I had an interesting issue with a customer recently.
After a recent promotion of a couple of Domain Controllers , it came to light some time later that users were able to set their passwords to 0 e.g. minimum password length = 0.
On investigation what was discovered was the following.
When the Domain controller was promoted a secedit script was run. This had been part of a server build process for sometime. It was normally run on completion of the normal member server build was run.
What was included in the secedit.db script was the following critical entries to our discussion;
[Unicode] Unicode=yes [System Access] MinimumPasswordAge = 0 MaximumPasswordAge = 42 MinimumPasswordLength = 0 PasswordComplexity = 0 PasswordHistorySize = 0 LockoutBadCount = 0 RequireLogonToChangePassword = 0 ForceLogoffWhenHourExpire = 0
Secedit configuration that was run
copy x:\abc\xxx\secedit.db c:\secedit.sdb /y
secedit /configure /db c:\secedit.sdb /cfg x:\abc\xxx\xxxabc.inf /overwrite /log x:\abc\xxx\error.log /quiet
attrib +h c:\secedit.sdb
This script was run using Domain Admins credentials
The result of running this command After the Domain Controller was promoted was the following Behaviour;
The Default Domain Account Security settings were overwritten by the “new” Secedit.sdb settings above. This overwrote the settings that are getting applied via the Account Security section in the Default Domain Policy.
Note this is expected behaviour because of the way Domain Controller reads its Security settings.
Information below taken from a Gary Olsen blog of 2005.
“Domain controllers provide security settings to domain users at logon time. This is a critical (and confusing) concept. The user's machine doesn't pull the security settings from the GPO at startup as it does for other machine settings. The client gets the security settings when the user is validated. The security settings that domain controllers apply to clients upon a successful user logon are those that are stored in the DC's local secedit.sdb security database. The DC gets the Account Security settings from the domain policy and applies them to its local .sdb. Note that this applies only to the account security settings, not to any other policy setting. DCs then replicate their local .sdb with each other.”
Note: If you modify block the Default Domain Policy applying to the Domain Controllers it is likely to exhibit this behaviour. Especially if the blocking or modification of the secedit.sdb is leaving the Domain Controller with insecure settings.
Therefore DO NOT run any modification to the secedit.sdb on a Domain Controller. Also do not block the application of the Default Domain Policy to the Domain Controllers OU. Please see previous blog links for further information.
It can potentially have serious implications.
Other useful links
I am always searching online for articles that can help me. There is obviously a lot to know about this. I think you made some good points in Features also. Keep working, great job!
venus factor reviews uk
Your article is extremely fascinating and amusing. From your article.
The post is written in very a good manner and it entails many useful information for me. I am happy to find your distinguished way of writing the post.
This is a really informative knowledge, Thanks for posting this informative Information.
I really enjoyed the quality information you offer to your visitors for this blog. I will bookmark your blog and have my friends check up here often.
It’s very informative and you are obviously very knowledgeable in this area. You have opened my eyes to varying views on this topic with interesting and solid content.
No more fear or worry involved as it certainly exhaust your love and energy in this unpredictable market. For more info, click here my website
Wonderful illustrated information. I thank you about that. No doubt it will be very useful for my future projects. Would like to see some other posts on the same subject!
you've hit the nail on the head. Your blog is important; the issue is something that not enough people are talking intelligently about.
I’ll finally digg it further personally suggest to my buddys. I am steady they endow be benefited from this position.
Your articles help us realize that our problems are typical, and we can solve them in constructive ways.Thank you and keep these good articles coming !
I believe your blog is great because you are always uploading new information that is really informative as well as assists your readers.
Excellent read, Positive site, where did u come up with the information on this posting?I have read a few of the articles on your website now, and I really like your style. Thanks a million and please keep up the effective work.
Fantastic work. This post possesses a real spirit of knowledge. The knowledge here seems unique and I have never known this kind of information in my entire life. This is a very rare post. You should definitely get an award for this.
We definitely taking pleasure in every single bit of this. It is just a great internet site and good write about. I wish to appreciate it. Great task! You guys perform a great blog, and have some great articles