ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: What is the difference between the Change Password and Reset Password extended right?


Member
Date: Jun 1, 2011



Hello again. I would also like to know what is the difference between the Change Password and the Reset Password extended rights in Active Directory?

My understanding is that the former is needed to change one's own password, and the other is needed to reset someone else's password. Is this correct?

The question was prompted on our findings that Everyone was given the Change Password right in our Active Directory and that quite a few admin groups were given the Reset Password extended right.

We are in the middle of an Active Directory clean-up and I thought it might be good to get some clarity on exactly how these rights work in Active Directory.



__________________

Wherever you go and whatever you do, may the luck of the Irish be there with you.



Newbie
Date: Jun 15, 2011


Hi Geoffrey,

Your understanding is correct. The Change Password extended right is what enables users to change their own password, and the Reset Password extended right is what enables Help Desk personnel to be able to reset a user's password.

In general, it helps to understand the difference between the requirements for changing a password and resetting a password, which are as follows -

I. A Change Password operation is designed to be performed by the end user him/herself and it requires knowledge of the current password.

II. In contrast, the Reset Password operation is designed for the IT support function and it does NOT require knowledge of the current password.

 

There are some important observations that can be made here -

1. In the absence of additional authentication factors, the password is the only thing that gates the use of a user account, so if you could either change it, or reset it, you could in effect take over the user account.

2. In general, for hackers, it is much easier to just reset a user's password than brute-force it or try to guess it, because it is so much easier to try and find out who can reset an account's password since all domain user account holders already have almost unlimited read-access in Active Directory.

3. That is why Reset Password is an administrative task, and the ability to reset passwords should not be distributed/delegated indiscriminately.

4. It is also very important to know at all times who can reset the password of every user account in the Active Directory. Unfortunately, trying to find out who can reset whose passwords is not very easy in Active Directory.

5. It is equally important to note that it is not sufficient to merely look for security permissions granting users/groups the Reset Password extended right because permissions in Active Directory do not work in isolation. (Basically you need to determine the resultant-set-of-permissions to get the true picture.)

I think you're on the right track and I would only suggest that instead of trying to find which groups may have the Reset Password extended right granted, you instead determine resultant-access on your Active Directory domain user accounts to find out who can actually reset domain user account passwords.

Hope that helps.

Nic++



-- Edited by Nicolas on Wednesday 15th of June 2011 08:17:12 PM

__________________
Bond: There’s a name to die for! (Die Another Day)
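The reply above recommends looking at who actually holds the Reset Password right on user objects rather than just grepping for the right by name. The following is an added example, not code from either poster, showing how to pull the relevant ACEs off a user object with the RSAT ActiveDirectory module. It uses the two well-known schema GUIDs for the User-Change-Password and User-Force-Change-Password (i.e. Reset Password) extended rights, and it also flags ACEs that grant those rights indirectly through "all extended rights" (empty ObjectType) or GenericAll, which a name-only search would miss. The function name and the sample account name `jsmith` are assumptions; run it from a domain-joined host with the AD: drive available.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module is installed and the AD: PSDrive exists after Import-Module.
Import-Module ActiveDirectory

# Well-known schema GUIDs of the two extended rights (from the AD schema, not assumptions).
$ChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # User-Change-Password
$ResetPasswordGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$AllObjects         = [Guid]::Empty    # ObjectType empty = ACE covers ALL extended rights
$GenericAll         = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight      = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Hypothetical helper: list every ACE on one user object that grants (or denies)
# Change Password or Reset Password, directly or via a broader right.
function Get-PasswordRightAces {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    foreach ($ace in $acl.Access) {
        $rights       = [int]$ace.ActiveDirectoryRights
        $grantsReset  = $false
        $grantsChange = $false
        $via          = 'Specific extended right'

        if (($rights -band $GenericAll) -eq $GenericAll) {
            # Full control includes every extended right on the object.
            $grantsReset = $true; $grantsChange = $true; $via = 'GenericAll'
        }
        elseif (($rights -band $ExtendedRight) -eq $ExtendedRight) {
            if ($ace.ObjectType -eq $AllObjects) {
                $grantsReset = $true; $grantsChange = $true; $via = 'All extended rights'
            }
            elseif ($ace.ObjectType -eq $ResetPasswordGuid)  { $grantsReset  = $true }
            elseif ($ace.ObjectType -eq $ChangePasswordGuid) { $grantsChange = $true }
        }

        if ($grantsReset -or $grantsChange) {
            [pscustomobject]@{
                User      = $SamAccountName
                Trustee   = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType   # Allow or Deny; Deny wins on conflict
                ResetPwd  = $grantsReset
                ChangePwd = $grantsChange
                Via       = $via
                Inherited = $ace.IsInherited          # True = came from an OU/domain ACE
            }
        }
    }
}

# Usage (sample account name 'jsmith' is an assumption): Deny entries listed first.
Get-PasswordRightAces -SamAccountName 'jsmith' | Sort-Object Type -Descending | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind when reading the output. First, the default security descriptor for the user class grants the Change Password right to Everyone and to SELF, so seeing Everyone with Change Password (as the original poster found) is the out-of-the-box state and is what lets a user change their own password, since the operation still requires the current password. Second, this listing is a per-object ACL view, not the resultant access the reply asks for: to know who can really reset a given account you still have to expand nested group membership for each trustee, apply Deny-over-Allow precedence, and repeat across every user object, which is exactly why the reply says a name-only search for the Reset Password right is not enough.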