HiHow can we block common domain users to change password by command lineAs like “net user <username> newpass /domain”
Block to change password by command line
- 486 Views
- Last Post 29 July 2019
Is it OK if users change passwords via the GUI, but not the command line?
It is OK if users change passwords via the GUI only. Not by command line. Company requirement.
Well stating the obvious. Non-sensible requirements may provoke nonsense responses. You have provided no technical or logical justification.Passwords should be validated on the domain controller that actions the change, so it doesn’t make sense to restrict the methods on the workstation.Any logging should also be done on the Domain Controllers so again blocking on the workstation does not make any sense. However, assuming you have a good reason the well known options are:- Block command line access altogether via user policy but here always seem to be loopholes.If you leave script processing enabled simply create a batch file. If you disable script file processing, you probably break something.They can also still run the “.net” command directly e.g. by issuing a shell command from a VB script or from task manager.It also appears to be possible to issue the NET command from powershell…. You can block the “NET” command altogether by setting the permissions of the file but that would possibly kill scripts that use other “NET” commands e.g. to map drives and possible break any update that replaced it.As the “change password” is exposed as a method via .net then so long as the user has access to a “.net” programming language they can change passwords….. There is a discussion on these options here:- https://social.technet.microsoft.com/Forums/windowsserver/en-US/c5a00341-8859-4a8a-bcea-9433365845d9/blocking-netexe?forum=winserverGP .. or of course simply not tell them their password in the first place, so they can never logon… Dave
More FYI than anything…
We’ve used MDOP (Microsoft Desktop Optimization Pack) LockSmith to change passwords.
We’ve used the Utilman.EXE
à CMD.EXE file swap to recover domain admin
passwords when dealing with an acrimonious IT Support firing where they withheld the credentials or lost credentials.
We’ve used a boot from .ISO and Net Use to change credentials.
The best way to control the user’s password experience is via Group Policy.
One can set …
a minimum age so that users cannot change their password after doing so for X number of days/weeks.
a maximum age so that they get changed every so often.
set character complexity limits and character counts.
a flag that warns users when they log on that their password will expire in X days
a PowerShell script that e-mails users when their password will expire in X days or less
And so on.
Philip Elder MCTS
Microsoft High Availability MVP
Phone: (780) 458-2028
Skype: MPECS Inc.
Cloud: Canadian Cloud Worx
Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru