Cyber-EE asked on

Calling 'NetUserChangePassword' to change another user's password

Hi,
I have users Target and Changer on a domain (one of the following servers: 2000, 2003 and 2008).
In my program (C/C++), I perform a logon via the function 'WNetAddConnection2' with the Changer user and then I call 'NetUserChangePassword' with the Target user...
This works fine, BUT:
I want to know how it is possible that even a limited user can do such an operation (logon via 'WNetAddConnection2' and then change the password with 'NetUserChangePassword' for the target user).
In the MSDN it clearly says:
"The default ACL permits only Domain Admins and Account Operators to call this function. On a member server or workstation, only Administrators and Power Users can call this function."
=> How does a limited user make this operation succeed?

Pls let me know what you think.

tx,
shlom

8/22/2022 - Mon
jkr

Well, as you have correctly concluded from the MSDN docs, a limited user cannot do that - that is, the user in question could log on as a different account using 'LogonUser()' and then call that API, but this kinda defeats the purpose....
ASKER
Cyber-EE

So, how come it works?!
I'm trying to find out why I didn't get the relevant error for that....
Does anyone have an idea?
tx
jkr

What kind of account are you using with 'WNetAddConnection2()'?
ASKER
Cyber-EE

I'm using a limited user.
But now I have a bigger issue - pls note:
In the MSDN for NetUserChangePassword there is a note:
"Windows NT:  A server or domain can be configured to require a user to log on before changing the password on a user account. In that case, only members of the Administrators or Account Operators local group or the user can change the password for a user account. If logon is not required, a user can change the password for any user account, as long as the user knows the current password."

This is the exact scenario I'm having.
I just want to know, why does the MSDN specify only Win NT? Is it possible that this is the behavior for other OSes? Where can I find documentation for that?

tx

ASKER
Cyber-EE

I found something in MS support:
http://support.microsoft.com/kb/151546
In the example code they gave, they wrote this:
   Username is argv[1]
   new password is argv[2]
   optional target machine (or domain name) is argv[3]
   optional old password is argv[4]. This allows non-admin password
   changes.
   Note that admin or account operator privilege is required on the
   target machine unless argv[4] is present and represents the correct
   current password.

So I think it might be it.
I'm waiting for your responses.
s.
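
The behaviour discussed above, as an added example that is not code from this thread or from KB151546: a call to NetUserChangePassword that supplies the old password, with the returned status interpreted so a wrong old password, an access denial and a policy rejection can be told apart. The names chg_result, classify_status and change_with_old_password are hypothetical, the password strings are constructed placeholders, and the Windows call is compiled only when _WIN32 is defined.

```c
/* Added example: not code from this thread or from KB151546. */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <lm.h>
#pragma comment(lib, "netapi32.lib")
#endif

/* Hypothetical result type for this example. */
typedef enum { CHG_OK, CHG_WRONG_OLD_PASSWORD, CHG_DENIED,
               CHG_POLICY, CHG_NO_SUCH_USER, CHG_OTHER } chg_result;

/* Interpret the NET_API_STATUS returned by NetUserChangePassword. */
chg_result classify_status(unsigned long status)
{
    switch (status) {
    case 0:    return CHG_OK;                 /* NERR_Success */
    case 86:   return CHG_WRONG_OLD_PASSWORD; /* ERROR_INVALID_PASSWORD */
    case 5:    return CHG_DENIED;             /* ERROR_ACCESS_DENIED */
    case 2245: return CHG_POLICY;             /* NERR_PasswordTooShort (policy) */
    case 2221: return CHG_NO_SUCH_USER;       /* NERR_UserNotFound */
    default:   return CHG_OTHER;              /* e.g. 2351 NERR_InvalidComputer */
    }
}

#ifdef _WIN32
/* Per the MSDN note quoted above: when logon is not required, knowledge of
   oldpw, checked by the server, is what permits the change. */
chg_result change_with_old_password(const wchar_t *domain, const wchar_t *user,
                                    const wchar_t *oldpw, const wchar_t *newpw)
{
    return classify_status(NetUserChangePassword(domain, user, oldpw, newpw));
}
#endif

int main(void)
{
#ifdef _WIN32
    /* Constructed placeholder values; replace before running. */
    chg_result r = change_with_old_password(NULL, L"Target",
                                            L"<old password>", L"<new password>");
#else
    chg_result r = classify_status(86); /* no NetAPI here: classify a sample status */
#endif
    printf("result=%d\n", (int)r);
    return 0;
}
```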
ASKER CERTIFIED SOLUTION
Computer101
