Question

how can a user change password of administrator

By santoshlipi

I just installed a Win2008 server, configured everything as required and made it live. After 2 hours I came to know that the administrator's password had been changed by a user. To verify that, I logged on to the DC as a user and tried to reset the password of the administrator, and I succeeded.

Please let me know where the actual bug is. Usually a user cannot reset the password.

Thanks.


All Answers

You have to ask that user.

by Mehul Bhai In reply to how can a user change pas ...

And reprimand him. First of all, how did the user know the administrator password? This has to be the exclusive domain of the System Administrator and related people like Support Staff and immediate Boss as per your company policy.
You changed the administrator password by logging in as a user; that means the user has administrative privileges for the Domain.
Something is gravely wrong in your domain setup. Rectify it, otherwise you will have to run around very much sorting out problems.

surprise how can the user change password of admin

by santoshlipi In reply to You have to ask that user ...

That user doesn't have administrator privileges. He is allowed to log on locally to the DC for a certain purpose. So for test purposes I newly created a user and allowed him to log on locally. After a successful login to the DC I went to dsa.msc and tried to reset the password of the administrator, and was surprised to find that the user can change it.

log on locally to the DC!!!???

by Mehul Bhai In reply to surprise how can the user ...

For what purpose are you allowing a USER to log on locally to the DC? I have never tried what you have done as we have never allowed such privileges.

WHY is a USER logging into a DC?

by cmiller5400 In reply to surprise how can the user ...

That should NEVER happen...

Same

by Mehul Bhai In reply to WHY is a USER logging int ...

I mean to say the same thing as "cmiller5400".

Check privileges

by mr_t_wright In reply to how can a user change pas ...

Make sure you don't have domain users in the "admin group"...

I'm with you here

by tintoman In reply to Check privileges

I reckon some squid brain has dumped all the users in the Administrators group

denied login?

by philldmc In reply to how can a user change pas ...

I might be mistaken, but I thought by default the DC policy was to deny non-administrator accounts the right to log on to the DC.

If I'm not mistaken this policy is automatic, so it has to be turned off for a standard user to log in. Even if they could log in, they should not have the ability to change the password of the admin account, unless that user has admin rights.

It sounds like there are other security issues going on. My first step would be to deny login to non-admins, verify other accounts don't have admin privileges, and then change the admin password. Just remember what you changed it to.

Just thinking RDP

by philldmc In reply to denied login?

By chance did you add Terminal Services to the DC? If you did, I'm not sure why... but you might want to check your policy on the Terminal Services.

Just fair warning...

by cmiller5400 In reply to denied login?

Be VERY careful assigning deny permissions. Remember they take precedence over all other permissions. So, deny an admin group or the administrator or the group "Everyone" the permission to login and you have a whole "charlie foxtrot" to try and fix.
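
The two logon-right points raised in this thread (ordinary users should not hold "log on locally" on a DC, and a deny entry overrides every allow) can be checked against an export of the DC's user rights. The PowerShell below is an added example, not code from any poster; the INF text is a constructed sample, the function names are hypothetical, and which principals count as "ordinary users" or "administrators" is an assumption stated in the comments.

```powershell
# Constructed sample in the format written by:
#   secedit /export /areas USER_RIGHTS /cfg rights.inf
# On a real DC use instead:  $inf = Get-Content .\rights.inf
$inf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-1-0
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"

# Well-known SIDs used for display only.
$names = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'
            'S-1-5-32-544' = 'Administrators'; 'S-1-5-32-545' = 'Users'
            'S-1-5-32-551' = 'Backup Operators' }

# Return the principals assigned to one user right (hypothetical helper).
function Get-UserRight([string[]]$Lines, [string]$Right) {
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = $Matches[1] -eq 'Privilege Rights'; continue }
        if ($inSection -and $line -match "^$Right\s*=\s*(.*)$") {
            $Matches[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
        }
    }
}

function Show-Name($p) { if ($names.ContainsKey($p)) { "$($names[$p]) ($p)" } else { $p } }

# Assumption: Everyone, Authenticated Users, Users and Domain Users (RID 513) cover ordinary users.
function Test-OrdinaryUsers($p) { $p -match '^(S-1-1-0|S-1-5-11|S-1-5-32-545|S-1-5-21-.+-513)$' }
# Assumption: those normally contain admin accounts too; add Administrators, Domain Admins (512), RID 500.
function Test-Admins($p) { (Test-OrdinaryUsers $p) -or ($p -match '^(S-1-5-32-544|S-1-5-21-.+-(500|512))$') }

$allow = @(Get-UserRight $inf 'SeInteractiveLogonRight')
$deny  = @(Get-UserRight $inf 'SeDenyInteractiveLogonRight')

foreach ($p in $allow) {
    if (Test-OrdinaryUsers $p) { "ALLOW log on locally includes ordinary users: $(Show-Name $p)" }
}
foreach ($p in $deny) {
    if (Test-Admins $p) { "DENY log on locally would also lock out administrators: $(Show-Name $p)" }
}
```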
