Using the Axonius Cybersecurity Asset Management Platform to Find Users with the Password Not Required flag set.
The Active Directory PASSWD_NOTREQD or “Password Not Required” flag allows you to have a fully functioning account with a blank password (even with a valid domain password policy in place).
Having a user account in AD with the Password Not Required flag set can create a security risk, especially when it is a domain admin account that logs in on a domain controller. Additionally, the user is not subject to any existing policy on password length, so the account may have a shorter password than is required, or no password at all, even if empty passwords are not allowed.
- Active Directory Password not Required – Includes PowerShell scripts to return lists of users with the AD Password Not Required flag set.
- Understanding and Remediating “PASSWD_NOTREQD” – Microsoft TechNet article on identifying and removing the PASSWD_NOTREQD flag.
How to Find Users in Active Directory with Passwords Not Required
In the Axonius Cybersecurity Asset Management Platform, the following query will return all users with passwords set to not required:
adapters_data.active_directory_adapter.ad_uac_account_disable == false and adapters_data.active_directory_adapter.ad_uac_password_not_required == true
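The same two conditions can be checked directly against raw userAccountControl values, where ACCOUNTDISABLE is bit 0x0002 and PASSWD_NOTREQD is bit 0x0020. The following is an added example, not Axonius code: the LDIF-style export and account names are constructed, and treating adminCount=1 as a marker for privileged accounts is an assumption made here for sorting.

```python
ACCOUNTDISABLE = 0x0002  # userAccountControl bit: account disabled
PASSWD_NOTREQD = 0x0020  # userAccountControl bit: password not required

# Constructed sample export (LDIF-style); not real accounts.
SAMPLE_LDIF = """\
sAMAccountName: aadmin
userAccountControl: 544
adminCount: 1

sAMAccountName: bbuilder
userAccountControl: 512

sAMAccountName: svc_old
userAccountControl: 546

sAMAccountName: ctemp
userAccountControl: 66080
"""


def parse_ldif(text):
    """Parse 'attr: value' entries separated by blank lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(": ") for line in block.splitlines())
        entry = {key: value for key, sep, value in pairs if sep}
        if entry:
            entries.append(entry)
    return entries


def enabled_password_not_required(entries):
    """Enabled accounts with PASSWD_NOTREQD set, adminCount=1 first."""
    hits = []
    for e in entries:
        try:
            uac = int(e["userAccountControl"])
        except (KeyError, ValueError):
            continue  # entry has no usable userAccountControl
        if uac & PASSWD_NOTREQD and not uac & ACCOUNTDISABLE:
            hits.append((e.get("sAMAccountName", "?"), hex(uac),
                         e.get("adminCount") == "1"))
    return sorted(hits, key=lambda h: (not h[2], h[0]))


if __name__ == "__main__":
    for user, uac, privileged in enabled_password_not_required(parse_ldif(SAMPLE_LDIF)):
        print(user, uac, "adminCount=1" if privileged else "")
```

In the sample, svc_old carries the flag but is disabled (546 = 512 + 32 + 2), so it is excluded just as the `ad_uac_account_disable == false` condition excludes it.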