What is the difference between the Change Password and Reset Password extended right? - Active Directory Security/Access/Audit Forums

ActiveDirSec.Org

The world's most trusted forum on Active Directory Security

Post Info

TOPIC: What is the difference between the Change Password and Reset Password extended right?

Geoffrey

Member

Status: Offline

Posts: 21

Date: Jun 1, 2011

What is the difference between the Change Password and Reset Password extended right?

Hello again. I would also like to know what is the difference between the Change Password and the Reset Password extended rights in Active Directory? My understanding is that the former is needed to change one's own password, and the other is needed to reset someone else's password. Is this correct? The question was prompted on our findings that Everyone was given the Change Password right in our Active Directory and that quite a few admin groups were given the Reset Password extended right. We are in the middle of an Active Directory clean-up and I thought it might be good to get some clarity on exactly how these rights work in Active Directory. __________________ Wherever you go and whatever you do, may the luck of the Irish be there with you.

Nicolas

Member

Status: Offline

Posts: 12

Date: Jun 15, 2011

What is the difference between the Change Password and Reset Password extended right?

Hi Geoffrey, Your understanding is correct. The Change Password extended right is what enables users to change their own password, and the Reset Password extended right is what enables Help Desk personnel to be able to reset a user's password. In general, it helps to understand the difference the requirements for changing a password and resetting a password, which is as follows - I. A Change Password operation is designed to be performed by the end user him/herself and it requires knowledge of the current password. II. In contrast, the Reset Password operation is designed for the IT support function and it does NOT require knowledge of the current password. There are some important observations that can be made here - 1. In the absence of additional authentication factors, the password is the only thing that gates the the use of a user account, so if you could either change it, or reset it, you could in effect take over the user account. 2. In general, for hackers, it is much easier to just reset a user's password than brute-force it or try to guess it, because it is so much easier to try and find out who can reset an account's password since all domain user account holders already have almost unlimited read-access in Active Directory. 3. That is why the Reset Password is an administrative task, and the ability to reset passwords should not be distributed/delegated indiscriminately. 4. It is also very important to know at all time who can reset the password of every user account in the Active Directory. Unfortunately, trying to find out who can reset whose passwords is not very easy in Active Directory. 5. It is equally important to note that it is not sufficient to merely look for security permissions granting users/groups the Reset Password extended right because permissions in Active Directory do not work in isolation. (Basically you need to determine the resultant-set-of-permissions to get the true picture.) I think you're on the right track and I would only suggest that instead of trying to find which groups may have the Reset Password extended right granted, you instead determine resultant-access on your Active Directory domain user accounts to find out who can actually reset domain user account passwords. Hope that helps. Nic++ -- Edited by Nicolas on Wednesday 15th of June 2011 08:17:12 PM __________________ Bond: There’s a name to die for! (Die Another Day)

GeorgeR

Member

Status: Offline

Posts: 5

Date: Jul 2, 2012

RE: What is the difference between the Change Password and Reset Password extended right?

Nicolas, That's a very good explanation of the difference between the Change Password and Reset Password extended rights. In my experience, I have foudn that many IT managers still struggle with understanding this difference. I see this all the time while helping some of our customers. In particular, they are often required to show who all can reset the password of the CFO's account for example, and are unable to do so, because they don't know how to do this. I have seen so many companies just submit a listing of the entire ACL as documentation. Now that of course is not accurate at all, but most times the auditors also don't know better, so accept it as sufficient! Thanks for clarifying the difference so clearly. George __________________

Geoffrey

Member

Status: Offline

Posts: 21

Date: Jul 2, 2012

RE: What is the difference between the Change Password and Reset Password extended right?

Hi Nicolas, Thank your for answering my question in such great detail. I clearly understand the difference now. Thanks also for sharing your observations, which are very insightful. In regards to trying to determine resultant-access on our Active Directory domain user accounts to find out who can actually reset domain user account passwords, do you happen to know of any easy way to do this? If so, could you please share, as that would be most helpful? Thanks very much. Geoffrey __________________ Wherever you go and whatever you do, may the luck of the Irish be there with you.

Nicolas

Member

Status: Offline

Posts: 12

Date: Jul 22, 2012

What is the difference between the Change Password and Reset Password extended right?

Hi Geoffrey, As I pointed out earlier, trying to find out who can reset whose passwords in Active Directory is quite difficult, which is why there are hardly any tools that can help in this regard. There is only one tool that I know of that can do this, but before I mention it, I just wanted to share a note of caution with you. Caution: There are many tools that claim to show you "Who can do what" but they are only showing you "Who has what permissions" so you still have to do the whole resultant-access calculation yourself, so just be aware of any misleading vendors out there who claim to show you "Who can do what." So, the only tool I know of that can show you who can reset whose passwords is Gold Finger Mini - www.paramountdefenses.com/goldfinger_mini Here is a snapshot I copied from the vendor's site - Its incredibly powerful and very easy to use - you just use the inbuilt search utility to find a user account, then click a button, and it'll show you who can actually reset the selected user account's password, in seconds. Nic++ __________________ Bond: There’s a name to die for! (Die Another Day)

Quick Reply
Please log in to post quick replies.

Members Login

Active Directory Security is mission-critical to business today because Active Directory is the foundation of IT security in Microsoft Windows Server based IT infrastructures. Active Directory Security involves numerous aspects such as Active Directory Audits, Active Directory Security Audits, Active Access Audits and Active Directory Auditing. Active Directory Security is essentially about Access Control in Active Directory, and Active Directory Management / Audit / Reporting / Auditing Tools can help you keep Active Directory secure. Active Directory Risks are numerous, but can be identified and mitigated via Active Directory Risk Assessments, and via frequent Active Directory Security and Access Audits. Active Directory Security also involves Domain Controller Security, Security of Trust Relationships and Active Directory Administrative Accounts, and Active Directory Backups.Administrative Delegation is also a very important aspect of Active Directory Security and Best practices for delegating administration in Active Directory should be followed to ensure the security of your Active Directory at all times and to keep it safe from harm.