Solved

change password property in AD

Posted on 2012-03-21
6
353 Views
Last Modified: 2012-03-22
In AD Users and Computers, I was checking a user account and viewed their properties. If you go onto the Security tab of properties and go down to Everyone, it has Change Password ticked in grey. Does that mean everyone can change this user's password?

And if so can they do that with NET commands or would they need access to ADUC console?

I need to check this is an issue before reporting it! Is it as simple in ADUC as right clicking the account and "reset password"? And applying a new one?

Is there any way to run a monster report to see any other accounts where the Everyone group can change their password?
0
Comment
Question by:pma111
6 Comments
 
LVL 17

Accepted Solution

by:Tony Massa
Tony Massa earned 167 total points
http://support.microsoft.com/kb/242795
To maintain security, users can only change the password if they know the current password.
0
 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 167 total points
Change Password is not the same as Reset Password. The Change Password permission is granted to Everyone and, as tmassa99 notes, it requires that you first know the existing password to do so. A change password event is issued from a client when you press Ctrl-Alt-Del and press the Change Password button. You cannot reset a password in ADUC unless you have the Reset Password permission assigned to your account on a specific object in AD.
0
 
LVL 3

Author Comment

by:pma111
So it's not really an issue? I suspect 'reset password' is more risky?
0
 
LVL 38

Expert Comment

by:Adam Brown
It's not an issue. Reset Password permissions given to everyone *could* be a problem, but change password isn't. The Reset Password permission allows password changes without knowledge of the existing password. This is given only to administrative accounts by default.
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 166 total points
I concur - the Change Password permission allows the user to change their own password.
Reset Password allows the user to reset someone else's password.
0
 
LVL 3

Author Comment

by:pma111
Are there any easy ways to identify in bulk if Reset Password has been granted to anyone outside the admin group? Like a report feature or a query in ADUC?
0
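
One way to build the bulk report asked about above, as an added example that is not part of the original thread. It reads the ACL of every user object and lists Allow ACEs that carry the Reset Password extended right (or all extended rights, which includes it) for principals outside an expected list. The `$Expected` list and the report columns are assumptions to adjust for your domain.

```powershell
# Added example (not from the thread): list principals that can reset passwords on user objects.
# Requires the ActiveDirectory module (RSAT) and permission to read object ACLs.
Import-Module ActiveDirectory

# Control access right GUIDs from the AD schema
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password
$AllRights     = [guid]::Empty                                  # ACE not limited to one right

# Assumption: principals expected to hold Reset Password; adjust for your domain.
$Expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Account Operators',
            '*\Domain Admins', '*\Enterprise Admins'

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$inheritOnly   = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$report = foreach ($user in Get-ADUser -Filter *) {
    $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs pass to child objects and do not apply to this user
        if ($ace.PropagationFlags -band $inheritOnly) { continue }
        # Reset Password is an extended right; GenericAll (full control) includes that bit
        if (-not ($ace.ActiveDirectoryRights -band $extendedRight)) { continue }
        if ($ace.ObjectType -ne $ResetPassword -and $ace.ObjectType -ne $AllRights) { continue }

        $identity = $ace.IdentityReference.Value
        if ($Expected | Where-Object { $identity -like $_ }) { continue }

        [pscustomobject]@{
            User      = $user.SamAccountName
            Principal = $identity
            Rights    = $ace.ActiveDirectoryRights
            Scope     = if ($ace.ObjectType -eq $AllRights) { 'All extended rights' } else { 'Reset Password' }
            Inherited = $ace.IsInherited
        }
    }
}

# Review on screen, or pipe $report to Export-Csv for a report
$report | Sort-Object Principal, User | Format-Table -AutoSize
```

Rows where `Inherited` is true come from an ACE set higher up (an OU or the domain root), so the fix belongs on that container rather than on each user.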
