Managed Service Account has "Everyone:Change password" ACE by default

Solution 1:

Take a look at the default security ACL on a normal user account. You'll notice that Everyone has Change Password on those as well. But everyone can't just go and change each other's passwords.

Remember that Change Password and Reset Password are two different permissions. Changing a password is something the user does for itself and requires providing the current password as part of the process. Resetting a password is something done administratively by another user and doesn't require the current password.

Edit: Nope, I was wrong about the underlying reason. Microsoft Article KB242795 explains better the underlying reason for the permission.

From the article:

The Everyone group has Change Password permissions on all computer and user objects so that unauthenticated or "anonymous" users or computers are able to change their passwords when they expire without having to be authenticated first. If the anonymous user is denied the ability to change passwords, the user would be unable to change the password without logging on.
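As an added example (not part of the answer above or of the Microsoft article), this sketch shows how an audit can tell the two permissions apart in an object's SDDL string and flag only the one that matters when it is held by a broad group. The GUIDs are the schema's User-Change-Password and User-Force-Change-Password control access rights; the sample SDDL and the function names are constructed for illustration.

```python
import re

# Control access right GUIDs from the Active Directory schema.
RIGHTS = {
    "ab721a53-1e2f-11d0-9819-00aa0040529b": "Change Password",  # User-Change-Password
    "00299570-246d-11d0-a768-00aa006e0529": "Reset Password",   # User-Force-Change-Password
}
# SDDL aliases and SIDs of principals that cover more or less anyone.
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone",
         "AN": "Anonymous Logon", "S-1-5-7": "Anonymous Logon",
         "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users"}
ACE_RE = re.compile(r"\(([^()]*)\)")

def has_control_access(rights):
    """True if the rights field carries CR (ADS_RIGHT_DS_CONTROL_ACCESS, 0x100)."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & 0x100)
    return "CR" in [rights[i:i + 2] for i in range(0, len(rights), 2)]

def password_aces(sddl):
    """Return (ace_type, right, trustee) for every password-related ACE."""
    found = []
    for body in ACE_RE.findall(sddl):
        f = body.split(";")  # type;flags;rights;object_guid;inherit_guid;trustee
        if len(f) < 6 or f[0] not in ("A", "OA", "D", "OD"):
            continue
        if not has_control_access(f[2]):
            continue  # generic rights such as GA are not expanded in this sketch
        # CR with no object GUID grants every extended right, reset included.
        right = RIGHTS.get(f[3].lower()) if f[3] else "all extended rights"
        if right:
            found.append((f[0], right, f[5]))
    return found

def risky_grants(sddl):
    """Allow ACEs that let a broad principal set a password without knowing it."""
    return [(right, BROAD[who]) for kind, right, who in password_aces(sddl)
            if kind in ("A", "OA") and right != "Change Password" and who in BROAD]

# Constructed sample: the default Everyone/Self Change Password ACEs, plus a
# deliberately bad Reset Password grant to Authenticated Users.
SAMPLE = ("O:DAG:DAD:"
          "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
          "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
          "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;AU)"
          "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)")

if __name__ == "__main__":
    for right, who in risky_grants(SAMPLE):
        print(f"review: {who} holds {right}")
```

The default Everyone:Change Password ACE is parsed but never reported, because using that right still requires the current password.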