Solved

change password property in AD

Posted on 2012-03-21
6
357 Views
Last Modified: 2012-03-22
In AD users and computers , I was checking a user account and viewed their properties, if you go onto the security tab of properties, go down to everyone, it has change password ticked in grey? Does that mean everyone can change this users password?

And if so can they do that with NET commands or would they need access to ADUC console?

I need to check this is an issue before reporting it! Is it as simple in ADUC as right clicking the account and "reset password"? And applying a new one?

Is there anyway to run a monster report to see any other accounts where the everyone group can change their password!
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 17

Accepted Solution

by:
Tony Massa earned 167 total points
ID: 37748412
http://support.microsoft.com/kb/242795
To maintain security, users can only change the password if they know the current password.
0
 
LVL 40

Assisted Solution

by:Adam Brown
Adam Brown earned 167 total points
ID: 37748599
Change password is not the same as Reset Password. The change password permission is granted to everyone and as tmassa99 notes, it requires that you first know the existing password to do so. A change password event is issued from a client when you press Ctrl-alt-del and press the Change Password button. You cannot reset a password in ADUC unless you have the Reset Password permission assigned to your account on a specific object in AD.
0
 
LVL 3

Author Comment

by:pma111
ID: 37748607
So its not really an issue? I suspect 'reset password' is more risky?
0
Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

 
LVL 40

Expert Comment

by:Adam Brown
ID: 37748621
It's not an issue. Reset Password permissions given to everyone *could* be a problem, but change password isn't. The Reset Password permission allows password changes without knowledge of the existing password. This is given only to administrative accounts by default.
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 166 total points
ID: 37748720
I concur - the change password allows the user to change their own password.
reset password allows the user to reset someone else's password
0
 
LVL 3

Author Comment

by:pma111
ID: 37748824
Are there any easy ways to identify in bulk if reset passwords been granted to anyone outside the admin group? Like a report feature or a query in aduc?
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article runs through the process of deploying a single EXE application selectively to a group of user.
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question