Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ACL Abuse / ForceChangePassword

Matrix

ForceChangePassword is disruptive by design. It changes operational state, often triggers user impact, and produces clearer audit trails than Shadow Credentials.

TargetRequired rightAbuse pathLinux toolingWindows toolingResponse focus
Normal userForceChangePassword / reset password extended rightSet a known password and authenticate as the userbloodyAD set password, net rpc passwordPowerView Set-DomainUserPassword, AD module Set-ADAccountPasswordReset password again and review account activity
Service accountForceChangePasswordSet a known password, then access services or request Kerberos ticketsbloodyAD, GetUserSPNs.py, nxcPowerView, AD module, service clientsRotate service credentials and repair dependent services
Helpdesk-style accountForceChangePasswordReset password, use delegated rights for the next hopbloodyAD, nxc ldapPowerView, AD moduleRemove delegated path and review password reset events
Privileged userForceChangePasswordReset password and authenticate with privileged accessbloodyAD, Kerberos toolingPowerView, AD module, native logonTreat as privileged compromise and invalidate sessions
Protected accountReset right present but blocked by policy or AdminSDHolder inheritanceAbuse may fail or revert depending on protection statebloodyAD for attempt and validationPowerView Get-DomainObjectAcl, AD moduleFix delegation model and check AdminSDHolder-controlled paths