Cyber-EE asked on

Calling 'NetUserChangePassword' for changing other user password

I have users Target and Changer on a domain (one of the following servers: 2000, 2003 and 2008).
In my program (C/C++), I perform a logon via the function 'WNetAddConnection2' with the Changer user and then I call 'NetUserChangePassword' with the Target user...
This works fine, BUT:
I want to know how it is possible that even a limited user can do such an operation (logon via 'WNetAddConnection2' and then change the password with 'NetUserChangePassword' for the target user).
In the MSDN it clearly says:
"The default ACL permits only Domain Admins and Account Operators to call this function. On a member server or workstation, only Administrators and Power Users can call this function."
=> how did a limited user make this operation succeed?

Please let me know what you think.


Well, as you have correctly concluded from the MSDN docs, a limited user cannot do that - that is, the user in question could log on as a different account using 'LogonUser()' and then call that API, but this kinda defeats the purpose....

So, how come it works?!
I'm trying to find out why I didn't get the relevant error for that....
Does anyone have an idea?

What kind of account are you using with 'WNetAddConnection2()'?

I'm using a limited user.
But now I have a bigger issue - please note:
In the MSDN for NetUserChangePassword there is a note:
"Windows NT:  A server or domain can be configured to require a user to log on before changing the password on a user account. In that case, only members of the Administrators or Account Operators local group or the user can change the password for a user account. If logon is not required, a user can change the password for any user account, as long as the user knows the current password."

This is the exact scenario I'm having.
I just want to know, why does the MSDN specify only Windows NT? Is it possible that this is the behavior for other OSes? Where can I find documentation for that?



I found something in MS support:
In the example code they gave, they wrote this:

    Username is argv[1]
    new password is argv[2]
    optional target machine (or domain name) is argv[3]
    optional old password is argv[4]. This allows non-admin password
    Note that admin or account operator privilege is required on the
    target machine unless argv[4] is present and represents the correct
    current password.

So I think it might be it.
I'm waiting for your responses.
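The self-service path that the quoted sample comment describes, as an added example that is not part of the thread or of Microsoft's sample: a PowerShell P/Invoke wrapper around NetUserChangePassword that makes the old password an explicit parameter and maps the status codes back to their names. The server, account and password values are placeholders.

```powershell
# Added example: P/Invoke NetUserChangePassword from PowerShell. All names
# and passwords below are placeholders, not values from the thread.
Add-Type -Namespace Win32 -Name NetApi -MemberDefinition @'
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern int NetUserChangePassword(
    string domainname, string username, string oldpassword, string newpassword);
'@

function Invoke-SelfServicePasswordChange {
    param(
        [string]$Domain,                            # domain or server name; $null = local machine
        [Parameter(Mandatory)][string]$User,        # account whose password changes
        [Parameter(Mandatory)][string]$OldPassword, # current password: the only credential checked
        [Parameter(Mandatory)][string]$NewPassword
    )
    # NetUserChangePassword always takes the current password. That is why a
    # limited user can succeed: the old password is the gate, not an ACL on the
    # caller. An administrative reset without the old password is a different
    # call (NetUserSetInfo, level 1003) and is the one that needs
    # Administrators / Account Operators rights.
    $domainArg = if ([string]::IsNullOrEmpty($Domain)) { $null } else { $Domain }
    $status = [Win32.NetApi]::NetUserChangePassword($domainArg, $User, $OldPassword, $NewPassword)

    # NET_API_STATUS values from winerror.h / lmerr.h
    $meaning = switch ($status) {
        0    { 'NERR_Success' }
        5    { 'ERROR_ACCESS_DENIED: logon-required policy in effect and caller is not admin/Account Operator' }
        86   { 'ERROR_INVALID_PASSWORD: old password is wrong' }
        2221 { 'NERR_UserNotFound' }
        2245 { 'NERR_PasswordTooShort: new password rejected by password policy' }
        default { "unexpected status $status" }
    }
    [pscustomobject]@{ Status = $status; Meaning = $meaning }
}

# Usage with placeholder values (replace before running on a real domain):
# Invoke-SelfServicePasswordChange -Domain 'DC01' -User 'Target' `
#     -OldPassword 'CurrentP@ss' -NewPassword 'NewP@ss1'
```

Run under the limited Changer account: a status of 0 confirms the "logon not required" behaviour from the MSDN note, while 5 shows the server enforces the logon-required configuration.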
