Reference article:

Explanation in the article above.

So basically you will have to make sure that your computer/user provisioning script override this attribute by removing the bit ADS_UF_PASSWD_NOTREQD from useraccountcontrol for every computer/user created.

This is typically automatically done by tools such as the ADUC, but apparently not by old style tools or scripts.

The reference article above; provide script to remove this PASSWD_NOTREQD bit.


Hopefully you do not have accounts with ADS_UF_PASSWD_NOTREQD.

You could still have accounts with blank passwords in case you had a domain password policy with no minimum password length.

To fix this you have to :

  • make sure your password policies are in line with your security policy
  • verify that users are required to change their passwords
  • verify that users don´t have “Password never expires” ticked in.