ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: What permissions are required to be able to Reset a User Account's password in Active Directory?


Member

Posts: 16
Date: Jul 12, 2011
What permissions are required to be able to Reset a User Account's password in Active Directory?


Hello,

We are trying to do an internal audit to find out how any of our delegated admins can reset the passwords of our CFO's domain user account.

I believe that we can do so by figuring out who effectively has the Reset-Password extended right granted on the CFO's user account object, and so we were trying to determine resultant access on his object.

Unfortunately this process is taking us a long time, so before we invested precious time, I thought I would inquire as to whether there are any other security permissions that we should be taking into account, other than the Reset-Password extended right.

Thank you in advance for your input.

Jeremy.



__________________
Driod Rules!
Ray


Member

Posts: 17
Date: Jun 27, 2012
RE: What permissions are required to be able to Reset a User Account's password in Active Directory?


Hi Jeremy,

The only permission that controls who can reset a user's password in Active Directory is the Reset Password permission, so you're right that you only need to figure out who effectively has this permission on your CFO's account.

Keep in mind, though, that the All Extended Rights permission, Full Control, and any Special permissions in which All Extended Rights is checked also imply that the user to whom that permission is granted has the Reset Password permission.

It will also help you to make sure that you keep in mind that there might be nested groups involved, so you should expand them completely. Also, make sure that you only consider those permissions that actually apply to the object. Oh, and also keep in mind that Deny permissions will override Allow permissions, although an Explicit Allow will override an Inherited Deny. 

I'm sure I'm forgetting some (only about 6 more) rules or so that one needs to take into account when determining effective permissions, but I think if you Google "Active Directory Effective Permissions", you should find a list of some of the other factors involved.

But yes, the answer to your question is that only the Reset Password right controls who can reset another domain user's account's password in Active Directory.

I hope this helps you.

Ray.



__________________
One misconfigured 00299570-246d-11d0-a768-00aa006e0529 is all I need.
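
Added example (not part of the thread and not any poster's or vendor's code): a simplified Python model of the rules listed in the reply above, covering nested group expansion, ACEs that do not apply to the object, Full Control and All Extended Rights implying Reset Password, and explicit-before-inherited, deny-before-allow ordering. The `Ace` fields, user and group names, and the ACL are constructed assumptions; ordering of inherited ACEs by distance from the object is not modeled.

```python
from dataclasses import dataclass
from typing import Optional

RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # GUID quoted in the thread
CONTROL_ACCESS = 0x00000100  # ADS_RIGHT_DS_CONTROL_ACCESS: extended rights
FULL_CONTROL = 0x000F01FF    # Full Control mask, includes CONTROL_ACCESS

@dataclass
class Ace:  # hypothetical, flattened view of one access control entry
    trustee: str
    allow: bool
    mask: int
    object_type: Optional[str] = None  # None = every extended right
    inherited: bool = False
    inherit_only: bool = False         # applies to child objects only

def expand(principal, member_of, seen=None):
    # Principal plus every group reached through nested membership.
    seen = set() if seen is None else seen
    if principal not in seen:
        seen.add(principal)
        for group in member_of.get(principal, ()):
            expand(group, member_of, seen)
    return seen

def covers_reset(ace):
    # The ACE must apply to this object and carry the extended-rights bit.
    if ace.inherit_only or not ace.mask & CONTROL_ACCESS:
        return False
    return ace.object_type in (None, RESET_PASSWORD)

def can_reset(principal, acl, member_of):
    identities = expand(principal, member_of)
    # Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    for ace in sorted(acl, key=lambda a: (a.inherited, a.allow)):
        if ace.trustee in identities and covers_reset(ace):
            return ace.allow  # the first relevant ACE decides
    return False

# Constructed sample data: group nesting and the ACL on a hypothetical CFO account.
MEMBER_OF = {"alice": ["Helpdesk-T1"], "Helpdesk-T1": ["Helpdesk"],
             "bob": ["Contractors", "Helpdesk"], "carol": ["OU-Admins"],
             "dave": ["Contractors", "VIP-Support"]}
CFO_ACL = [
    Ace("Helpdesk", True, CONTROL_ACCESS, RESET_PASSWORD, inherited=True),
    Ace("Contractors", False, CONTROL_ACCESS, RESET_PASSWORD, inherited=True),
    Ace("OU-Admins", True, FULL_CONTROL, inherited=True, inherit_only=True),
    Ace("VIP-Support", True, CONTROL_ACCESS),  # explicit All Extended Rights
]
def who_can_reset(acl, member_of, users=("alice", "bob", "carol", "dave")):
    return [u for u in users if can_reset(u, acl, member_of)]
```

With this sample, alice qualifies only through two levels of nesting, bob is blocked by the inherited deny, carol's Full Control entry is skipped because it is inherit-only, and dave's explicit allow takes precedence over his inherited deny.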


Member

Posts: 6
Date: Jul 20, 2012
RE: What permissions are required to be able to Reset a User Account's password in Active Directory?


Hi Ray,

Thanks for the gen bro. We too are trying to determine who can reset whose passwords in our environment, and are hitting a bit of a road bump, given the crazy complex world of Active Directory security permissions.

Do you know of any easy way to find out who can reset whose passwords in Active Directory?

Thanks bro.

George



__________________
Ray


Member

Posts: 17
Date: Feb 5, 2013
What permissions are required to be able to Reset a User Account's password in Active Directory?


George,

I do. Check out - http://www.paramountdefenses.com/goldfinger_mini

It's a nifty little tool that can instantly show you exactly who can reset whose passwords. I should warn you that it's very addicting and before you realize it, you'll find yourself finding out who can reset your colleagues' passwords and who can reset your boss's password etc.

The basic version is free, and instantly downloadable. Hopefully this might fulfill your need.

Take care.

- Ray



__________________
One misconfigured 00299570-246d-11d0-a768-00aa006e0529 is all I need.