Resolve unsecure account attributes

Every account in Active Directory has multiple attributes that represent its security configuration. When misconfigured, these attributes can make the account more susceptible to cyber attacks. Setting them in accordance with security best practices can greatly improve the security posture of your accounts.


A user or an application that relies on these types of unsecure account configurations may stop functioning.

According to the Defender for Identity recommendation, the following user needs this fix.

It gives us the details of the fix.

With the following PowerShell commands we can detect users who can log in without a password:

Get-ADUser -Filter {PasswordNotRequired -eq $true} -Properties PasswordNotRequired | Select-Object Name, SamAccountName, DistinguishedName

Get-ADUser -Filter {PasswordNotRequired -eq $true}

The adm.defender user appears to be configured as insecure so that it can log in without a password.

You can see how we can make it more secure by following the steps below.

Active Directory Users and Computers (ADUC) > View > Advanced Features

User > Properties

Attribute Editor > UserAccountControl

List of property flags

Edit > Value : 512 > Ok

Apply > Ok

Our user has been configured to be more secure. If we had not done this configuration, the user would have been able to log in without a password, which would have created a security risk.
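The steps above write 512 (NORMAL_ACCOUNT) over the whole UserAccountControl value, which also clears any other flag the account carried. The following added example (not from the original post or from Microsoft) clears only the PASSWD_NOTREQD bit instead; the helper names `Get-UacFlagNames` and `Clear-PasswdNotReqd` and the sample values 544 and 66080 are constructed for illustration, and the live-domain part assumes the ActiveDirectory module is installed.

```powershell
# Subset of the documented userAccountControl property flags.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x0002
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED   = 0x40000
    DONT_REQ_PREAUTH     = 0x400000
}

# Hypothetical helper: list the flag names set in a userAccountControl value.
function Get-UacFlagNames([int]$Value) {
    $UacFlags.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }
}

# Hypothetical helper: clear only PASSWD_NOTREQD, leaving every other bit as it was.
function Clear-PasswdNotReqd([int]$Value) {
    $Value -band (-bnot $UacFlags.PASSWD_NOTREQD)
}

# Constructed sample values: a plain account and one with a non-expiring password.
foreach ($v in 544, 66080) {
    $fixed = Clear-PasswdNotReqd $v
    '{0} [{1}] -> {2} [{3}]' -f $v, ((Get-UacFlagNames $v) -join ','),
                                $fixed, ((Get-UacFlagNames $fixed) -join ',')
}

# Against a live domain: preview the change for every flagged account.
# Remove -WhatIf to apply it once the list has been reviewed.
if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    Get-ADUser -Filter {PasswordNotRequired -eq $true} -Properties userAccountControl |
        ForEach-Object {
            $new = Clear-PasswdNotReqd $_.userAccountControl
            Set-ADUser -Identity $_ -Replace @{ userAccountControl = $new } -WhatIf
        }
}
```

Re-running the detection query from earlier in the post afterwards should return no accounts.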

References

https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes

https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/useraccountcontrol-manipulate-account-properties
