Effective permissions
Recently we found that when effective permissions are viewed for any user on any other user object, Change Password is granted. This is the case regardless of the DACLs on the user object and any explicitly applied permissions. So, even though User_A has absolutely no explicit permissions on the User_B object, when effective permissions are viewed for User_A you will see Change Password is checked. So, does this actually mean that every user in a domain has permissions to change the password of every other user? This has some users on campus in a panic; others are ecstatic because they believe they found a MAJOR security flaw in AD.
August 8th, 2009 6:42am

No, you are misreading it. They have the permission to Change the password, not reset the password. Remember that to change the password, you must know the previous password.
Brian
August 9th, 2009 7:58am

Just adding more to this. What this allows you to do is to be logged in as UserA:
1) You can go to the Change Password screen
2) You can change the user account from UserA (the default logged on user) to say, UserB
3) If you can provide the current password for UserB, then you can change the password for UserB
Brian
August 9th, 2009 7:59am

Brian, thanks for the reply. I understand the need to know the current password to change to a new password. My thoughts are that the effective permissions look far more menacing than they are. For example, User_A is just an ordinary worker. When you run Effective Permissions for User_A against an account that is a Domain Admins member, it appears User_A can change that user's password. Granted, User_A would have to have access to the current password, a Change Password utility for the user, etc. I'm interpreting the effective permission of User_A based on the group memberships; to which group(s) might an ordinary user belong by default that would grant such permissions on another higher privileged user? I'm trying to avoid opening a can of worms in my organization just because one user thinks they've found a leak in the dam....... Is the Change Password effective permission really a threat when User_A has no explicit privileges on the affected user object? Thanks again
August 9th, 2009 6:39pm

Hi, this is default behavior: everyone has the "Change Password" permission on all accounts. It's not a threat. If user_A knows the administrator's password to change the password, user_A could log on to the administrator account directly to do anything. Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
August 10th, 2009 9:08am
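To see for yourself which of the two rights a trustee actually holds, the ACL of the user object has to be read, because both rights appear as ExtendedRight ACEs and only the ObjectType GUID tells "Change Password" (User-Change-Password, which needs the current password) apart from "Reset Password" (User-Force-Change-Password, which does not). The following audit script is an added example, not code from this thread; it assumes the ActiveDirectory PowerShell module is available and that the sAMAccountName passed in (here the placeholder User_B) exists.

```powershell
# Added example: list who holds "Change Password" vs "Reset Password" on one user object.
# Assumes the ActiveDirectory module (AD: drive). $SamAccountName is a placeholder.
param(
    [Parameter(Mandatory)] [string] $SamAccountName   # e.g. "User_B" (placeholder)
)
Import-Module ActiveDirectory

# Well-known schema GUIDs of the two control-access rights that both render as "ExtendedRight".
$rights = @{
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password (current password required)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (no current password needed)'
}

$user = Get-ADUser -Identity $SamAccountName
$acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$acl.Access |
    Where-Object {
        # Keep only ExtendedRight ACEs whose ObjectType is one of the two password rights.
        $_.ActiveDirectoryRights.HasFlag($extended) -and
        $rights.ContainsKey($_.ObjectType.ToString())
    } |
    ForEach-Object {
        [pscustomobject]@{
            Trustee   = $_.IdentityReference.Value   # expect "Everyone" and "NT AUTHORITY\SELF" for Change Password by default
            Right     = $rights[$_.ObjectType.ToString()]
            Type      = $_.AccessControlType          # Allow / Deny
            Inherited = $_.IsInherited                # explicit vs inherited from the OU chain
        }
    } |
    Sort-Object Right, Trustee |
    Format-Table -AutoSize
```

The rows labelled "Reset Password" are the ones worth reviewing, since those trustees can set a new password without knowing the old one; the "Everyone" row under "Change Password" is the default the thread describes.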

Thanks for clarifying this Mervyn.
August 10th, 2009 4:51pm
