How can I log on to a user account on a domain without destroying the user's password?

Solution 1:

Imho - the best solution would be to use a client management tool that allows you to remotely take over a running user session for the time it takes to fix the tech problem (*).

You would call the user first and ask him/her to make sure to close all open programs/windows that may be subject to restrictive access limitations under company rules, plus - if private usage of company computers is allowed - to close all programs/windows that may be related to that. Furthermore, the management tool will inform your user about your takeover with a message like: "Do you want to allow admin-xyz to gain control over your desktop?", and the user needs to OK that. Another good thing about that kind of software is that the user can see what you are doing on his/her machine. Much more transparent than 'fixing things in the dark'.

I also totally agree with nhinkle's comment - do not ask your users for their passwords! One thing is the mentioned social engineering factor, the other is that you need to protect yourself from heart attacks by learning what kind of amazing passwords your users rely on..

  • (*) iDesktop, TightVNC, TeamViewer, Landesk, etc.

Solution 2:

As Domain Administrator you should be able to log on to the machine. Usually the screen says: only XXXX or an Administrator can unlock this session.

You never impersonate the user on Windows. Instead you switch user, then manage the session and eventually kill the user session.

By the way, I don't see any case where you would need to impersonate a user.

As a reference you can look at mssocial.

Solution 3:

I understand both sides of this political debate. It's "best" to never log in as them but in small shops you often don't have the tools in place to do that. If you don't want to ask the user for their password (I agree you shouldn't ask) then the only option I've seen is to change their PW, then when done set it to expire, tell them the new one, and that when they log back in they will be prompted and can change it back to the old one... unless you've set your AD GPO Password Policy to remember X old passwords. In that case the only option is a new one.
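The procedure in Solution 3 (reset the password, force a change at next logon, and tell the user whether password history lets them set the old one back), as an added PowerShell example that is not part of the original answers; it assumes the RSAT ActiveDirectory module, a hypothetical account name `jdoe`, and a function name of my own.

```powershell
# Added example: Solution 3 as a domain-admin script (not from the original answers).
# Assumes the ActiveDirectory module (RSAT) and a hypothetical account 'jdoe'.
Import-Module ActiveDirectory

function Reset-UserForSupport {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [securestring] $TemporaryPassword
    )

    # Caveat from the answer: if a password-history policy applies to this user,
    # they cannot set the old password back afterwards. A fine-grained policy (PSO)
    # wins over the domain default; the cmdlet returns nothing when no PSO applies.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
    $history = $policy.PasswordHistoryCount

    # Reset (an admin reset does not need the old password), then make the
    # temporary password expire immediately so the user must change it.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $TemporaryPassword
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

    # What to tell the user when handing over the temporary password.
    if ($history -gt 0) {
        Write-Output "Password history keeps $history entries: the user must choose a new password at next logon."
    } else {
        Write-Output "No password history enforced: the user may set the old password again at next logon."
    }
    # The reset is logged on the DC as security event 4724 (account password reset)
    # and the flag change as 4738; record the ticket number so the audit trail explains it.
}

# Usage: prompt for the temporary password instead of putting it in the script.
$tmp = Read-Host -Prompt "Temporary password for the user" -AsSecureString
Reset-UserForSupport -SamAccountName 'jdoe' -TemporaryPassword $tmp
```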