Problem with password local security policy

[Guest]

At my company we have several systems that are stand alone windows 2000 pro
workstations. We have the local security policy set so that you have to put a
password in that is 9 characters long. If you go to local user and groups and
create a new user, it will not finish or complete if you do not assign a
password that is a least 9 characters long.
We found today that if you open the user and password applet in the control
panel and click add under the user tab and go through the new user wizard, it
will allow you to assign a blank password. This can only be done if the
account is created by a administrator.
What I need to know is why does it allow it when you use the applet and not
when you use the local user and groups interface and is there a way to
disable or set it so that you cannot easliy create a new user with no
password.
These systems are for use in a closed environment and the company does not
like that you can so easily create a blank password account.
Any suggestions will be appreciated.
Thanks
Glenn

 

[Guest]

Same thing described in this thread that I started..

http://www.microsoft.com/windowsxp/...&tid=fa69fa9f-9ab9-4992-834a-e7d3d4327adc&p=1

I'm guessing the only answer is to not allow access to that control panel
applet. Even then it can still be invoked by "control userpasswords"

 

[Steven L Umbach]

That seems to be the way it works in Windows 2000. The only thing I can
suggest is that you use Group Policy to hide Control Panel applets that you
do not want the users to see under user configuration/administrative
templates/control panel and train them to use lusrmgr.msc to use
stead.. --- Steve

 

[Steven L Umbach]

In such case you could change the ntfs permissions on control.exe or add it
to the blacklisted applications in Group Policy under user
configuration/administrative templates/system - don't run specified Windows
applications. --- Steve

 

[Steven L Umbach]

On second thought scratch that idea as it probably will interfere with other
functionality on the computer. You could however use something like fiilemon
which is free from SysInternals to try and track down an executable/file
that can be modified or removed from the computer that will prevent the user
from using that. --- Steve

 

[Steven L Umbach]

On third thought disabling access to control.exe would be a viable solution
to prevent use of control userpasswords. I am having a rough start to the
day. I usually test out such recommendations and what I mistakenly did was
add control.exe to the list of "run only allowed Windows applications" and
I was wondering why nothing seemed to work! Well I remedied that and all is
well now since I added it to the "don't run specified Windows applications"
list and undefined the run only allowed Windows applications list. Sorry
for the confusion. --- Steve