Overview #

If the PASSWD_NOTREQD bit of the user-Account-Control Attribute Value is set, then no password is required for the account.

The PASSWD_NOTREQD property is not visible in the normal GUI tools (Active Directory Users and Computers)!

As an example, the user-Account-Control Attribute Value for the account Gill Bates is set to a decimal value of 544 (hex 220). The value is the sum of the individual property flags that make up the user-Account-Control Attribute Value of the user account.

A value of 544 (x220) indicates that the account has the following property flags set / enabled:

  • NORMAL_ACCOUNT: decimal 512 (x200)
  • PASSWD_NOTREQD: decimal 32 (x20)
Note that the PASSWD_NOTREQD property is represented by the hex value x20, so any user-Account-Control Attribute Value in which the x20 bit is set has the PASSWD_NOTREQD flag set. Some examples of user-Account-Control Attribute Values where the PASSWD_NOTREQD flag is set are:
  • x020 - 032 - PASSWD_NOTREQD
  • x220 - 544 - Enabled, PASSWD_NOTREQD
  • x222 - 546 - Disabled, PASSWD_NOTREQD
  • x40222 - 262690 - Disabled, Smartcard Required, PASSWD_NOTREQD


The PASSWD_NOTREQD flag simply means that no password is required for the account, even if the Password Policy requires a non-zero length password. PASSWD_NOTREQD does NOT allow you to use an account that is expired, regardless of the type of authentication.

PASSWD_NOTREQD does NOT imply there is no password, only that no password is required. If there is a password, then the account cannot be used for an Anonymous bind. Since Windows Server 2003, by default, anonymous LDAP Messages other than a Bind Request are disabled (note the distinction: it is the LDAP Messages other than the Anonymous bind itself that are disabled). Anonymous binds are permitted, but by default the only Access is to the rootDSE. This allows anonymous access to the rootDSE as a Discovery Mechanism that then allows Authenticated binds.


Ldapwiki has seen cases where IDM Vendor Products or other creation programs set PASSWD_NOTREQD to create the user, apply a Password, and then fail to remove the flag.

Ldapwiki was able to perform an Anonymous bind as one of the users listed (one with pwdLastSet=0). So as Ldapwiki sees it, there is no Vulnerability in Microsoft Active Directory, but could a user perform a bind with an empty password, using the DN of one of these users, to access an application?
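The flag decoding shown in the list above and the stale-flag audit case Ldapwiki describes, as an added Python example that is not part of the original page. The flag table is the well-known userAccountControl bit set, the LDAP filter uses the standard bitwise-AND matching rule OID, and the account names and pwdLastSet values in the sample records are constructed.

```python
# Added example, not from the Ldapwiki page: decode userAccountControl flag
# bits and audit constructed records for PASSWD_NOTREQD.
# Well-known userAccountControl flag bits (subset; bit -> name).
UAC_FLAGS = {
    0x00002: "ACCOUNTDISABLE",
    0x00020: "PASSWD_NOTREQD",
    0x00200: "NORMAL_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
}
ACCOUNTDISABLE, PASSWD_NOTREQD = 0x2, 0x20
# LDAP_MATCHING_RULE_BIT_AND: matches when every bit of the asserted value is set.
BIT_AND = "1.2.840.113556.1.4.803"

def decode_uac(value):
    """Return the names of the flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def describe_uac(value):
    """Summarise a value in the page's list style: hex - decimal - state, flags."""
    state = "Disabled" if value & ACCOUNTDISABLE else "Enabled"
    flags = [n for n in decode_uac(value) if n not in ("ACCOUNTDISABLE", "NORMAL_ACCOUNT")]
    return f"x{value:X} - {value} - " + ", ".join([state] + flags)

def passwd_notreqd_filter():
    """LDAP filter selecting every user object whose PASSWD_NOTREQD bit is set."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{BIT_AND}:={PASSWD_NOTREQD}))")

def audit(records):
    """Map each PASSWD_NOTREQD account to why it matters: pwdLastSet == 0 means
    no password was ever set, otherwise the flag is likely provisioning residue."""
    findings = {}
    for rec in records:
        if int(rec["userAccountControl"]) & PASSWD_NOTREQD:
            never_set = int(rec["pwdLastSet"]) == 0
            findings[rec["sAMAccountName"]] = (
                "no password ever set" if never_set else "flag left set after password applied")
    return findings

# Constructed sample records (not real directory data); pwdLastSet is a FILETIME.
SAMPLE_RECORDS = [
    {"sAMAccountName": "gbates", "userAccountControl": 544, "pwdLastSet": 0},
    {"sAMAccountName": "svc-idm", "userAccountControl": 544, "pwdLastSet": 133000000000000000},
    {"sAMAccountName": "jdoe", "userAccountControl": 512, "pwdLastSet": 133000000000000000},
]

if __name__ == "__main__":
    print(*(describe_uac(v) for v in (0x20, 0x220, 0x222, 0x40222)), sep="\n")
    print(passwd_notreqd_filter(), audit(SAMPLE_RECORDS), sep="\n")
```

The filter string can be passed as-is to ldapsearch or Get-ADUser -LDAPFilter to list the accounts the audit function would then classify.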
