- Does Microsoft ATA detects when the minPwdLength attribute on the AD roots get downgraded to a lower value, such as 0. (This allows users to create accounts without a password, and reset their password to a <blank> one.)
- Does Microsoft ATA detects when the userAccountControl value gets modified to 544?
You can combine this by denying the ''Read userAccountControl'' for Everyone first and then start to modify the value to 544 to be able to reset the account to a <blank> password.
Users won't see this value in ADUC or through LDAP.