Cyber-EE
asked on
Calling 'NetUserChangePassword' for changing other user password
Hi,
I have user Target and Changer on domain (one of the following servers: 2000,2003 and 2008)
In my program (C/C++), I perform a logon via the function 'WNetAddConnection2' with user Changer user and then I call 'NetUserChangePassword' with the Target user...
This works fine, BUT:
I want to know how is it possible that even a limited user can do such an operation (logon via 'WNetAddConnection2' and then change pass with 'NetUserChangePassword' for the target user)
In the MSDN it clearly says:
"The default ACL permits only Domain Admins and Account Operators to call this function. On a member server or workstation, only Administrators and Power Users can call this function."
=> how a limited user make this operation succeeded?
Pls let me know what you think.
tx,
shlom
I have user Target and Changer on domain (one of the following servers: 2000,2003 and 2008)
In my program (C/C++), I perform a logon via the function 'WNetAddConnection2' with user Changer user and then I call 'NetUserChangePassword' with the Target user...
This works fine, BUT:
I want to know how is it possible that even a limited user can do such an operation (logon via 'WNetAddConnection2' and then change pass with 'NetUserChangePassword' for the target user)
In the MSDN it clearly says:
"The default ACL permits only Domain Admins and Account Operators to call this function. On a member server or workstation, only Administrators and Power Users can call this function."
=> how a limited user make this operation succeeded?
Pls let me know what you think.
tx,
shlom
Last Comment
jkr
Well, as you have correctly concluded from the MSDN docs, a limited user cannot do that - that is, the user in question could log on as a different account using 'LogonUser()' and then call that API, but this kinda defeats the purpose....
ASKER
so, how come it works?!
I'm trying to find out I didn't get the relevant error for that....
anyone has some idea?
tx
I'm trying to find out I didn't get the relevant error for that....
anyone has some idea?
tx
What kind of account are you using with 'WNetAddConnection2()'?
ASKER
I using a limited user.
but now I have a bigger issue - pls note:
In the MSDN for NetUserChangePassword there is a note:
"Windows NT: A server or domain can be configured to require a user to log on before changing the password on a user account. In that case, only members of the Administrators or Account Operators local group or the user can change the password for a user account. If logon is not required, a user can change the password for any user account, as long as the user knows the current password."
This is the exact scenario I'm having.
I just want to know, why the MSDN specifies only win NT? Is it possible that this is the behavior for other OS? where can I find a documentation for that?
tx
but now I have a bigger issue - pls note:
In the MSDN for NetUserChangePassword there is a note:
"Windows NT: A server or domain can be configured to require a user to log on before changing the password on a user account. In that case, only members of the Administrators or Account Operators local group or the user can change the password for a user account. If logon is not required, a user can change the password for any user account, as long as the user knows the current password."
This is the exact scenario I'm having.
I just want to know, why the MSDN specifies only win NT? Is it possible that this is the behavior for other OS? where can I find a documentation for that?
tx
ASKER
I found something in MS support:
http://support.microsoft.com/kb/151546
In the example code they gave, they wrote this:
Username is argv[1]
new password is argv[2]
optional target machine (or domain name) is argv[3]
optional old password is argv[4]. This allows non-admin password
changes.
Note that admin or account operator privilege is required on the
target machine unless argv[4] is present and represents the correct
current password.
So I think it might be it.
I'm waiting for your responses.
s.
http://support.microsoft.com/kb/151546
In the example code they gave, they wrote this:
Username is argv[1]
new password is argv[2]
optional target machine (or domain name) is argv[3]
optional old password is argv[4]. This allows non-admin password
changes.
Note that admin or account operator privilege is required on the
target machine unless argv[4] is present and represents the correct
current password.
So I think it might be it.
I'm waiting for your responses.
s.
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Microsoft Development
Most development for the Microsoft platform is done utilizing the technologies supported by the.NET framework. Other development is done using Visual Basic for Applications (VBA) for programs like Access, Excel, Word and Outlook, with PowerShell for scripting, or with SQL for large databases.
48K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
