How can I logon to a user account on a domain without destroying user password?
Solution 1:
Imho - The best solution would be to use a client management tool that allows you to remotely overtake a running user session for the time of fixing the tech problem (*).
You would call the user first, and ask him/her to make sure to close all open programs/windows that may underly restrictive access limitations by company laws, plus - if private usage of the company computers is allowed - to close all programs/windows that may be related to that. Furthermore, the management tool will inform your user about your takeover by a message like: "Do you want to allow admin-xyz to gain control over your desktop?", and the user needs to Ok that. Another good thing about that kind of software is, that the user can see what you are doing on its machine. Much more transparent than 'fixing things in the dark'.
I also totally agree to nhinkle's comment - do not ask your users for their passwords! One thing is the mentioned social engineering factor, the other one is that you need to protect yourself from heart attacks by knowing to what kind of amazing passwords your users rely to..
- iDesktop, TightVNC, TeamViewer, Landesk, etc..
Solution 2:
As Domain Administrator you shall be able to log on the machine. Usually the screen says: only XXXX or a Administrator can unlock this session.
You never impersonates the user on windows. But you switch user and then manage the session and eventually kill the user session.
By the way, I don't see anycase where you would need to impersonate a user.
As a reference you can look at mssocial.
Solution 3:
I understand both sides of this political debate. It's "best" to never log in as them but in small shops you often don't have the tools in place to do that. If you don't want to ask the user for their password (I agree you shouldn't ask) then the only option I've seen is to change their PW, then when done set it to expire, tell them the new one, and that when they log back in they will be prompted and can change it back to the old one... unless you've set your AD GPO Password Policy to remember X old passwords. In that case the only option is a new one.