I have the local security policy set to require a minimum password length of 10 characters. On a computer that is not part of a domain, and using the local admin account:
Scenario 1: If a user is created via Control Panel -> Administrative Tools -> Computer Management -> Local Users and Groups with a blank password, the system complains and prevents the account from being created.
Scenario 2: If a user is created via Control Panel -> User Accounts with a blank password, the system allows the account to be created with no problems (with admin rights). You can then log on to the system, with the blank password, but are forced to change it.
Why is the system allowing the account to be created with a blank password in the second scenario? How can it be prevented (policy, registry hack, etc.)?
Thanks
I think you can deny access to the User Accounts Applet via GPO or Local Policy. At least in that way you can be sure that the vector you are aware of cannot be taken advantage of.
Are you sure the policy applies? RSOP should allow you to see exactly what is managing the policy and how it applies.
I think the policy against blank passwords only applies to users changing their own passwords. One way to ensure that newly created accounts don't fall victim to this would be to look at the password complexity rules and turn these on too.
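The two suggestions above (check what policy is actually in effect, and harden the accounts that slipped through) can both be done from an elevated PowerShell prompt on the standalone machine. The script below is an added example, not from any of the posters: it exports the effective local security policy with `secedit` (the same data `rsop.msc` shows on a non-domain machine), cross-checks it with `net accounts`, lists enabled local accounts whose "password not required" flag is set (that flag exempts an account from the length and complexity policy, which is what lets an account exist with an empty password), and then, only when `$apply` is switched on, sets the flag back with `net user /passwordreq:yes`. The export path and the `$apply` switch are assumptions of this example.

```powershell
# Added example: audit the effective local password policy and find accounts
# that are exempt from it. Run from an elevated PowerShell on the standalone PC.
$export = Join-Path $env:TEMP 'secpol-export.inf'   # assumed scratch location
$apply  = $false                                     # set to $true to remediate

# 1. Effective local policy. [System Access] holds the password settings;
#    LimitBlankPasswordUse (under [Registry Values]) controls whether blank
#    passwords may be used for network logons at all.
secedit /export /cfg $export /areas SECURITYPOLICY | Out-Null
Write-Host '--- Effective local policy (secedit export) ---'
Get-Content $export |
    Select-String -Pattern 'MinimumPasswordLength|PasswordComplexity|LimitBlankPasswordUse'

# 'net accounts' reports the same minimum length; a mismatch here means the
# policy is not what you think it is (that is the RSOP question above).
Write-Host '--- net accounts ---'
net accounts | Select-String 'Minimum password length'

# 2. Enabled accounts with PasswordRequired = False carry the "password not
#    required" flag and are exempt from the length/complexity checks.
$exempt = Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired }
Write-Host '--- Enabled local accounts exempt from password policy ---'
$exempt | Select-Object Name, Enabled, PasswordRequired, PasswordLastSet |
    Format-Table -AutoSize

# 3. Remediation: require a password on each exempt account. The next
#    password set on the account must then satisfy the local policy.
foreach ($u in $exempt) {
    if ($apply) {
        net user $u.Name /passwordreq:yes
    } else {
        Write-Host "Would run: net user $($u.Name) /passwordreq:yes"
    }
}

Remove-Item $export -ErrorAction SilentlyContinue
```

Run it first with `$apply = $false` to see which accounts are affected; the dry run prints the exact `net user` command it would issue for each one. `gpresult /h report.html` gives the same effective-policy view as an HTML report if you prefer it to the `secedit` export.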