Weak password encryption in Group Policy Preference

Hello,

Since Windows Server 2008, we have been able to set the local administrator password through Group Policy Preferences, but the “encryption” key is published on MSDN, so anyone can read the clear-text password with a few lines of PowerShell.

Deny “Password Never Expire” for Everyone

Hello,

Here is a nice “feature” I just learned about:

It’s possible to deny the permission to tick the “Password Never Expire” box, while keeping the ability to enable/disable the account and manipulate the other bits of “UserAccountControl”.

I think this is useful for help desk people and delegated administrators, to ensure they change their passwords regularly, without affecting their ability to work.

This is an ACL at the domain level:

[Screenshot: Deny-PAssword-Unexpire-1]

Note: this ACL defaults to “Allow”.

I changed this permission to Deny and tried to tick that box with the “Administrator” account:

[Screenshot: Deny-Password-Unexpire]

[Screenshot: Deny-Unexpire-Admin]

The box is clickable, but you can’t apply your changes:

[Screenshot: Deny-PAssword-Unexpire-2]
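The same ACL change scripted in PowerShell, as an added example that is not part of the original post. It assumes the permission in the screenshots is the “Unexpire password” control access right (Unexpire-Password), and the group name `HelpDesk-Operators` is a hypothetical placeholder for your delegated administrators.

```powershell
Import-Module ActiveDirectory

# rightsGuid of the "Unexpire-Password" control access right
# (assumed to be the permission shown in the post's screenshots).
$unexpirePassword = [guid]'ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501'

# Hypothetical group name: replace with the delegated group to restrict.
$group = Get-ADGroup -Identity 'HelpDesk-Operators'
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# The right is evaluated on the domain head, so the ACE goes on the domain object.
$path = "AD:\$((Get-ADDomain).DistinguishedName)"
$acl  = Get-Acl -Path $path

# Skip the change if an identical Deny ACE is already present.
$existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference -eq $sid -and
        $_.ObjectType -eq $unexpirePassword -and
        $_.AccessControlType -eq 'Deny'
    }

if (-not $existing) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $unexpirePassword,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Verify: list every ACE on the domain head that references this right.
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $unexpirePassword } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
```

A Deny ACE takes precedence over the default Allow, so applying it to a broad principal such as Everyone also blocks domain administrators, as the test with the “Administrator” account shows.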

There are some other permissions that can be pretty handy domain-wide:

[Screenshot: Deny-Password-Unexpire-Other-Cool-Permissions]