Block to change password by command line

  • 379 Views
  • Last Post 29 July 2019
manasrrp6 posted this 28 July 2019

HiHow can we block common  domain users to change password by command lineAs like  “net user <username> newpass /domain” Regardscid:image002.gif@01D14ECD.C6D1DE80 

Order By: Standard | Newest | Votes
kurtbuff posted this 28 July 2019

Questions:
Is it OK if users change passwords via the GUI, but not the command line?


show

manasrrp6 posted this 29 July 2019

It is OK if users change passwords via the GUI only. Not by command line. Company requirement. Regardscid:image002.gif@01D14ECD.C6D1DE80 

show

g4ugm posted this 29 July 2019

Well stating the obvious. Non-sensible requirements may provoke nonsense responses. You have provided no technical or logical justification.Passwords should be validated on the domain controller that actions the change, so it doesn’t make sense to restrict the methods on the workstation.Any logging should also be done on the Domain Controllers so again blocking on the workstation does not make any sense. However, assuming you have a good reason the well known options are:- Block command line access altogether via user policy but here always seem to be loopholes.If you leave script processing enabled simply create a batch file. If you disable script file processing, you probably break something.They can also still run the “.net” command directly e.g. by issuing a shell command from a VB script or from task manager.It also appears to be possible to issue the NET command from powershell…. You can block the “NET” command altogether by setting the permissions of the file but that would possibly kill scripts that use other “NET” commands e.g. to map drives and possible break any update that replaced it.As the “change password” is exposed as a method via .net then so long as the user has access to a “.net” programming language they can change passwords….. There is a discussion on these options here:- https://social.technet.microsoft.com/Forums/windowsserver/en-US/c5a00341-8859-4a8a-bcea-9433365845d9/blocking-netexe?forum=winserverGP .. or of course simply not tell them their password in the first place, so they can never logon… Dave   

show

PhilipElder posted this 29 July 2019

More FYI than anything…

 

We’ve used MDOP (Microsoft Desktop Optimization Pack) LockSmith to change passwords.

 

We’ve used the Utilman.EXE

à CMD.EXE file swap to recover domain admin

passwords when dealing with an acrimonious IT Support firing where they withheld the credentials or lost credentials.

 

We’ve used a boot from .ISO and Net Use to change credentials.

 

The best way to control the user’s password experience is via Group Policy.

 

One can set …

·        

a minimum age so that users cannot change their password after doing so for X number of days/weeks.

·        

a maximum age so that they get changed every so often.

·        

set character complexity limits and character counts.

·        

a flag that warns users when they log on that their password will expire in X days

·        

a PowerShell script that e-mails users when their password will expire in X days or less

 

And so on.

J



 



Philip Elder MCTS

Microsoft High Availability MVP

E-mail:

PhilipElder@xxxxxxxxxxxxxxxx

Phone: (780) 458-2028

www.CommodityClusters.Com

Blog Site

Twitter: MPECSInc

Skype: MPECS Inc.

Cloud: Canadian Cloud Worx

 

 

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru

Friday.




 

show

Close