You can use the UserAccountControl property of an Active Directory user object to enable and disable all kinds of neat functionality: https://support.microsoft.com/en-ca/kb/305144. One of the things you can enable is for a user to have no password (bit in the 32 position).
While this only impacts users who connect to the console, and it doesn’t mean that a user doesn’t have a password (just that they might), it’s pretty bad to leave that enabled for any users you’ve got.
Here’s an easy one-liner to get a list of users with this problem.
1 |
get-aduser -filter "useraccountcontrol -band 32" -properties useraccountcontrol |
This shows you all the users in your domain whose password not required flag is set.
Here’s an easy way to fix it indiscriminately! Pipe the last command into…
1 |
| foreach-object { Set-ADAccountControl $_.samaccountname -PasswordNotRequired $false } |