Student Password Reset in XP and Windows 7

[jamiesev]

Hi All,

Whilst testing our Windows 7 group policies I have found a rather large security flaw. When a user changes their password by ctrl+alt+del and selecting change a password, they can change the username and enter a new password for that user (obviously they need to know the users original password). Students can also change domain admin accounts :-/
I tested this on Windows XP and I get exactly the same result. I have checked over the net but nothing obvious is appearing. Can anyone help with this issue?

[MYK-IT]

The key point here, as quoted by yourself, is..obviously they need to know the User's original password...

It's no different (and effectively an alternative method) from logging on as that other person('s account) pressing ctrl+alt+del and changing password.
It's not offering any additional elevated privileges.

[ChrisMiles]

If they know a password to a domain admin account, I think changing the password is the least disastrous thing they could do... they could also delete everything out of AD, remove all your files, use adsi edit to break you whole domain! Best not to tell them

[jamiesev]

I'm sorry, I think I never made my question clear enough. I am well aware of what could happen etc. What I was hoping to find out is if there is away to either stop students from changing passwords via permissions, security settings / group policy, or if there is a way to gray out the username field so they can only change their own password.

[plexer]

If they know other users password you have a bigger problem on their hands otherwise the issue you've described is not really a problem.

Ben

[Steve21]

I'm sorry, I think I never made my question clear enough. I am well aware of what could happen etc. What I was hoping to find out is if there is away to either stop students from changing passwords via permissions, security settings / group policy, or if there is a way to gray out the username field so they can only change their own password.

There's one in AD "User cannot change password", but greying out the username box seems pretty silly, as they could still just logon with someone elses account and change the password as such, But yes AD option seems to be what you're asking for. Under account tab. (Just remember not to make them expire, if they cant change )

Steve