How to save/restore a Windows AD password?
Solution 1:
For a local computer, you can simply do it by copying the c:\windows\system32\config\sam
file to a temporary one. Once you finished, just copy back.
But you can't do that while Windows is running. So you have to use a Linux CD or to boot from a Windows cd and open a command line.
For the first part, you can do it online with runas system account, or with shadow copy. So this is an easy step.
The last part must be done offline. If anyone find how to do it online, I'll be happy to know how.
Note you can have a problem if you check for password reuse.
The problem is: this don't work with active directory because you don't want to reboot your server in the middle of the day. And if you have several domain controlers, this don't work at all.
Some softwares can do it on the fly. I used one I forgot the name (it has "migration" in its name) and it is overkill for this use. I don't know if it exists anymore and if it works for 7 or 2008. Maybe a lighter software exists, but I don't know one.
Solution 2:
This is a bad idea for a few reasons:
It circumvents the audit trail
When you change a user's password to impersonate them and then change it back. There is a trail that you did it. That gives you deniability and protects you if anything happens with that user's account. It would be really bad policy to allow this trail to be circumvented.
Imagine that an employee is fired for having child pornography. If you have a policy of swapping this hash in and out at will, there is little-to-no way to prove that the employee was the one that did it rather than you. If you were to reset the password, there is a clear log entry about it which will isolate the times that you were logged in as that user.
It's extremely difficult to do
While theoretically possible to do, you have to modify a whole bunch of stuff that would leave your Active Directory in an unsupported state. This is obviously not a good thing to do. Or you can store the passwords in Reversible Encryption, but doing so is a really bad idea.
It reduces communication between you and the users
Part of being good at supporting users is communicating with them. By having to set, and then reset their password when impersonation is absolutely required, you are forced to get in touch with that user and explain what happened and why. It gives more of a sense of trust than just logging in one morning and seeing that things are different.