Passprop Signature

[Andrew Skatoff]

MSFT Technicians,

Can someone tell me how to determine is passprop has been used to allow a
server's local admin account to be locked out?
I have searched high and low but I can't find any documentation on what
registry or .dll changes occur when this tool is used.

Please help!

 

[Matt Scarborough]

On Fri, 5 Dec 2003 10:43:48 -0500, Andrew Skatoff wrote

Can someone tell me how to determine is passprop has been used to allow a
server's local admin account to be locked out?

Passprop with no arguments returns the existing settings, i.e., on a default install we would
see

C:\>passprop.exe
Passwords may be simple
The Administrator account may not be locked out.

I have searched high and low but I can't find any documentation on what
registry or .dll changes occur when this tool is used.

Within the "F" value at
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account,
a binary value's bitmask defines the password policy, e.g.,

Offset 0x004C

/noadminlockout /simple 00000000
/adminlockout /simple 00001000
/noadminlockout /complex 00000001
/adminlockout /complex 00001001

This value really needs to be changed programmatically with a tool such as passprop.exe. Manual
or offline changes could result in an unusable system.

Matt Scarborough 2003-12-07