McKnife
asked on
net user weakuser newpa$$word /domain gets access denied - why?
Hi experts.
First: please be aware that this question is not that easy and that wild guesses are likely to be ignored. You should try any suggestion yourself prior to making it.
Setup: Domain Controller on 2008 R2 or (if you like) on 2012 R2 (maybe 2003, haven't tested)
Clients: does not matter, anything you have
1) users may change their password interactively using CTRL-Alt-Del
2) domain administrators may change anyone's password using the shell command
net user someuser newpa$$word /domain
3) standard users get "access denied" trying 2)
**now for the interesting part, the reason why I am asking**
4) standard users that use passwd.exe (a freeware alternative command line password changer) may successfully change their password.
Why is that so? What does passwd.exe do that net.exe cannot? Has Microsoft crippled net.exe for some reason?
--
Why do I need this: Because we would like to use script-based self-invoked password changing with standard user accounts and hoped not to use 3rd party utilities for that.
Find passwd.exe attached, change .doc to .exe
passwd.doc
Net.exe does not allow standard user accts to submit password changes via this method by design.
http://support.microsoft.com/kb/149427
ASKER
Yes and no. While the symptoms are characterized correctly, MS does not mention that users may indeed reset their pw if they are only granted a certain access right to their own user object... which is what I am trying to find out.
What is needed to not only be able to change but to reset a password? "reset password" is present as a granular privilege, but granting it does not change anything.
Once you tick the Reset Password right in ADUC, you have to use something that is LDAP aware to reset the user password.
Net.exe is not LDAP aware. So some admins use a vb script (with the ldap info populated) to do it.
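To make the "LDAP aware" point concrete, here is an added PowerShell example (not code from the thread or from passwd.exe) that separates the two operations AD exposes through ADSI: a self-service change, which supplies the old password and only needs the "Change Password" right SELF holds by default, and an administrative reset, which needs the "Reset Password" control access right on the target object. The DN and server name are placeholders.

```powershell
# Added example, not from the original post. Binds over LDAP as the logged-on
# user (the caller's own token), so no credentials are passed on the command line.

function Invoke-SelfPasswordChange {
    # Self-service CHANGE: old password is supplied, so AD checks the
    # "Change Password" control access right, which SELF has on its own
    # object by default (the same check an interactive CTRL-Alt-Del change hits).
    param(
        [string]$DistinguishedName,   # e.g. 'CN=weakuser,OU=Users,DC=example,DC=local' (placeholder)
        [string]$Server,              # e.g. 'dc01.example.local' (placeholder)
        [string]$OldPassword,
        [string]$NewPassword
    )
    $user = [ADSI]"LDAP://$Server/$DistinguishedName"
    try {
        # ADSI picks the transport for the password operation; the script does not.
        $user.ChangePassword($OldPassword, $NewPassword)
        return $true
    } catch {
        Write-Warning "ChangePassword failed: $($_.Exception.Message)"
        return $false
    }
}

function Invoke-PasswordReset {
    # Administrative RESET: no old password, so AD checks the "Reset Password"
    # control access right on the target object (what a helpdesk role is delegated).
    param(
        [string]$DistinguishedName,   # placeholder DN of the target account
        [string]$Server,              # placeholder DC name
        [string]$NewPassword
    )
    $user = [ADSI]"LDAP://$Server/$DistinguishedName"
    try {
        $user.SetPassword($NewPassword)
        return $true
    } catch {
        Write-Warning "SetPassword failed: $($_.Exception.Message)"
        return $false
    }
}

# Usage (placeholders): a standard user running the first call against their own
# object succeeds with default permissions; the second call fails unless the
# caller holds "Reset Password" on that object.
# Invoke-SelfPasswordChange -DistinguishedName 'CN=weakuser,OU=Users,DC=example,DC=local' `
#     -Server 'dc01.example.local' -OldPassword 'oldpa$$word' -NewPassword 'newpa$$word'
```

Running the two calls as a standard user shows which of the two rights the account actually holds on its own object, which is the distinction the asker is chasing when "Reset Password" on SELF seems to have no effect.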
ASKER
How come he can use net.exe if I give him full access to his own object?
ASKER
Schuyler Dorsey, why is net.exe only usable with full permissions on the object? If it were LDAP-aware, how would it use this "awareness"?
ASKER
No progress was made, closing.
ASKER
At the ACLs of the user objects I have tried to modify granular permissions so the "self" account may reset the password but to no avail. Not before I gave full access to the "self" account could users successfully use net.exe.
Question is indeed: what granular permission is needed for RESET?