Overview

If the PASSWD_NOTREQD bit of the user-Account-Control Attribute Value is set, the user is not subject to any existing policy regarding the length of the password.
This implies the user could have a shorter password than is required, or may even have no password at all, even if empty passwords are not allowed. This property is not visible in the normal GUI tools (Active Directory Users and Computers)!
The user-Account-Control Attribute Value for the account Gill Bates is set to a decimal value of 544 (hex 220). The value is the sum of the individual property flags that make up the user-Account-Control Attribute Value of the user account.
A value of 544 (x220) indicates that the account has the following property flags set / enabled:
- NORMAL_ACCOUNT: decimal 512 (x200)
- PASSWD_NOTREQD: decimal 32 (x20)
Other example values (hex, decimal, meaning):

| Hex | Decimal | Meaning |
|---|---|---|
| x020 | 32 | PASSWD_NOTREQD |
| x220 | 544 | Enabled, PASSWD_NOTREQD |
| x222 | 546 | Disabled, PASSWD_NOTREQD |
| x40222 | 262690 | Disabled, Smartcard Required, PASSWD_NOTREQD |
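The decoding above, as an added example (not code from the Ldapwiki page): it splits a userAccountControl value into its flags, summarises it the way the table does, and reviews constructed sample entries for PASSWD_NOTREQD, calling out those with pwdLastSet=0. The sample DNs and values are constructed for this example.

```python
# Added example: decode userAccountControl bitmasks and review accounts
# that carry PASSWD_NOTREQD. The flag constants are the documented
# userAccountControl bit values; the entries below are constructed.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
}
ACCOUNTDISABLE, PASSWD_NOTREQD = 0x2, 0x20

# LDAP_MATCHING_RULE_BIT_AND: a directory search filter that matches every
# account with the PASSWD_NOTREQD bit set, whatever the other bits are.
LDAP_FILTER_PASSWD_NOTREQD = "(userAccountControl:1.2.840.113556.1.4.803:=32)"

SAMPLE_ENTRIES = [  # (dn, userAccountControl, pwdLastSet); constructed data
    ("CN=Gill Bates,OU=Users,DC=example,DC=com", 544, 133000000000000000),
    ("CN=svc-idm,OU=Service,DC=example,DC=com", 546, 0),
    ("CN=Smartcard User,OU=Users,DC=example,DC=com", 262690, 133000000000000000),
    ("CN=Normal User,OU=Users,DC=example,DC=com", 512, 133000000000000000),
]

def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits this table does not know
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:X})")
    return names

def describe(value):
    """Summarise like the page's table: Enabled/Disabled plus notable flags."""
    state = "Disabled" if value & ACCOUNTDISABLE else "Enabled"
    extras = [n for n in decode_uac(value)
              if n not in ("ACCOUNTDISABLE", "NORMAL_ACCOUNT")]
    return ", ".join([state] + extras)

def find_password_not_required(entries):
    """Return {dn: finding} for entries with PASSWD_NOTREQD set; an entry
    whose pwdLastSet is 0 has never had a password set, so it is called out."""
    findings = {}
    for dn, uac, pwd_last_set in entries:
        if uac & PASSWD_NOTREQD:
            note = describe(uac)
            if pwd_last_set == 0:
                note += ", pwdLastSet=0 (password never set)"
            findings[dn] = note
    return findings

if __name__ == "__main__":
    for dn, note in find_password_not_required(SAMPLE_ENTRIES).items():
        print(f"{dn}: {note}")
```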
I have seen cases where IDM Vendor Products or other creation programs set PASSWD_NOTREQD to create the user and then failed to remove the flag.
Ldapwiki was able to perform an Anonymous bind as one of the users listed (one with pwdLastSet=0). So as Ldapwiki sees it, there is no Vulnerability in Microsoft Active Directory, but could a user perform a bind with an empty password, using the DN of one of these users, to access an application?