password length, so the account may have a shorter password than is required, or no password at all, even if empty passwords are otherwise not allowed.

How to Find Users in Active Directory with Passwords Not Required

In the Axonius Cybersecurity Asset Management Platform, the following query will return all users with passwords set to not required:

adapters_data.active_directory_adapter.ad_uac_account_disable == false and adapters_data.active_directory_adapter.ad_uac_password_not_required == true
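
The same two conditions can be checked outside Axonius against a raw export of the userAccountControl attribute. The Python below is an added example, not part of the original article or Axonius's own code; the CSV layout, the sample rows and the function name are constructed for illustration, and it assumes the export also carries adminCount so that privileged accounts are listed first.

```python
import csv
import io

# userAccountControl bit values documented by Microsoft for Active Directory.
UAC_ACCOUNTDISABLE = 0x0002
UAC_PASSWD_NOTREQD = 0x0020

# Constructed sample export, not real data. Columns are an assumed layout.
SAMPLE_EXPORT = """\
sAMAccountName,userAccountControl,adminCount
alice,512,0
svc-backup,544,0
old-temp,546,0
da-bob,544,1
carol,66048,0
kiosk01,0x10220,
"""


def find_password_not_required(export_text):
    """Return enabled accounts with PASSWD_NOTREQD set, privileged ones first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        # Base 0 accepts both decimal (544) and hex (0x220) exports.
        uac = int(row["userAccountControl"].strip(), 0)
        if uac & UAC_ACCOUNTDISABLE:
            continue  # same as ad_uac_account_disable == false
        if not uac & UAC_PASSWD_NOTREQD:
            continue  # same as ad_uac_password_not_required == true
        # adminCount=1 marks accounts that are or were in protected admin groups.
        privileged = (row.get("adminCount") or "").strip() == "1"
        findings.append(
            {"account": row["sAMAccountName"], "uac": uac, "privileged": privileged}
        )
    findings.sort(key=lambda f: (not f["privileged"], f["account"]))
    return findings


if __name__ == "__main__":
    for f in find_password_not_required(SAMPLE_EXPORT):
        tag = "PRIVILEGED" if f["privileged"] else "standard"
        print(f"{f['account']:<12} uac={f['uac']:#07x} {tag}")
```

A match means the account is permitted to have a blank or short password, not that it currently has one.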
