Active Directory

Hi guys, iv recently been playing with active directory, now i seem to have foun a way to find users who have a specified password...

What you do is attemp to change the users password, which if the original password was incorrect will return an error, however if the oroginal password was correctly guessed there will bo no error and you know you were right.

OK, so on the face of it this is no more than guessing a users password at the login prompt...

This method has no password retry count, and could be used to a big affect by enumerating uses in a domain and checking for common passwords such as 'password' or the same password as the username...

What i want to know is if there is a way to counter this?

---
Thanks for reading
Kieran Foot

The best way to counter this would be to

use good passwords...or pass phrases

Like

"I bet you cant guess my password : )"

Or are you looking for a way to lock this out...cause AFAIK by guessing wrong 5 times or so..by default will lock out the account...unless you are admin of course...and you can just reset anyones password...including admin ;)

MLF

The above methos has no retry cound and thus allows for unlimited retry's, will there be a log file, or can i set a log to be used for such operations...

Sorry...then

I am not understanding how you are resetting the password in active directory.....

Is this done on the server...or at the workstation??

MLF

edit>..do you have auditing set up ...cause I am pretty sure it would show up in the Eventlogs>Security Log as Failed

its done at the workstation, i have an example if you know VB, maybee you can look at it

What OS is the server??

Cause my 2003 servers lock out users all the time when they need to reset thier passwords....


MLF

No I dont know VB...and I would not open a script for a stranger ;)

they are 2003 servers, but as it is a college, users are allowed to change there own passwords...

no i would post the code, i wouldnt expect anybody to run a script/program send by an unknown ;)

So...your logged on at a workstation (as admin?) and can change users paswords in your AD?

So you are telling me that it doesnt show up in the Security Log?? On the server??

MLF

you cannot reset anybody password unless you are an administrator, im not talking about re-setting anybody password.

the above method uses the change password method, rather like changing your own password, you need the original to assert the change.