6th March 2012, 10:06 AM #1
Student Password Reset in XP and Windows 7
Whilst testing our Windows 7 group policies I have found a rather large security flaw. When a user changes their password by pressing ctrl+alt+del and selecting "Change a password", they can change the username and enter a new password for that user (obviously they need to know the user's original password). Students can also change domain admin accounts :-/
I tested this on Windows XP and I get exactly the same result. I have checked over the net but nothing obvious is appearing. Can anyone help with this issue?
6th March 2012, 10:15 AM #2
The key point here, as quoted by yourself, is... obviously they need to know the user's original password...
It's no different (and effectively an alternative method) from logging on as that other person('s account) pressing ctrl+alt+del and changing password.
It's not offering any additional elevated privileges.
Last edited by MYK-IT; 6th March 2012 at 10:17 AM.
6th March 2012, 10:33 AM #3
If they know a password to a domain admin account, I think changing the password is the least disastrous thing they could do... they could also delete everything out of AD, remove all your files, use ADSI Edit to break your whole domain! Best not to tell them.
6th March 2012, 10:42 AM #4
I'm sorry, I think I never made my question clear enough. I am well aware of what could happen etc. What I was hoping to find out is if there is a way to either stop students from changing passwords via permissions, security settings / group policy, or if there is a way to gray out the username field so they can only change their own password.
6th March 2012, 10:44 AM #5
If they know other users' passwords, you have a bigger problem on your hands; otherwise the issue you've described is not really a problem.
6th March 2012, 10:45 AM #6
There's one in AD, "User cannot change password", but greying out the username box seems pretty silly, as they could still just log on with someone else's account and change the password as such. But yes, the AD option seems to be what you're asking for. Under the Account tab. (Just remember not to make them expire, if they can't change.)
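As an added example (not posted by anyone in the thread), the "User cannot change password" option from post #6 can be applied to a whole OU with the ActiveDirectory PowerShell module, together with the caveat about expiry. The OU distinguished name and the function name are hypothetical placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example: the function name and OU path are hypothetical, not from the thread.

function Set-StudentPasswordLock {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$SearchBase   # e.g. the OU holding student accounts
    )

    $users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -SearchScope Subtree `
        -Properties CannotChangePassword, PasswordNeverExpires, PasswordExpired

    foreach ($u in $users) {
        # A user who cannot change an already expired password is locked out,
        # so leave these for an administrator to reset first.
        if ($u.PasswordExpired) {
            Write-Warning "$($u.SamAccountName): password already expired, reset it before locking"
            continue
        }

        # Skip accounts that already have both settings.
        if ($u.CannotChangePassword -and $u.PasswordNeverExpires) { continue }

        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Set CannotChangePassword and PasswordNeverExpires')) {
            # Both flags are set together: the expiry caveat from post #6.
            Set-ADUser -Identity $u -CannotChangePassword $true -PasswordNeverExpires $true
        }
    }

    # Report accounts left in the risky state: cannot change, but will expire.
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -SearchScope Subtree `
        -Properties CannotChangePassword, PasswordNeverExpires |
        Where-Object { $_.CannotChangePassword -and -not $_.PasswordNeverExpires } |
        Select-Object SamAccountName, CannotChangePassword, PasswordNeverExpires
}

# Dry run first: -WhatIf lists the accounts that would be changed without touching them.
Set-StudentPasswordLock -SearchBase 'OU=Students,DC=example,DC=local' -WhatIf
```

As the replies point out, this only stops students changing passwords from their own accounts; it does nothing about an account whose password is already known to someone else.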