change password property in AD

In AD Users and Computers, I was checking a user account and viewed their properties. If you go onto the Security tab of the properties and go down to Everyone, it has Change Password ticked in grey. Does that mean everyone can change this user's password?

And if so can they do that with NET commands or would they need access to ADUC console?

I need to check this is an issue before reporting it! Is it as simple in ADUC as right clicking the account and "reset password"? And applying a new one?

Is there any way to run a monster report to see any other accounts where the Everyone group can change their password?
pma111 asked:
 
Tony Massa commented:
http://support.microsoft.com/kb/242795
To maintain security, users can only change the password if they know the current password.
 
Adam Brown (Sr Solutions Architect) commented:
Change Password is not the same as Reset Password. The Change Password permission is granted to Everyone and, as tmassa99 notes, it requires that you first know the existing password to do so. A change password event is issued from a client when you press Ctrl-Alt-Del and press the Change Password button. You cannot reset a password in ADUC unless you have the Reset Password permission assigned to your account on a specific object in AD.
 
pma111 (Author) commented:
So it's not really an issue? I suspect 'reset password' is more risky?
 
Adam Brown (Sr Solutions Architect) commented:
It's not an issue. Reset Password permissions given to Everyone *could* be a problem, but Change Password isn't. The Reset Password permission allows password changes without knowledge of the existing password. This is given only to administrative accounts by default.
 
Brian Pierce (Photographer) commented:
I concur - the Change Password permission allows the user to change their own password.
Reset Password allows the user to reset someone else's password.
 
pma111 (Author) commented:
Are there any easy ways to identify in bulk if Reset Password has been granted to anyone outside the admin group? Like a report feature or a query in ADUC?
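
One way to produce the bulk report asked about in the last comment, added here as an example and not posted by any participant in the thread. It assumes the RSAT ActiveDirectory module on a domain-joined machine, and the `$expected` allow-list of administrative principals is an assumption to adjust for your own domain.

```powershell
Import-Module ActiveDirectory   # RSAT module; also provides the AD: drive

# rightsGuid of the Reset Password extended right (User-Force-Change-Password).
# Change Password is a separate right and is deliberately not reported.
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Assumption: principals expected to hold the right. Adjust for your domain.
$domain   = (Get-ADDomain).NetBIOSName
$expected = @(
    'NT AUTHORITY\SYSTEM'
    'BUILTIN\Administrators'
    'BUILTIN\Account Operators'
    "$domain\Domain Admins"
    "$domain\Enterprise Admins"
)

$report = foreach ($user in Get-ADUser -Filter *) {
    $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        # Only ACEs that carry extended rights (Full Control includes that bit).
        if (-not $ace.ActiveDirectoryRights.HasFlag($extendedRight)) { continue }

        # An empty ObjectType means "all extended rights", Reset Password included.
        $scope = $null
        if ($ace.ObjectType -eq $resetPassword)    { $scope = 'Reset Password' }
        elseif ($ace.ObjectType -eq [guid]::Empty) { $scope = 'All extended rights' }
        if (-not $scope) { continue }

        [pscustomobject]@{
            User      = $user.SamAccountName
            Principal = $ace.IdentityReference.Value
            Grant     = $scope
            Inherited = $ace.IsInherited
        }
    }
}

$report | Sort-Object User, Principal | Format-Table -AutoSize
```

The Principal column is the direct trustee on each ACE; group membership is not expanded, so a group listed here still needs its members reviewed. On a large domain, pass `-SearchBase` to `Get-ADUser` to audit one OU at a time.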