Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

How to login as user without knowing password

Status
Not open for further replies.
wkdtech

wkdtech

Technical User
Mar 14, 2006
8
US
Hi All,
I've been thinking about implementing a password expiration policy to keep my user's passwords rotating regularly. I'm going to have a problem getting into their machines without their passwords to perform routine tasks when needed. How do folks out there handle this sort of thing?
Thanks in advance,
Jason
 
Sort by date Sort by votes
Hi,

I find that logging in as the administrator will give me access to pretty much everything I need.

Failing that, you are the sys admin, you can change the password to something you know to carry out the work.

Paul

If aint broken, dont try n fix it!!!!!
 
Upvote 0 Downvote
If you are logging in as Administrator, you can access anything you need to. To doubly check, you can run a script that will add a specific account to every machines local administrators group. If you logon as this user (administrator), you will get access to everything on the system, unless the specific user has gone into files and removed the normal permissions, however this could never affect any work you have to do really. Do you have an instance where you are having problems carrying out tasks locally with the Administrator account.

The fact that you have the ability to change the user passwords is a silly, and in most cases unecessary idea to do. As you have no way of retrieving their original password, you can not "reset" it to what it was previously. This means that the users will not know thier own password, unless you remember to tell them what you changed it to. Also, a password policy normally included a minimum history, so they cant use a password they have alreay used in X amount of changes, so they would have to get a NEW password. If you go around changing their passwords randomly this will annoy them even more, than standard password policies.

If you are having problems using the Administrator account, please specify your problems.


Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
Upvote 0 Downvote
You could also use Remote Desktop or VNC to work on their machines. Remote Desktop is exclusive to the user using it, while VNC allows the computer user to interact with you. Just an idea.
 
Upvote 0 Downvote
However, VNC, do not give you elevated permissions, only remote view with cursor/keyboard control. You can not logon as administrator. As far as I am aware, you can not logout and retain control so that you can log back in.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
Upvote 0 Downvote
You can't log in as the user without knowing the password. However, you can log into any computer on the domain with any domain account. To perform unrestricted actions on the client computer, you will need to be a member of the local administrators group on the client PC. By default, the domain administrators group is made members of the local administrators group when the PC is joined to the domain.

Many companies will run a script that also adds another group like "desktop admins" to the local administrators on client PC's and will also change the local administrator password to a common value for all clients (note: server computers get excluded from that policy). Desktop administrators (those who are members of the desktop admins group) will be able to log onto any PC on the domain with their domain account and have local admin rights ("God" on the PC but not the entire domain). Should the PC have network issues, the desktop admins can still log in with the local administrator account (which doesn't require network access to validate) to troubleshoot.

Start, Help. You'll be surprised what's there. A+/MCP/MCSE/MCDBA
 
Upvote 0 Downvote
OK, nick fair point (if made a little strong) on the password change idea! ;-)

If aint broken, dont try n fix it!!!!!
 
Upvote 0 Downvote
Thanks for all of the replies. I guess I should be a little more specific. I can get in as an administrator level account to handle most tasks, howver for some I'd need to be logged in as the user of that machine. For example: setting up printers, configuring applications, troubleshooting applications as the user.
How do others handle these sorts of tasks without having the user's credentials? I guess I'm behind the times here....
Thanks,
Jason
 
Upvote 0 Downvote
WHY DOES EVERYONE CALL ME NICK?????!!!! ARHHHHHHHH

Sorry Paul, just making sure he understood the problems he could have.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
Upvote 0 Downvote
Might not be the best solution, but to overcome these problems I assign local admin rights on the machine to the user of the computer. This way I don't have to log off the user's session and log on as myself to install something or troubleshoot using certain tools. Again might not be the best solution but it works for me and my organization.
 
Upvote 0 Downvote
I never assign local admin rights to the user. Too many problems, and too much access to muck things up.

If you manage things with a "top down" mentality, it's easier to deploy things. Printers, applications, and settings can all be done via GPO and/or scripts.

Failing that, Remote Assistance in XP works nice. If you're going to troubleshoot a problem on a desktop, the user needs to be there, since you need to solve the problem to their satisfaction anyways.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)
 
Upvote 0 Downvote
You could also create a SecurityGroup called TroubleshootTempAdmins, make this a member of Domain Admins, then if you get a call of a problem from Joe Bloggs. Before you leave the office, add Joe Blogs into the TroubleShootTempAdmins group, and ask them to Reboot the machine and log back on, whilst you make you're way over there. For this to work, you must check to make sure that generally, the Domain Admins group is in the Local Administrators group (added on Domain Join)

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
Upvote 0 Downvote
I guess we take a slightly different mental approach to the situation. If someone calls with a problem or request and we need to dispatch a tech, if the individual is not around, their domain password gets reset to a common password, we log on to their account, make the necessary changes, and then leave them a note on their machine that their password was reset for maintenance purposes. The majority of the people know what the common maint password is and change it back to what they had, worst case, a phone call is made because they cannot log on, reactivate the account and tell them what the password is.

The important thing is that the issue was resolved.
 
Upvote 0 Downvote
As for just adding a printer you can be at your pc go to run and type in \\pc-name There you will bein the client machine and can add a printer. As for most other trouble shooting I use VNC with the user at the pc and do what I need to.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DrB0b
  • Locked
  • Question
Windows 2016 IIS FTP server with a ton of user accounts
Replies
4
Views
266
DrB0b
DrB0b
DTGMI
  • Locked
  • Question
WIN 10 Pro PC & Adding back to our Network
Replies
0
Views
192
DTGMI
DTGMI
microsGuy16
  • Locked
  • Question
Can not copy files to Mapped drive
Replies
0
Views
225
microsGuy16
microsGuy16
penguinroundup
  • Locked
  • Question
programmatically delete all saved passwords for IE for any user
Replies
0
Views
96
penguinroundup
penguinroundup
Mohamed-IT
  • Locked
  • Question
Windows server 2019 password locked
Replies
1
Views
78
strongm
strongm

Part and Inventory Search

Sponsor

Back
Top