W2K Blank Passwords?

TheMSsForum.com: The Microsoft Software Forum

Hello All

I'm new to W2K and I hope you can help me

I was wondering if there was a script (VB or batch file) that I can run on my Windows 2000 DC that will enumerate all accounts that have a blank password? I do not want to use L0phtcrack or anything similar as I do not want to know the password that any other account is using - only the accounts with a blank password. Is there an easy way to do this

Thanks in advance

Mike
Top

Re: W2K Blank Passwords? by Dave

Dave
Thu Apr 15 09:50:02 CDT 2004

The Baseline Security Analyzer will warn you of weak passwords - I'm not
100% sure it will differentiate a blank one from another form of weak
password, but you could give it a try. I'm not sure what you're trying to
accomplish, but I'd recommend setting minimum password requirements in your
Domain Security Policy. Even in a trusting office with no inbound Internet
access, a 5-character minimum password will help keep out a waiting visitor
or delivery man.

If you don't have minimum password requirements set now, and you do want to
implement them, make sure you do so at a time when you are available to deal
with the fact that everyone's password may have to be changed immediately -
even right in the middle of a session. I'd recommend asking everyone to
change to a policy-compliant password. Then implement the policy at night,
and be there when the users arrive in the morning in case anyone runs into
difficulty.


"Mike Newell" <anonymous@discussions.microsoft.com> wrote in message
news:34E3A564-3F3F-4980-A941-8A9D75566A34@microsoft.com...
> Hello All,
>
> I'm new to W2K and I hope you can help me.
>
> I was wondering if there was a script (VB or batch file) that I can run on
> my Windows 2000 DC that will enumerate all accounts that have a blank
> password? I do not want to use L0phtcrack or anything similar as I do not
> want to know the password that any other account is using - only the
> accounts with a blank password. Is there an easy way to do this?
>
> Thanks in advance,
>
> Mike


Top

Re: W2K Blank Passwords? by anonymous

anonymous
Mon Apr 19 06:21:04 CDT 2004

Hello Dave

MBSA will not scan the Active Directory user accounts - it only scan's local accounts on a server/PC. Any other ideas

Mike
Top

Re: W2K Blank Passwords? by Dave

Dave
Tue Apr 20 16:06:20 CDT 2004

You're right - I never dug into this far enough to check exactly what the
MBSA scans. It's not local accounts - there aren't any on a domain
controller - but the results are strange. I ran it against my SBS, and it
came up with some security groups, one user account, and the iusr and iwam
accounts of two servers out of three. Anyway, useless for your purposes.

Anyway, sorry, no, I don't have any better ideas than that. Have you looked
in your domain security policy to see if there are any password requirements
there? I noticed my minimum password length got set to 5 somehow (we
upgraded the domain from SBS 4.5, so it could have been a policy that
carried over from NT, or it could have been a default in SBS 2k setup). I
still like the idea of setting password requirements with GP - eliminating
blank passwords won't help with single-character passwords, any of a list of
common passwords (such as "password"), etc. A friend would always set his
password to be an apostrophe, because it's right next to the enter key - not
much better than blank.



"Mike Newell" <anonymous@discussions.microsoft.com> wrote in message
news:1277994C-B317-4D25-AA6E-92D8F2A6FA13@microsoft.com...
> Hello Dave,
>
> MBSA will not scan the Active Directory user accounts - it only scan's
> local accounts on a server/PC. Any other ideas?
>
> Mike


Top