[unisog] End User Passwords and Technical Support Issues

Baran, Ben bbaran at uchicago.edu
Tue Jan 15 18:37:44 GMT 2002

This is a sensitive issue that I'm sure comes up a lot in every
organization. While it is important to make sure that passwords remain
secure for obvious reasons, it is also sometimes necessary for
administrators in an NT/Windows 2000 environment to log on to a workstation
as an individual user. While it is true that administrators and support
staff can easily be given rights to administer a particular machine by any
of the methods mentioned, it is nearly impossible to configure desktop and
application settings for a user without actually logging in as that user
(Yes, I am aware that Windows 2000 will allow this to some extent with the
Run As... command, and you can do some manipulation of user profiles
externally, but in my experience, it just doesn't work that well). Someone
suggested having the user log in as themselves, and then doing what needs to
be done, but it is sometimes not possible to have the user there to enter
their password over and over again in the case of upgrades, etc.

My solution is simple, but may not work in all situations. Since I am a
domain administrator, I just change the user's domain password to a random
string, and use that to log in as the user at the workstation. I then go
about my configuration, and log the user off. I then issue the user a new
random password through whatever secure method is in place (I usually just
hand it to them in person) and set the user account to "User must change
password at next login". The user logs in, changes her password, and
security is restored. All in all, not that much work, and I only have to
know the user's password for the time I need to use it (and that password is
not likely to be used again since I like to issue long, annoying to type
random passwords).

This approach, of course, works well if all of your support people are able
to manage passwords, but is a little inefficient if they need to get someone
else to do the password changing for them. Also, you need to take into
account the fact that the support person may have elevated access to files,
etc. while they are logged in as another user. It also has the additional
benefit of actually getting users to change their passwords once in a while
if you don't have a password policy set.



Ben Baran (bbaran at uchicago.edu)
Department of Medicine IS
University of Chicago
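
The reset, configure, re-issue sequence described in the message above, as an added PowerShell example that is not part of the original post. It assumes a current Active Directory domain with the ActiveDirectory (RSAT) module and an operator who holds password-reset rights; the function names, character set and sample account name are hypothetical.

```powershell
# Added example, not from the original post.
# Assumes the ActiveDirectory (RSAT) module and password-reset rights on the account.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 24)
    # Character set is an assumption: 64 symbols, look-alikes (I, O, l, 0, 1) removed.
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    $rng.Dispose()
    # 64 divides 256 evenly, so the modulo below does not bias the selection.
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Reset-SupportPassword {
    param(
        [Parameter(Mandatory)][string]$Identity,
        # Set when handing the account back: forces a change at next logon.
        [switch]$MustChange
    )
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    # -Reset performs an administrative reset; the old password is not required.
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $secure
    if ($MustChange) {
        Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true
    }
    # Returned once to the caller and stored nowhere else.
    $plain
}

# Step 1: temporary password for the support session ('jdoe' is a constructed name).
# $temp = Reset-SupportPassword -Identity 'jdoe'
# Step 2: after logging the user off, issue a fresh password that must be changed.
# $handover = Reset-SupportPassword -Identity 'jdoe' -MustChange
```

Both calls are administrative resets, so they appear in the domain controller's account-management audit log when that auditing is enabled, which gives a record of when support staff held the credential.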
