Users can change other users' passwords


  • Users can change other users' passwords

    On our Exchange 2003 server, I enabled the tool that lets any user change his/her password in OWA. However, I noticed that I can change other users' passwords if I know their old passwords. Is it possible to block this? I want a user to be able to change just his/her own password. Any ideas?

  • #2
    Re: Users can change other users' passwords

    How would you block it?
    The tool doesn't know who you are. What is the difference between you entering the old password and the legitimate person entering the old password? None at all.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: Users can change other users' passwords

      I was thinking maybe there's a procedure to disable the domain and user fields. If you can send this information as a parameter to the screen, you don't need these fields to be available to modify. Has anybody done this before?

      Thanks for your help.



      • #4
        Re: Users can change other users' passwords

        So where is it going to get that information from?
        If you are using OWA on the same network and from a machine that is a member of the domain, which allows pass-through authentication, then why not change the password from the workstation using CTRL-ALT-DEL?

        If the information is coming from another session, what is to stop the user who knows another person's password from logging in to the session as them and then changing the password?

        As I wrote above, the computer doesn't know who is using the credentials. If user 1 knows user 2's password and enters those credentials correctly, then it will allow access.

        If you have users who know other people's passwords then you have a more serious problem that you need to deal with - there is no technical solution to that problem.

        Simon.
        --
        Simon Butler
        Exchange MVP



        • #5
          Re: Users can change other users' passwords

          If you know another person's password you don't need OWA to change their passwords. You simply press CTRL-ALT-DEL and click Change Password, then type in their username, their old password, the new passwords and bingo.
          Cheers,

          Daniel Petri
          Microsoft Most Valuable Professional - Active Directory Directory Services
          MCSA/E, MCTS, MCITP, MCT
