Empty password in Active Directory despite activated password policy
Lately we found a security gap in Active Directory. We noticed that some accounts in Active Directory were active, but contained an empty password. This should not be possible if a valid password policy is in place. This is at least what I thought…
Why do I get an empty password in Active Directory?
Active accounts with empty passwords are a security gap in my eyes and should just not be possible.
To answer the question of why it happens and how to avoid it, we need to take a look at the UserAccountControl attribute.
“UserAccountControl” – Attribute
I found out that the reason for an empty password in Active Directory can be found here – in the UserAccountControl Attribute.
In this attribute the flag “PASSWD_NOTREQD” can be set. If this flag is set, a domain administrator can give the account an empty password, bypassing the password policy. The user cannot do this for their own account.
In Active Directory you can search for the accounts with the respective flags set.
The following LDAP filter will search for accounts which are active but have the flag “PASSWD_NOTREQD” set.
```text
(&(objectClass=user)(objectCategory=person)(userAccountControl=544)(pwdLastSet=0))
```
For accounts that have only the default flags plus “PASSWD_NOTREQD” set, the attribute “UserAccountControl” has the value 544.
The default value of the attribute “UserAccountControl” (when an account is created) is 512. The flag “PASSWD_NOTREQD” adds 32 to this value, giving 544.
How to set the “PASSWD_NOTREQD” flag
The “PASSWD_NOTREQD” flag can be set
- when migrating from NT4.
- when using the methods IADsContainer.Create, IADs.Put or IADs.SetInfo
- when a user is created by means of ADSIEDIT.MSC
Under the following link you will find a description of how this flag can be cleared from the attribute “UserAccountControl”: http://technet.microsoft.com/en-us/library/ee617249.aspx
```powershell
# Find every user whose UserAccountControl has both bits of 544 set
# (NORMAL_ACCOUNT | PASSWD_NOTREQD); the OID is the LDAP bitwise-AND matching rule.
$usersWithNoPwdRequired = Get-ADUser -LDAPFilter "(&(objectClass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=544))"
foreach ($user in $usersWithNoPwdRequired) {
    # Clear the PASSWD_NOTREQD flag so the password policy applies again
    Set-ADAccountControl $user -PasswordNotRequired $false
}
```
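As an added example (not code from the original post), the following Python decodes UserAccountControl values offline and runs both of the post's filters, the exact match on 544 from the search above and the bitwise rule from the cleanup script, over a constructed account export. It shows that the exact match misses an account whose value also includes DONT_EXPIRE_PASSWORD (66080), while the bitwise rule still catches it. The flag constants are the documented UserAccountControl bits; the account names and values are made up.

```python
# Added example, not code from the original post: decode userAccountControl
# bit flags offline and audit a constructed account export for enabled
# accounts that carry PASSWD_NOTREQD. Flag values are the documented
# UserAccountControl bits (KB305144); the sample accounts are made up.

UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "DONT_REQ_PREAUTH": 0x400000,
}

def decode_uac(value: int) -> list:
    """Names of all known flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]

def matches_exact_544(uac: int, pwd_last_set: int) -> bool:
    """The post's search filter: (userAccountControl=544)(pwdLastSet=0).
    Only hits accounts whose value is exactly NORMAL_ACCOUNT | PASSWD_NOTREQD."""
    return uac == 544 and pwd_last_set == 0

def matches_bitwise_544(uac: int) -> bool:
    """The cleanup filter: userAccountControl:1.2.840.113556.1.4.803:=544
    (bitwise AND rule: every bit in 544 must be set, other bits may be too)."""
    return (uac & 544) == 544

def audit(accounts: list) -> list:
    """sAMAccountNames of enabled accounts that do not require a password."""
    return [a["sAMAccountName"] for a in accounts
            if (a["userAccountControl"] & UAC_FLAGS["PASSWD_NOTREQD"])
            and not (a["userAccountControl"] & UAC_FLAGS["ACCOUNTDISABLE"])]

# Constructed sample export: hypothetical accounts, not real directory data.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jdoe", "userAccountControl": 512, "pwdLastSet": 133000000000000000},
    {"sAMAccountName": "svc-legacy", "userAccountControl": 544, "pwdLastSet": 0},
    {"sAMAccountName": "svc-noexpire", "userAccountControl": 66080, "pwdLastSet": 0},  # 512+32+65536
    {"sAMAccountName": "old-disabled", "userAccountControl": 546, "pwdLastSet": 0},    # 512+32+2
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct["sAMAccountName"], decode_uac(acct["userAccountControl"]))
    print("exact-match filter misses svc-noexpire:", not matches_exact_544(66080, 0))
    print("enabled accounts without a required password:", audit(SAMPLE_ACCOUNTS))
```

Feeding a real export (for example the output of Get-ADUser with the userAccountControl and pwdLastSet properties) into audit() gives the list of accounts the cleanup script above would fix.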
A description of the attribute “UserAccountControl” is available under:
http://support.microsoft.com/kb/305144.