Accounts: Limit local account use of blank passwords to console logon only

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Description

This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If the setting is enabled, local accounts that are not password protected can log on only at the computer's keyboard. This security setting does not apply to guest accounts.

Default: Enabled.

Configuring this security setting

You can configure this security setting by opening the appropriate policy and expanding the console tree as follows: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

For specific instructions about how to configure security policy settings, see Edit security settings on a Group Policy object.

Caution

  • Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on using a user account that does not have a password. This is especially important for portable computers.

  • If you apply this security policy to the Everyone group, no one will be able to log on through terminal services.

Notes

  • This setting does not affect logons that use domain accounts.

  • It is possible for applications that use remote interactive logons to bypass this setting.
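
One way to audit this setting together with the local accounts it affects, as an added example that is not part of the original documentation. It assumes Windows PowerShell with Get-WmiObject available, and that the policy is stored in the LimitBlankPasswordUse registry value under the Lsa key (1 = enabled, 0 = disabled), a name this page does not give.

```powershell
# Added example: audit the blank-password console-only setting on the local computer.
# Assumption: the policy is the REG_DWORD LimitBlankPasswordUse under the Lsa key
# (1 = enabled, 0 = disabled). The value name does not appear on this page.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name   = 'LimitBlankPasswordUse'

$prop = Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    $state = 'NotConfigured'      # value missing: report it rather than guess the behavior
} elseif ($prop.$name -eq 1) {
    $state = 'Enabled'
} else {
    $state = 'Disabled'
}
Write-Output "LimitBlankPasswordUse: $state"
if ($state -ne 'Enabled') {
    Write-Output "FINDING setting is $state; the documented default is Enabled"
}

# Local, enabled accounts that are permitted to have no password.
# PasswordRequired = False means a blank password is allowed, not that one is set.
# The LocalAccount filter excludes domain accounts, which this setting does not affect.
$candidates = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { -not $_.Disabled -and -not $_.PasswordRequired }

foreach ($acct in $candidates) {
    if ($acct.SID -like '*-501') {
        # Built-in Guest (RID 501): the setting does not apply to guest accounts.
        Write-Output "REVIEW  $($acct.Name): guest account, not covered by this setting"
    } elseif ($state -eq 'Enabled') {
        Write-Output "INFO    $($acct.Name): may have a blank password; policy limits it to console logon"
    } else {
        Write-Output "FINDING $($acct.Name): may have a blank password and the policy is $state"
    }
}
```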

For more information, see: