Microsoft KB Archive/279809

= User May Be Able to Change Any User Password on Windows 2000 Server Under Certain Conditions =

Article ID: 279809

Article Last Modified on 2/21/2007

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q279809



SYMPTOMS
Active Directory on Windows 2000 Server may allow any user the ability to change another user password under certain conditions. While a &quot;regular&quot; user is using the Active Directory snap-in, the user can choose another user and reset that user's password.

Use this hotfix to replace these individual hotfixes:

272473 AvoidPdcOnWan Registry Value Does Not Work

267556 Auditing Does Not Report Security Event for Resetting Password

268277 Problems Changing Nested Global Group Scope to Universal Group

263821 Account Lockout Because BadPasswordCount Not Reset to 0

274402 NTDS Cannot Be Initialized and Returns Error 510

277741 Internet Explorer Logon fails due to an insufficient buffer for Kerberos

263693 Group Policy May Not Be Applied to Users Belonging to Many Groups

263603 Incorrect Behavior in Winlogon for First-Time User

For best results, use this hotfix instead of the original hotfixes for fixes on servers (domain controllers).



CAUSE
This behavior occurs because dependent files are missing.



RESOLUTION
A supported fix that corrects this problem is now available from Microsoft, but has not been fully regression tested and should be applied only to systems determined to be at risk of attack. Please evaluate your system's physical accessibility, network, and Internet connectivity, and other factors to determine the degree of risk to your system. If your system is sufficiently at risk, Microsoft recommends that you apply this fix. Otherwise, wait for the next Windows 2000 service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://support.microsoft.com/directory/overview.asp

The English version of this fix should have the following file attributes or later:   Date      Time            Size     File name --- 12/08/00  04:25PM         133 KB    Dnsapi.dll 12/08/00 04:25PM          89 KB    Dnsrslvr.dll 12/08/00 04:25PM         137 KB    Kdcsvc.dll 11/15/00 05:37PM         203 KB    Kerberos.dll 11/06/00 07:10PM          68 KB    Ksecdd.sys 12/08/00 04:25PM         483 KB    Lsasrv.dll 11/20/00 05:14PM          33 KB    Lsass.exe 12/08/00 04:25PM         886 KB    Ntdsa.dll 12/08/00 04:25PM         358 KB    Netlogon.dll 12/08/00 04:25PM         304 KB    Netapi32.dll 12/08/00 04:25PM         370 KB    Samsrv.dll



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
NOTE: After you install this hotfix, the original files will be upgraded to a high encryption level (128-bit) to offer better online and local security, and bring your computer inline with the new worldwide standard of 128-bit encryption.

Keywords: kbbug kbfix kbqfe kbwin2000presp2fix KB279809

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.