Hi guys, iv recently been playing with active directory, now i seem to have foun a way to find users who have a specified password...

What you do is attemp to change the users password, which if the original password was incorrect will return an error, however if the oroginal password was correctly guessed there will bo no error and you know you were right.

OK, so on the face of it this is no more than guessing a users password at the login prompt...

This method has no password retry count, and could be used to a big affect by enumerating uses in a domain and checking for common passwords such as 'password' or the same password as the username...

What i want to know is if there is a way to counter this?

---
Thanks for reading
Kieran Foot