ForceChangePassword is disruptive by design. It changes operational state, often triggers user impact, and produces clearer audit trails than Shadow Credentials.
| Target | Required right | Abuse path | Linux tooling | Windows tooling | Response focus |
|---|---|---|---|---|---|
| Normal user | ForceChangePassword / reset password extended right | Set a known password and authenticate as the user | bloodyAD set password, net rpc password | PowerView Set-DomainUserPassword, AD module Set-ADAccountPassword | Reset password again and review account activity |
| Service account | ForceChangePassword | Set a known password, then access services or request Kerberos tickets | bloodyAD, GetUserSPNs.py, nxc | PowerView, AD module, service clients | Rotate service credentials and repair dependent services |
| Helpdesk-style account | ForceChangePassword | Reset password, use delegated rights for the next hop | bloodyAD, nxc ldap | PowerView, AD module | Remove delegated path and review password reset events |
| Privileged user | ForceChangePassword | Reset password and authenticate with privileged access | bloodyAD, Kerberos tooling | PowerView, AD module, native logon | Treat as privileged compromise and invalidate sessions |
| Protected account | Reset right present but blocked by policy or AdminSDHolder inheritance | Abuse may fail or revert depending on protection state | bloodyAD for attempt and validation | PowerView Get-DomainObjectAcl, AD module | Fix delegation model and check AdminSDHolder-controlled paths |