Granting Change Password Permissions to the Everyone Group

When you grant the Change Password right to the Everyone group, all users and computer accounts, including domain controllers and anonymous users, are able to change passwords for computer and user accounts. To maintain security, users can only change the password if they know the current password.

To view the permissions on a user object, follow these steps:

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Click View, and then click Advanced Features.
3. Click the Users Organizational Unit (OU), double-click a user, and then click the Security tab.
4. Click the Everyone group to see the permissions assigned to the group.
   
   NOTE: Change Password is the only check box selected by default.
5. Click Cancel when you have the information you need.

The Everyone group has Change Password permissions on all computer and user objects so that unauthenticated or "anonymous" users or computers are able to change their passwords when they expire without having to be authenticated first. If the anonymous user is denied the ability to change passwords, the user would be unable to change the password without logging on. The Access Control List (ACL) editor can be used to revoke this permission, but use this editor with caution.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base: