Local accounts and Group Policy

by Mitch Tulloch [Published on 17 Jan. 2006 / Last Updated on 17 Jan. 2006]

Group Policy can be a minefield and some policy settings are best left unchanged...

Group Policy can be a minefield and some policy settings are best left unchanged. A good example of this is the following policy setting:

Accounts: Limit local account use of blank passwords to console logon only

This policy is found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options and the default value of this setting is Enabled. That means any local user accounts on your machine that have blank passwords cannot be used to remotely access your machine from over the network, and this is good as it helps defeat certain kinds of network attacks against your machine.

This is one policy you shouldn't change, and yet people often do this for various reasons, usually to get some remote app running with no password to make it easier to use. Bad idea! If you need to disable this policy in order to make a program work, you probably shouldn't be using that program in the first place.

Featured Links