Find Users Who Are Allowed To Have No Password Using PowerShell

The userAccountControl attribute of an Active Directory user object is a bit field that enables and disables all kinds of account behaviour: https://support.microsoft.com/en-ca/kb/305144. One of the bits you can set is PASSWD_NOTREQD (decimal 32, hex 0x0020), which tells the domain that the account is not required to have a password.

Having the flag set doesn't mean the account actually has no password, only that one isn't required: with PASSWD_NOTREQD set, the domain's minimum password length isn't enforced for that account, so a blank (or otherwise non-compliant) password can be set on it. That is a standing weakness whether or not anyone has taken advantage of it yet, so it's pretty bad to leave it enabled on any users you've got.

Here’s an easy one-liner to get a list of users with this problem.

get-aduser -filter "useraccountcontrol -band 32" -properties useraccountcontrol

This shows you every user in your domain whose password-not-required flag is set. The -band operator in the filter does a bitwise AND against userAccountControl, which is the equivalent of the LDAP matching-rule filter (userAccountControl:1.2.840.113556.1.4.803:=32) if you'd rather use ldapsearch or dsquery.

Here's an easy way to fix it indiscriminately! Pipe the last command into…

 | foreach-object { Set-ADAccountControl $_.samaccountname -PasswordNotRequired $false }

Two caveats before you run that against the whole domain. First, clearing the flag doesn't touch the current password: an account that already has a blank password keeps it until the password is reset or changed, so follow up with a password reset or a change-at-next-logon for anything that was actually using the exemption. Second, tack -WhatIf onto Set-ADAccountControl for a dry run first so you can look over the list (service accounts and the like) before changing anything.
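Here's a fuller version of the same find-and-fix, as an added example that is not part of the original post. It assumes the ActiveDirectory module (RSAT) is installed and that you have rights to read and modify the accounts; the report file name and the triage columns are my choices, not anything the post prescribes. Beyond the one-liner above, it separates enabled from disabled accounts, writes a CSV for review, and, because clearing the flag leaves an existing blank password in place, forces a password change at next logon for each account (skipping ones whose password is set to never expire, since Set-ADUser refuses to combine the two).

```powershell
# Added example (not from the original post): audit and remediate PASSWD_NOTREQD.
# Assumes: ActiveDirectory module available, rights to read/modify the accounts.
Import-Module ActiveDirectory

# The userAccountControl bits this script looks at (values from the KB article).
$PASSWD_NOTREQD       = 0x0020
$ACCOUNTDISABLE       = 0x0002
$DONT_EXPIRE_PASSWORD = 0x10000

# Same bitwise filter as the post's one-liner, with extra attributes for triage.
$flagged = Get-ADUser -Filter 'userAccountControl -band 32' `
    -Properties userAccountControl, PasswordLastSet, LastLogonDate, whenCreated

# Build a review table. Enabled accounts come first; a blank or very old
# PasswordLastSet on a flagged account is the one to look at most closely.
$report = foreach ($u in $flagged) {
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = -not ($u.userAccountControl -band $ACCOUNTDISABLE)
        PasswordNeverExpires = [bool]($u.userAccountControl -band $DONT_EXPIRE_PASSWORD)
        PasswordLastSet      = $u.PasswordLastSet
        LastLogonDate        = $u.LastLogonDate
        Created              = $u.whenCreated
        UAC                  = ('0x{0:X}' -f $u.userAccountControl)
    }
}
$report | Sort-Object Enabled -Descending | Format-Table -AutoSize
# Report path is an assumed name; change it to suit.
$report | Export-Csv -Path .\passwd_notreqd_report.csv -NoTypeInformation

# Remediate. Clearing PASSWD_NOTREQD does not change the current password, so an
# account that already has a blank password keeps it. Forcing a change at next
# logon closes that gap. -WhatIf previews only; drop it once the CSV has been
# reviewed (or add -Confirm:$false for a non-interactive run).
foreach ($u in $flagged) {
    Set-ADAccountControl -Identity $u -PasswordNotRequired $false -WhatIf

    if ($u.userAccountControl -band $DONT_EXPIRE_PASSWORD) {
        # Set-ADUser will not set ChangePasswordAtLogon on a never-expires account;
        # these need a manual password reset instead.
        Write-Warning "$($u.SamAccountName): password never expires, reset it manually"
    }
    else {
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf
    }
}
```

Run it once with the -WhatIf switches in place to see exactly which accounts would be touched, then remove them. Accounts the warning singles out still need a real password reset (Set-ADAccountPassword -Reset) by hand, since clearing the flag alone leaves whatever password they have today.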


Written on March 22, 2017