Review the password required status for enabled user accounts.Open "PowerShell".Domain Controllers:Enter "Get-Aduser -Filter * -Properties Passwordnotrequired |FT Name, Passwordnotrequired, Enabled".Exclude disabled accounts (e.g., DefaultAccount, Guest) and Trusted Domain Objects (TDOs).If "Passwordnotrequired" is "True" or blank for any enabled user account, this is a finding.Member servers and standalone or nondomain-joined systems:Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordRequired=False and LocalAccount=True" | FT Name, PasswordRequired, Disabled, LocalAccount'.Exclude disabled accounts (e.g., DefaultAccount, Guest).If any enabled user accounts are returned with a "PasswordRequired" status of "False", this is a finding.

Configure all enabled accounts to require passwords.The password required flag can be set by entering the following on a command line: "Net user [username] /passwordreq:yes", substituting [username] with the name of the user account.