Admin Tips
- Windows Server 2008/2003/2000/XP/NT Administrator Knowledge Base
  - Windows 2003
    - Admin Tips
      - Security
        Local accounts and Group Policy

Section(s): Security
Published on Jan 17, 2006.
Last Modified on Jan 17, 2006.
Last Modified by Mitch Tulloch.
Rated 2.5 out of 5 based on 2 votes.

Group Policy can be a minefield and some policy settings are best left unchanged...

Group Policy can be a minefield and some policy settings are best left unchanged. A good example of this is the following policy setting:

Accounts: Limit local account use of blank passwords to console logon only

This policy is found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options and the default value of this setting is Enabled. That means any local user accounts on your machine that have blank passwords cannot be used to remotely access your machine from over the network, and this is good as it helps defeat certain kinds of network attacks against your machine.

This is one policy you shouldn't change, and yet people often do this for various reasons, usually to get some remote app running with no password to make it easier to use. Bad idea! If you need to disable this policy in order to make a program work, you probably shouldn't be using that program in the first place.

About Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has published over two hundred articles on different IT websites and magazines, and he has written or contributed to almost two dozen books and is lead author for the Windows 7 Resource Kit from Microsoft Press. For more information, see www.mtit.com .