Log users on without password AD Bind successful

[scheduledtask]

Hi there,

I have a primary school that has a single Mac machine running OSX 10.4.
My Apple skills are pretty limited but I have managed to bind it to Active Directory.
It can retrieve the users from AD and accounts can log in easy enough if they are password protected.
However none of the kids have passwords here and the head wishes it to remain that way. (Most are infants)

Basically I can't get the kids to log on, if I give them a password it works fine otherwise it refuses.
I feel I am missing something fairly simple and would be grateful for some help.

Regards

Graham

[kernewek-sam]

Perhaps someone with far better knowledge of Macs can suggest something better, but how about simple 1 character password that's the same for everyone? Or if they aren't saving to windows based storage, unbind the mac and create a generic account with no password (or set the account to auto-login in preferences) that they can all use and create a separate folder for each pupil on the desktop to save their work in.

Perhaps there is a simpler option and hopefully someone more skilled will be able to say what it is.

Sam

[AntonioRocco]

Hi

It's not recommended but I think you can configure AD's Password Policy to not require a Password. Have a closer look at the Server's Security Policies. One way or another an answer should be there?

HTH?

Antonio Rocco (ACSA)

[kernewek-sam]

Hi

It's not recommended but I think you can configure AD's Password Policy to not require a Password. Have a closer look at the Server's Security Policies. One way or another an answer should be there?

HTH?

Antonio Rocco (ACSA)

Change Active Directory Strong Password Policies « Everything SharePoint/Silverlight/WP7

[scheduledtask]

I didn't say earlier, the school are using Win 2008 R2 with XP clients and kids log on with no passwords.

Pretty sure I've set all the password policies to disabled or zero as required, however I'll have a closer look at the Default Domain Policy and double check the security settings in case I've missed something.
I'm due on site on Thursday and I'll report back.

Thanks so far.

[PiqueABoo]

I feel I am missing something fairly simple and would be grateful for some help.

Simple huh? I think this from LDAP RFC4513 and possibly others might have something to do with it:

Unauthenticated Bind operations can have significant security issues
(see Section 6.3.1). In particular, users intending to perform
Name/Password Authentication may inadvertently provide an empty
password and thus cause poorly implemented clients to request
Unauthenticated access. Clients SHOULD be implemented to require
user selection of the Unauthenticated Authentication Mechanism by
means other than user input of an empty password. Clients SHOULD
disallow an empty password input to a Name/Password Authentication
user interface. Additionally, Servers SHOULD by default fail
Unauthenticated Bind requests with a resultCode of
unwillingToPerform.

Empty passwords are obviously significant for this protocol. "Can of worms" springs to mind.

[Serving]

For a younger student it would be better to setup a local user with a simple finder... This will make a user they click to login and only show a list of apps for them to use. This is what I setup in the k-4 areas of my school.

[pete]

You can specify different password policies in AD from 2008 onwards (assumes you're on 2008 native domain and forest).

Read this as a starting point: Windows Server 2008 - Fine Grained Password Policy Walkthrough - The Sean Blog - Site Home - TechNet Blogs

That'll prevent adults choosing simple passwords, but let the kids have a default one.

[scheduledtask]

Simple huh? I think this from LDAP RFC4513 and possibly others might have something to do with it:

Duly noted.

I think the idea from Serving (it would be better to setup a local user with a simple finder...) will be worth looking into.

[PiqueABoo]

In your shoes I'd try that alternative too - don't have the energy to verify this, but it definitely looks like blanks passwords just don't mix with LDAP.

[HodgeHi]

For a younger student it would be better to setup a local user with a simple finder... This will make a user they click to login and only show a list of apps for them to use. This is what I setup in the k-4 areas of my school.

Personally I find using the Simple Finder with parental controls enabled a pain in the ass. When you open an application that has been restricted, DON'T choose the always allow option. It doesn't place the application in the list of allowed applications in the Parental Controls. I have looked for about 2 hours and still cannot find where OS X places the setting. I accidentally chose this option for the System Preferences application and now they can open it whenever they want. And it places a shortcut inside the allowed applications window for ease of access.

From my searching the only known way of reverting this is to delete the user and re-create the Parental Controls.