Posted

Found a security problem

When you get your "password is going to expire" warning and you choose to change it, when you get the change password box you can enter another user's user name and their existing password and change it.

How can this be stopped?


Posted

The best way to stop it would be to ensure your password isn't known by others. In order for that to work you have to type in your current password and then your new password. If you don't know the user's password you can't change it.

Posted

My domain has the domain name blacked out. Is there a function to black out the user name or make sure that the box is empty?

Posted
you can enter another user's user name and their existing password and change it.

How can this be stopped?

Well, the user shouldn't know another user's name and password??

Posted (edited)

Agreed..."blacking out" the user name wouldn't do any good. If you know the password already there's nothing stopping you from logging in as that user and changing the password. Sharing passwords is one of the biggest security problems there is...it's a matter of educating your users not to do this.

Edited by nmX.Memnoch

Posted
Agreed..."blacking out" the user name wouldn't do any good. If you know the password already there's nothing stopping you from logging in as that user and changing the password. Sharing passwords is one of the biggest security problems there is...it's a matter of educating your users not to do this.

The user can't change their password in Windows; that is not an option on the Control-Alt-Delete menu.

But they can sure make life harder for the admins. Just thought there might be a method of blocking it out to make it harder for the end user to change their password.

Posted

I'm having a hard time understanding why you would want to keep them from changing their password. Most places require that passwords be changed on a schedule (usually at most every 90 days). It's good security practice to change them as often as possible without it being annoying.

Posted (edited)

Ok,

I am in a domain at work.

I get a warning every month-ish telling me my password will expire.

When I click Yes to change the password I get a Windows default change password screen. I can take my user name out of the user name box and put another user's in and change theirs.

I am going to tell the admin, but I need to know if there is a way to black out the user name box or stop it being edited so I can help my administrator.

Hope that's a bit clearer.

I don't want the user to not be able to change their password, just stop them changing other users' passwords.

Edited by Mini123

Posted

I don't. This is a student environment, so people are going to try and get on other user accounts to delete files to get back at other people.

I don't know any passwords.

Posted

You're misunderstanding how the Change Password screen works.

You have to know the current password before you can change it to a new one. So don't worry, you can't just put in a user name and change the password. :)

Posted

I know how the screen works.

All I am asking is: is there a command you can put into the domain security policy to black out the user name box or stop it being edited?
