Why everyone has permissions to change passwords in Active Directory

By default, every new user object grants the Everyone group the Change Password right: the ability to change the account's password provided the current password is already known. This permission is not inherited from a parent OU or container. It comes from the default security descriptor (the defaultSecurityDescriptor attribute) defined on the user class in the schema, which is stamped onto each user object at creation time and which you can inspect with ADSI Edit, LDP, or PowerShell.

According to Microsoft Knowledge Base article 242795 (http://support.microsoft.com/kb/242795), the following is true about Change Password permissions in Active Directory:

“The Everyone group has Change Password permissions on all computer and user objects so that unauthenticated or “anonymous” users or computers are able to change their passwords when they expire without having to be authenticated first. If the anonymous user is denied the ability to change passwords, the user would be unable to change the password without logging on. The Access Control List (ACL) editor can be used to revoke this permission, but use this editor with caution.”

In practice this means you typically do not need to delegate Change Password permissions in Active Directory to an application’s service account. Note that Change Password (which requires the current password) and Reset Password (which does not) are two separate extended rights; Everyone holds only the former, so an account that must reset passwords without knowing the old one still needs the Reset Password right delegated explicitly.
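
The following PowerShell is an added example, not part of the original article or of any Web Active Directory product. It shows where the Everyone ACE comes from (the user class defaultSecurityDescriptor in the schema), confirms the ACE is present and non-inherited on a real user object, and contrasts a password change (no delegation needed) with a password reset (delegation needed). It assumes the ActiveDirectory RSAT module on a domain-joined machine; the account name jdoe is a placeholder.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# RSAT module on a domain-joined machine; 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs from the Extended-Rights container.
$ChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$ResetPasswordGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

# --- 1. Where the default comes from: the schema, not inheritance -------------
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties defaultSecurityDescriptor

# The SDDL string holds one (OA;;CR;<right-guid>;;<trustee>) entry per
# control-access right. WD is the SDDL alias for Everyone, PS for Principal Self.
# Splitting after each ')' yields one ACE per line; keep the Change Password ones.
$userClass.defaultSecurityDescriptor -split '(?<=\))' |
    Where-Object { $_ -match 'CR;ab721a53-1e2f-11d0-9819-00aa0040529b' }

# --- 2. Confirm the ACE on an actual user object ------------------------------
$user = Get-ADUser -Identity 'jdoe'
$acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

$acl.Access |
    Where-Object {
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $ChangePasswordGuid -or $_.ObjectType -eq $ResetPasswordGuid)
    } |
    Select-Object IdentityReference, AccessControlType, IsInherited,
        @{ Name = 'Right'; Expression = {
            if ($_.ObjectType -eq $ChangePasswordGuid) { 'Change Password' } else { 'Reset Password' } } } |
    Format-Table -AutoSize

# --- 3. The practical consequence ---------------------------------------------
# A password *change* (old password supplied) exercises only the Change Password
# right, which Everyone and SELF already hold, so no delegation is required.
$old = Read-Host -AsSecureString 'Current password for jdoe'
$new = Read-Host -AsSecureString 'New password for jdoe'
Set-ADAccountPassword -Identity 'jdoe' -OldPassword $old -NewPassword $new

# A password *reset* (no old password) exercises the separate Reset Password
# right, which a helpdesk or self-service-reset service account must be granted.
# Set-ADAccountPassword -Identity 'jdoe' -Reset -NewPassword $new
```

In step 2 the Everyone entry should show IsInherited as False, matching the article's point that the right is stamped from the schema default rather than inherited from the OU. If an administrator has used the ACL editor to remove that ACE from an object, the change in step 3 fails with an access-denied error for any caller other than one holding Reset Password, which is the failure mode the KB article warns about.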
