?
Solved

net user weakuser newpa$$word /domain gets access denied - why?

Posted on 2014-03-18
8
Medium Priority
?
511 Views
Last Modified: 2014-04-15
Hi experts.

First: please be aware that this question is not that easy and that wild guesses are likely to be ignored. You should try any suggestion yourself prior to making it.

Setup: Domain Controller on 2008 R2 or (if you like) on 2012 R2 (maybe 2003, haven't tested)
Clients: does not matter, anything you have
1) users may change their Password interactively using CTRL-Alt-Del
2) domain administrators may change anyone's password using the shell command
net user someuser newpa$$word /domain
3) standard users get "access denied" trying 2)

**now for the interesting part, the reason why I am asking**

4) standard users that use passwd.exe (a freeware alternative command line password changer) may successfully change their password.

Why is that so? What does passwd.exe do that net.exe cannot? Has Microsoft crippled net.exe for some reason?
--

Why do I need this: Because we would like to use script-based self-invoked password changing with standard user accounts and hoped not to use 3rd party utilities for that.

Find passwd.exe attached, change .doc to .exe
passwd.doc
0
Comment
Question by:McKnife
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 2
8 Comments
 
LVL 56

Author Comment

by:McKnife
ID: 39938612
Edit: I am aware that the difference between net.exe and passwd.exe is fundamental: while net.exe does not need to know the old password, passwd.exe cannot do without. Effectively, that makes net.exe's action a password RESET, while passwd.exe SETS a password.

At the ACLs of the user objects I have  tried to modify granular permissions so the "self" account may reset the password but to no avail. Not before I gave full access to the "self" account could users successfully use net.exe.

Question is indeed: what granular permission is needed for RESET?
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39938623
Net.exe does not allow standard user accts to submit password changes via this method by design.

http://support.microsoft.com/kb/149427
0
 
LVL 56

Author Comment

by:McKnife
ID: 39938633
Yes and no. While the symptoms are characterized correctly, MS does not mention that users may indeed reset their pw if they are only granted a certain access right to their own user object... which is what I am trying to find out.
What is needed to not only be able to change but to reset a password? "reset password" is present as granular privilege nut granting it does not change anything.
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39938677
Once you tick the Reset Password right in ADUC, you have to use something that is LDAP aware to reset the user password.

Net.exe is not LDAP aware. So some admins use a vb script (with the ldap info populated) to do it.
0
 
LVL 56

Author Comment

by:McKnife
ID: 39938975
How come he can use net.exe if I give him full access to his own object?
0
 
LVL 56

Author Comment

by:McKnife
ID: 39967855
Schuyler Dorsey, why is net.exe only usable with full permissions on the object? If it were LDAP-aware, how would it use this "awareness"?
0
 
LVL 56

Accepted Solution

by:
McKnife earned 0 total points
ID: 39993410
No progress was made, closing.
To have at least done something, I have investigated how to workaround this using a powershell script - for anybody interested:
--
Function Set-AdUserPwd ([string]$user,[string]$pwd) {
    $objSearch = New-Object System.DirectoryServices.DirectorySearcher 
    $objSearch.Filter = "(SamAccountName=$user)"
    $allUsers = $objSearch.FindOne()
    foreach ($user in $allUsers) {
    	$o = $user.GetDirectoryEntry()
        $o.Invoke("SetPassword",$pwd)
        $o.CommitChanges()
    }
}
Set-AdUserPwd -user $env:USERNAME -pwd "Passw0rd"

Open in new window

0
 
LVL 56

Author Closing Comment

by:McKnife
ID: 40001111
No progress was made, closing.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Suggested Courses
Course of the Month11 days, 15 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question