Local accounts and Group Policy

by Mitch Tulloch [Published on 17 Jan. 2006 / Last Updated on 17 Jan. 2006]

Group Policy can be a minefield and some policy settings are best left unchanged...

Group Policy can be a minefield and some policy settings are best left unchanged. A good example of this is the following policy setting:

Accounts: Limit local account use of blank passwords to console logon only

This policy is found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options and the default value of this setting is Enabled. That means any local user accounts on your machine that have blank passwords cannot be used to remotely access your machine from over the network, and this is good as it helps defeat certain kinds of network attacks against your machine.

This is one policy you shouldn't change, and yet people often do this for various reasons, usually to get some remote app running with no password to make it easier to use. Bad idea! If you need to disable this policy in order to make a program work, you probably shouldn't be using that program in the first place.

The Author — Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has published over two hundred articles on different IT websites and magazines, and he has written or contributed to almost two dozen books and is lead author for the Windows 7 Resource Kit from Microsoft Press. For more information, see www.mtit.com .

Latest Contributions

Featured Links