change password property in AD

In AD users and computers , I was checking a user account and viewed their properties, if you go onto the security tab of properties, go down to everyone, it has change password ticked in grey? Does that mean everyone can change this users password?

And if so can they do that with NET commands or would they need access to ADUC console?

I need to check this is an issue before reporting it! Is it as simple in ADUC as right clicking the account and "reset password"? And applying a new one?

Is there anyway to run a monster report to see any other accounts where the everyone group can change their password!
LVL 4
pma111Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Tony MassaCommented:
http://support.microsoft.com/kb/242795
To maintain security, users can only change the password if they know the current password.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Adam BrownSr Solutions ArchitectCommented:
Change password is not the same as Reset Password. The change password permission is granted to everyone and as tmassa99 notes, it requires that you first know the existing password to do so. A change password event is issued from a client when you press Ctrl-alt-del and press the Change Password button. You cannot reset a password in ADUC unless you have the Reset Password permission assigned to your account on a specific object in AD.
pma111Author Commented:
So its not really an issue? I suspect 'reset password' is more risky?
Cloud as a Security Delivery Platform for MSSPs

Every Managed Security Service Provider (MSSP) needs a platform to deliver effective and efficient security-as-a-service to their customers. Scale, elasticity and profitability are a few of the many features that a Cloud platform offers. View our on-demand webinar to learn more!

Adam BrownSr Solutions ArchitectCommented:
It's not an issue. Reset Password permissions given to everyone *could* be a problem, but change password isn't. The Reset Password permission allows password changes without knowledge of the existing password. This is given only to administrative accounts by default.
Brian PiercePhotographerCommented:
I concur - the change password allows the user to change their own password.
reset password allows the user to reset someone else's password
pma111Author Commented:
Are there any easy ways to identify in bulk if reset passwords been granted to anyone outside the admin group? Like a report feature or a query in aduc?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.