# ForceChangePassword

## Configuring

### Prerequisite

{% content-ref url="/pages/JgCz1YvhDq0Vwjhw7IH5" %}
[Password on shares](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/page-3-1.md)
{% endcontent-ref %}

### Configuring

1. Login on `DC02` with the username `Administrator` and password `Welcome01!`.
2. Open the "Active Directory Users and Computers" administration tool on `DC02`.

![](/files/6CyCkpoOTlpli6Gz0ry6)

3\. Open the "Users" OU and then right click it, select "New" and "User".

4\. Fill in the name `sa_transfer` and set the password to `2i^t#fFpL`.

<div align="left"><img src="/files/Q7GEX6idzpd9zIqC5m13" alt=""></div>

5\. Make sure "User must change password at next logon" is NOT selected and select "Password never expires".

<div align="left"><img src="/files/OGXsGTQNfGGyeW3Hnj6Y" alt=""></div>

6\. Right click on the `sa_transfer` user and select "Properties", open the "Security" tab and click on "Advanced".

<div align="left"><img src="/files/v2gAYgHn1RMF240wa7OD" alt=""></div>

7\. Click on "Add", then "Select a principal", fill in the name `testreset` and click "Check Names".

<div align="left"><img src="/files/1icVDRT0Vpa2CpmBkFb3" alt=""></div>

8\. Click on "OK" and select the "Reset Password" permission.

<div align="left"><img src="/files/hYIb6dlOxanqyw4slblG" alt=""></div>

9\. Click on "Ok", "Apply" and again on "OK".

## Attacking

### How it works

### Tools

* [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)

### Executing the attack

We know the password of the user `testreset`: it is `Testing123Testing!`. It's possible to either log in with the account or open a PowerShell session as that user. We will go with a PowerShell session.

1. Start PowerShell, right click on PowerShell in the taskbar and then Shift + right click on "Windows PowerShell" in the list that opens. If we do this correctly it's possible to select 'Run as different user'.

<div align="center"><img src="/files/2h2zWcp9TKH6DDriQPkn" alt=""></div>

2\. Fill in the login details of the `testreset` user and click on 'OK'. A PowerShell window will open, and we can confirm it's running under the `testreset` user by typing `whoami`.

![](/files/hSHt3z103UmUaJ0UaX2N)

3\. Within the script where we found the `testreset` user, we also noticed the `sa_transfer_test` account. If we run the `net user /domain` command within PowerShell, we see the `sa_transfer` account. It might be that our `testreset` user also has permissions on this account.

![](/files/bMhqteSBTaKkKbzFjaPU)

We can confirm this by loading PowerView and checking the ACLs on the `sa_transfer` account. We will run the following command to check this:

{% code overflow="wrap" %}

```powershell
# Keep only the ACEs on sa_transfer that grant the User-Force-Change-Password extended right
Get-ObjectAcl -SamAccountName sa_transfer -ResolveGUIDs | ? {$_.ObjectAceType -eq "User-force-Change-Password"}
```

{% endcode %}

The above command filters out everything except the reset-password permissions (the User-Force-Change-Password extended right). The output will be as follows:

![](/files/7ALTvfSyOX0QXs0T3eoo)

If we convert the SecurityIdentifier, we notice it's the user `testreset`.

![](/files/Liv9NUALakO8Lpxaif4C)

4\. We now know that we have permission to reset the password of the `sa_transfer` user. To reset the password of `sa_transfer`, we will run the following command:

{% code overflow="wrap" %}

```powershell
# Reset the password of sa_transfer using the User-Force-Change-Password right held by testreset
Set-DomainUserPassword -Identity sa_transfer -AccountPassword (ConvertTo-SecureString 'WeCanResetThisPassword123!' -AsPlainText -Force) -Verbose
```

{% endcode %}

![](/files/6MqyfbWAYyg8265bzXTU)

## Defending

### Recommendations

### Detection
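As an added example from the defender's side (not part of the original lab page): an administrative reset like the one performed in the Attacking section is written to the Security log of the domain controller as event ID 4724 ("An attempt was made to reset an account's password"), with the resetting account in `SubjectUserName` and the reset account in `TargetUserName`. The Python below parses constructed events in the EVTX XML layout and flags 4724 events whose subject is not an approved principal; the approved set, the `sa_`/`svc_` prefixes and the sample events are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed policy: principals allowed to reset passwords, and the naming
# prefixes used for sensitive service accounts (sa_ matches the lab's sa_transfer).
APPROVED_RESETTERS = {"administrator", "helpdesk1"}
SENSITIVE_PREFIXES = ("sa_", "svc_")


def event_xml(event_id, subject, target, computer="DC02"):
    """Build a minimal Security event in EVTX XML layout (constructed data)."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
        f"<Computer>{computer}</Computer></System><EventData>"
        f'<Data Name="SubjectUserName">{subject}</Data>'
        f'<Data Name="TargetUserName">{target}</Data></EventData></Event>'
    )


def parse_event(xml_text):
    """Return (event_id, {data name: value}) for one event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def flag_password_resets(xml_events, approved=APPROVED_RESETTERS,
                         sensitive=SENSITIVE_PREFIXES):
    """Alert on 4724 events where the subject is neither the target nor approved."""
    alerts = []
    for xml_text in xml_events:
        event_id, data = parse_event(xml_text)
        if event_id != 4724:
            continue
        subject = data["SubjectUserName"].lower()
        target = data["TargetUserName"].lower()
        if subject == target or subject in approved:
            continue  # self-service change or an approved resetter
        severity = "high" if target.startswith(sensitive) else "medium"
        alerts.append({"subject": subject, "target": target, "severity": severity})
    return alerts


# Constructed sample: a helpdesk reset, the sa_transfer reset by testreset
# from the Attacking section, and an unrelated event ID that must be ignored.
SAMPLE_EVENTS = [
    event_xml(4724, "helpdesk1", "jdoe"),
    event_xml(4724, "testreset", "sa_transfer"),
    event_xml(4738, "testreset", "sa_transfer"),
]
```

In a real environment the same logic would run over events exported from the DC with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4724}` and the approved set would come from the helpdesk or account-operator group membership.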

## References

{% embed url="https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces#forcechangepassword" %}

{% embed url="https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html#forcechangepassword" %}
