The world's most trusted forum on Active Directory Security
Hello again. I would also like to know what is the difference between the Change Password and the Reset Password extended rights in Active Directory?
My understanding is that the former is needed to change one's own password, and the other is needed to reset someone else's password. Is this correct?
The question was prompted on our findings that Everyone was given the Change Password right in our Active Directory and that quite a few admin groups were given the Reset Password extended right.
We are in the middle of an Active Directory clean-up and I thought it might be good to get some clarity on exactly how these rights work in Active Directory.
Wherever you go and whatever you do, may the luck of the Irish be there with you.
Your understanding is correct. The Change Password extended right is what enables users to change their own password, and the Reset Password extended right is what enables Help Desk personnel to be able to reset a user's password.
In general, it helps to understand the difference between the requirements for changing a password and resetting a password, which is as follows -
I. A Change Password operation is designed to be performed by the end user him/herself and it requires knowledge of the current password.
II. In contrast, the Reset Password operation is designed for the IT support function and it does NOT require knowledge of the current password.
There are some important observations that can be made here -
1. In the absence of additional authentication factors, the password is the only thing that gates the use of a user account, so if you could either change it, or reset it, you could in effect take over the user account.
2. In general, for hackers, it is much easier to just reset a user's password than brute-force it or try to guess it, because it is so much easier to try and find out who can reset an account's password since all domain user account holders already have almost unlimited read-access in Active Directory.
3. That is why the Reset Password is an administrative task, and the ability to reset passwords should not be distributed/delegated indiscriminately.
4. It is also very important to know at all times who can reset the password of every user account in the Active Directory. Unfortunately, trying to find out who can reset whose passwords is not very easy in Active Directory.
5. It is equally important to note that it is not sufficient to merely look for security permissions granting users/groups the Reset Password extended right because permissions in Active Directory do not work in isolation. (Basically you need to determine the resultant-set-of-permissions to get the true picture.)
I think you're on the right track and I would only suggest that instead of trying to find which groups may have the Reset Password extended right granted, you instead determine resultant-access on your Active Directory domain user accounts to find out who can actually reset domain user account passwords.
Hope that helps.
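As an added example (not code from the forum post or from any vendor mentioned in this thread), the PowerShell below lists every ACE on a single user object that grants or denies the Reset Password or Change Password extended right, and can expand group trustees to their nested members. It assumes the RSAT ActiveDirectory module on a domain-joined host; the account name in the usage line is a placeholder. The two schema GUIDs are the well-known values for the User-Force-Change-Password and User-Change-Password rights.

```powershell
# Added example, not code from the forum thread. Enumerates the ACEs on one user object that
# carry the Reset Password / Change Password extended rights, optionally expanding group trustees.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# Well-known schema GUIDs of the two extended rights discussed above.
$script:ResetPasswordGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$script:ChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # User-Change-Password
$script:GenericAll         = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$script:ExtendedRight      = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-PasswordRightTrustees {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # account to inspect (placeholder in usage)
        [switch] $ExpandGroups
    )

    $user = Get-ADUser -Identity $SamAccountName
    # The AD: drive returns the object's DACL, inherited ACEs included.
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    foreach ($ace in $acl.Access) {
        $rights = $ace.ActiveDirectoryRights
        $grants = @()

        if (($rights -band $script:GenericAll) -eq $script:GenericAll) {
            # Full control covers every extended right on the object.
            $grants += 'Reset Password (via GenericAll)', 'Change Password (via GenericAll)'
        }
        elseif (($rights -band $script:ExtendedRight) -eq $script:ExtendedRight) {
            if ($ace.ObjectType -eq [Guid]::Empty) {
                # An ExtendedRight ACE with an empty ObjectType means "all extended rights".
                $grants += 'Reset Password (via all extended rights)', 'Change Password (via all extended rights)'
            }
            elseif ($ace.ObjectType -eq $script:ResetPasswordGuid)  { $grants += 'Reset Password' }
            elseif ($ace.ObjectType -eq $script:ChangePasswordGuid) { $grants += 'Change Password' }
        }
        if ($grants.Count -eq 0) { continue }

        $members = $null
        if ($ExpandGroups) {
            # Trustees look like DOMAIN\Name. Groups are expanded recursively; users and
            # well-known principals such as Everyone or SELF are reported as-is.
            $name = $ace.IdentityReference.Value.Split('\')[-1]
            try {
                $group   = Get-ADGroup -Identity $name -ErrorAction Stop
                $members = (Get-ADGroupMember -Identity $group -Recursive |
                            Select-Object -ExpandProperty SamAccountName) -join ', '
            }
            catch { $members = '(not a group or not resolvable)' }
        }

        foreach ($g in $grants) {
            [PSCustomObject]@{
                User      = $user.SamAccountName
                Trustee   = $ace.IdentityReference.Value
                Access    = $ace.AccessControlType   # Allow or Deny
                Right     = $g
                Inherited = $ace.IsInherited
                Members   = $members
            }
        }
    }
}

# Usage (placeholder account name):
# Get-PasswordRightTrustees -SamAccountName 'cfo.account' -ExpandGroups | Format-Table -AutoSize
```

This output is still the "who has what permissions" view the answer warns about: it shows the ACEs on one object and the membership of the groups named in them. To arrive at resultant access you would also have to apply Deny ACEs ahead of Allow ACEs, evaluate each caller's complete token (all nested and primary group memberships), and account for object ownership and WriteDacl/WriteOwner, which let a trustee grant themselves the right; treat the list as the input to that review, not its conclusion.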
That's a very good explanation of the difference between the Change Password and Reset Password extended rights.
In my experience, I have found that many IT managers still struggle with understanding this difference. I see this all the time while helping some of our customers.
In particular, they are often required to show who all can reset the password of the CFO's account for example, and are unable to do so, because they don't know how to do this.
I have seen so many companies just submit a listing of the entire ACL as documentation. Now that of course is not accurate at all, but most times the auditors also don't know better, so accept it as sufficient!
Thanks for clarifying the difference so clearly.
Thank you for answering my question in such great detail. I clearly understand the difference now. Thanks also for sharing your observations, which are very insightful.
In regards to trying to determine resultant-access on our Active Directory domain user accounts to find out who can actually reset domain user account passwords, do you happen to know of any easy way to do this?
If so, could you please share, as that would be most helpful?
Thanks very much.
As I pointed out earlier, trying to find out who can reset whose passwords in Active Directory is quite difficult, which is why there are hardly any tools that can help in this regard.
There is only one tool that I know of that can do this, but before I mention it, I just wanted to share a note of caution with you.
Caution: There are many tools that claim to show you "Who can do what" but they are only showing you "Who has what permissions" so you still have to do the whole resultant-access calculation yourself, so just be aware of any misleading vendors out there who claim to show you "Who can do what."
So, the only tool I know of that can show you who can reset whose passwords is Gold Finger Mini - www.paramountdefenses.com/goldfinger_mini
Here is a snapshot I copied from the vendor's site -
It's incredibly powerful and very easy to use - you just use the inbuilt search utility to find a user account, then click a button, and it'll show you who can actually reset the selected user account's password, in seconds.