User May Be Able to Change Any User Password on Windows 2000 Server Under Certain Conditions (279809)


The information in this article applies to:

  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Datacenter Server
This article was previously published under Q279809

SYMPTOMS

Active Directory on Windows 2000 Server may allow any user the ability to change another user password under certain conditions. While a "regular" user is using the Active Directory snap-in, the user can choose another user and reset that user's password.

Use this hotfix to replace these individual hotfixes:

272473 AvoidPdcOnWan Registry Value Does Not Work

267556 Auditing Does Not Report Security Event for Resetting Password

268277 Problems Changing Nested Global Group Scope to Universal Group

263821 Account Lockout Because BadPasswordCount Not Reset to 0

274402 NTDS Cannot Be Initialized and Returns Error 510

277741 Internet Explorer Logon fails due to an insufficient buffer for Kerberos

263693 Group Policy May Not Be Applied to Users Belonging to Many Groups

263603 Incorrect Behavior in Winlogon for First-Time User

For best results, use this hotfix instead of the original hotfixes for fixes on servers (domain controllers).

CAUSE

This behavior occurs because dependent files are missing.

RESOLUTION

A supported fix that corrects this problem is now available from Microsoft, but has not been fully regression tested and should be applied only to systems determined to be at risk of attack. Please evaluate your system's physical accessibility, network, and Internet connectivity, and other factors to determine the degree of risk to your system. If your system is sufficiently at risk, Microsoft recommends that you apply this fix. Otherwise, wait for the next Windows 2000 service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://support.microsoft.com/directory/overview.asp

The English version of this fix should have the following file attributes or later: 
   Date      Time            Size     File name   
   -----------------------------------------------
  12/08/00  04:25PM         133 KB    Dnsapi.dll  
  12/08/00  04:25PM          89 KB    Dnsrslvr.dll
  12/08/00  04:25PM         137 KB    Kdcsvc.dll  
  11/15/00  05:37PM         203 KB    Kerberos.dll
  11/06/00  07:10PM          68 KB    Ksecdd.sys  
  12/08/00  04:25PM         483 KB    Lsasrv.dll  
  11/20/00  05:14PM          33 KB    Lsass.exe   
  12/08/00  04:25PM         886 KB    Ntdsa.dll   
  12/08/00  04:25PM         358 KB    Netlogon.dll
  12/08/00  04:25PM         304 KB    Netapi32.dll
  12/08/00  04:25PM         370 KB    Samsrv.dll

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

NOTE: After you install this hotfix, the original files will be upgraded to a high encryption level (128-bit) to offer better online and local security, and bring your computer inline with the new worldwide standard of 128-bit encryption.
Modification Type:MajorLast Reviewed:11/14/2003
Keywords:kbbug kbfix kbQFE kbWin2000PreSP2Fix KB279809
©2003 Microsoft Corporation. All rights reserved.