Solved

If using a domain admin account, how do you login as another domain user without a password?

Posted on 2006-06-04
625 Views
Last Modified: 2009-07-29
On Unix, you can obtain a user's permissions for testing without a password if you are
logged in as the administrative account "root" and use the command "su".

On Windows, Microsoft provides the RUNAS and SU commands, but even if
you are a domain administrator, you are required to provide the user's password
to use these utilities.

Is there a windows utility that allows a domain administrator to become another
user (run explorer.exe or another application), without entering a password?

We have multiple windows terminal servers where we wish to logon as users
to test their environment without having to know their passwords.

Thanks,
-Matt
0
Question by:matt402
16 Comments
 
LVL 97

Accepted Solution

by:
Lee W, MVP earned 2000 total points
ID: 16828730
No, I would consider it a security threat.  If such a tool existed, you could potentially do things as a user without that user's permission.  I know Unix can do it, but I don't necessarily think that it SHOULD be able to do it.
0
 

Author Comment

by:matt402
ID: 16828760
As domain administrators, we can already do things as a user without a user's permission -- using "reset password". :)
We just don't want to inconvenience the users.   People are security threats, not computers or operating systems.
thanks,
-matt
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 16828785
You're missing the point.  Yes, you can reset the password - but then the USER KNOWS someone did something.  If you could do it without their password and/or look up their password, then they wouldn't know.  Imagine an admin who can't stand an annoying user and decides he's going to get that person fired.  So he runs Outlook as the user and sends a harassing e-mail to another employee.  The user can deny it all they want, but the circumstantial evidence says they did it, and since your employer is not a court of law, that can be sufficient to get the person fired.  But if the password was changed, he has to call IT and report it to get it reset to something s/he knows.

In Windows, users typically run as administrators - does that mean, because it's normal for Windows, all users on a Unix system should run as root?
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 16828804
Ultimately, I feel your question has been answered - No, you can't do it without knowing the password - either by resetting it or asking the user for it.  And in a properly secured network, the administrators should NEVER know the user passwords.  You need to test the accounts, test them, before giving them to the user, or by resetting the password and notifying the user of your actions.
0
 

Author Comment

by:matt402
ID: 16829031
Nope, I don't accept this answer.   This is not even related to the technical nature of my question.

However, to answer your extreme digression on my technical question:
We use Tripwire change control to log administrator changes of the nature you speak of; anyone who is naive enough to depend on their users to enforce security in the manner you speak of is going to be hacked in a big way.    Users are a security threat; administrators are users with more access than others.  No technology beats a good security policy and someone who is smart enough to enforce it.  Security is a delicate balance between protecting information and sharing it with the right people.

None of our users are allowed local administrator access on our terminal server farm, so the environment you speak of is NOT "normal" for us.

Are you the only expert available?

thanks,
-matt
0
 
LVL 4

Expert Comment

by:GreenfieldIT
ID: 16829771
Matt, I don't know of any way to accomplish this.

I usually create an identical user to the one I want to test and log in as the test user. You can just right-click the user in question and hit copy.

The other way is to go get {reference to cracking tool removed 07-Jun-06 --alimu/Page Editor} and grab everybody's password.  ; )

0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 16829924
matt402,

You are, of course, welcome to leave the question open - someone may have a clever workaround I've never heard of - but the question - the subject of the question "If using a domain admin account, how do you login as another domain user without a password?" I have answered with "it's not possible".  At the very least, it's not possible without using a third party program.

I'm sorry if you don't like my explanation as to why Microsoft wouldn't allow this (I admit, it's based on my experience and knowledge of Windows and from what I've read and understood talking to others in the industry, reading magazines, and talking with Microsoft techs when I've had a question, and NOT based on any directly referenceable statement or publication).

Just keep in mind, sometimes, what you want to do cannot be done.
0
 

Author Comment

by:matt402
ID: 16830052
Hi Leew,

That's a good point -- I agree that it is possible that it cannot be done using any available tool.   I posted, though, because I'm not sure I know all the available tools.  I appreciate your patience and apologize if it seemed like I don't like your explanation -- it's really just that I don't agree that one person can decide that the question is impossible of resolution, and that it in fact might be difficult for a team of Microsoft Windows Server programmers to determine if it was possible of resolution. :)

If we can leave it open for a few more days -- the problem is that I can actually use Microsoft Services for Unix 3.5 to su to a user without a password (su to a local admin, then su to a user) and obtain some of that user's rights, including the rights to launch applications, although I cannot yet launch Explorer as that user.     So, I have part of my problem solved, just not all.

I'm going to try giving the local admin the local security policy rights to "act as a part of the operating system" and "replace a process level token", which I know are the rights required to do this type of user replacement without a password.  I'm just curious to find out if someone has already figured out a way or written a program to do this -- my coding experience is slight and long ago, so I don't want to write the program to do this myself.  :)

thanks,
-matt
0
 
LVL 15

Expert Comment

by:wingatesl
ID: 16830067
Matt402, I have to agree with leew: there is nothing built into Windows to do what you want. However, there are many ways to accomplish the testing on the terminal server. The first is to log on to the server as an administrator and have a user log on and shadow their session. This will allow you to test and change everything you need. The second is to create a user with the same permissions and what you believe to be a similar profile. Test it well and chances are they will all work the same. (This is GreenfieldIT's solution.) As for the other parts of the question, as administrators on a network (at the highest permissions) we have the ability to send emails from anyone to anyone, have the ability to take ownership of files, delete logs, etc. To go further would be a violation of EE's policies on hacking.
0
 
LVL 12

Expert Comment

by:GinEric
ID: 16832092
Actually, yes you can do it, even without knowing the password.  All you need is Systems Management Server and remote observation of the machine [which includes remote execution and keystrokes, you effectively become that user from a remote machine, usually your local server console].

His screen becomes your screen, it changes as he types, and you can actually type or point and click as if it were his mouse and/or his keyboard.  In fact, it is extremely difficult to detect, and how it can be proven I'm not going to state, because most administrators on Windows systems do not know how it can be detected at the user's machine, but believe me, it can.

There is a way to do this on any system in fact.

But for Windows, check out Systems Management Server [SMS].

Also, since the Operating System knows the password and all SIDs for the user, SMS doesn't even need the user's password; it simply uses the stored hash and username for instant logon and instant machine logon.
0
 
LVL 14

Expert Comment

by:alimu
ID: 16839865
A much simpler option, and what we do in our environment, is to set up testing accounts that let us mimic our average user.  You just shift these into the same OU the user is in, give them the same group memberships and voila... you have a test account that will let you log in and simulate your average user.  When you're finished testing, dump the account.

These guys are absolutely correct, Active Directory does not allow you to impersonate another user without their password.  The whole point of non-repudiation is the ability to prove a specific user was really the person doing stuff on the system.  Being able to use their account without their permission (this is essentially what you're suggesting) would make that impossible.  In most business environments, doing something like this has the potential to turn into a legal minefield.

GinEric's suggestion about the SMS remote desktop will let you shadow a user's desktop without their permission only if you set it up that way.  It also requires the user to actually be logged in and the machine unlocked for you to be able to do anything, and I think they'd notice that their mouse was moving around the screen if testing on the user's behalf without their involvement was what you were after.
0
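The test-account approach GreenfieldIT and alimu describe (same OU, same group memberships, deleted after testing) is easy to script. The following is an added example, not code from any poster; it assumes the ActiveDirectory PowerShell module is installed and that the caller may create users in the reference user's OU. The function name and parameters are my own.

```powershell
# Added example: create a disposable test account that mirrors a reference user's
# OU and group memberships, so a terminal-server environment can be checked
# without touching the real user's account or password.
Import-Module ActiveDirectory

function New-MirroredTestUser {
    param(
        [Parameter(Mandatory)][string]$ReferenceSam,    # user whose environment to reproduce
        [Parameter(Mandatory)][string]$TestSam,         # name for the throwaway test account
        [Parameter(Mandatory)][securestring]$Password   # initial password for the test account
    )

    $ref = Get-ADUser -Identity $ReferenceSam -Properties MemberOf, DistinguishedName

    # Parent OU = the reference DN with its leading "CN=...," RDN removed.
    # The regex skips escaped commas ("CN=Doe\, John,OU=...") so such names parse correctly.
    $ou = $ref.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)*,', ''

    New-ADUser -Name $TestSam -SamAccountName $TestSam -Path $ou `
        -AccountPassword $Password -Enabled $true `
        -Description "Temporary test account mirroring $ReferenceSam - delete after testing"

    # MemberOf does not list the primary group (normally Domain Users), but a new
    # account receives that by default, so only the explicit memberships are copied.
    foreach ($groupDn in $ref.MemberOf) {
        Add-ADGroupMember -Identity $groupDn -Members $TestSam
    }

    # Return the new account with its memberships so the caller can verify the copy.
    Get-ADUser -Identity $TestSam -Properties MemberOf
}

# Usage (hypothetical names):
#   $pw = Read-Host -AsSecureString 'Test account password'
#   New-MirroredTestUser -ReferenceSam 'jsmith' -TestSam 'jsmith-test' -Password $pw
#   ... test on the terminal server, then:
#   Remove-ADUser -Identity 'jsmith-test' -Confirm:$false
```

Group Policy filtering and ACLs that target the specific user rather than the OU or groups will not carry over, so compare `gpresult /r` output for both accounts if behaviour differs.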
 
LVL 14

Expert Comment

by:alimu
ID: 16839875
sorry wingatesl, just noticed you mentioned a dummy user already :)  apologies for being repetitive
0
 

Author Comment

by:matt402
ID: 16840204
alimu -- non-repudiation is a legal, not technical, concept.  Repudiation refers to the ability of a signer to claim a document was forged/coerced if it wasn't witnessed.  Several people believe that technical mechanisms such as digital signatures provide cryptographic evidence that a document was not forged and therefore should be non-repudiable.   A user's login password, in most cases, is not the cryptographic equivalent of a digital signature, and even if it were -- I have heavy doubts as to whether non-repudiation applies, as I can think of several situations where someone could coerce a user to log in to a computer, much less execute a digital signature.   I don't agree in general with the concept of technical non-repudiation; I prefer to have a witness with a heartbeat.

GinEric -- does SMS require the user to be logged in, or can you create a session as them even if they are not?

Still looking for someone who intimately understands local security policy and the rights to "act as a part of the operating system" and "replace a process level token", and if any existing programs use these rights in the manner I speak of above.

thanks,
-matt
0
 
LVL 12

Expert Comment

by:GinEric
ID: 16841656
If you deploy with SMS, you should already have automatic access and full control.  Yes, "replace a process level token" is part of the use of the rights in the manner you speak of.  "Act as part of the operating system" means what?  That you are the Windows Server Operating System; you can do anything it does, and more, because as part of the Operating System, you can grant yourself rights to override the Operating System.  In short, you have and are System Authority, but you must still grant System Authority some special rights.

Principally, only Microsoft components that need these rights use them: the OS, the database engines, server functions, some anonymous NT and System Authority logons.

They pre-empt all other policies [pretty much ignoring them].

Employers have to have a clause informing the employees that they will be monitored and that the employee agrees.  Evidence is in the eye of the beholder.  I could easily repudiate a digital signature as absolutely meaningless.  Much less than a paper contract, in a seasoned lawyer's terms: "A digital signature isn't worth the electrons it's written on."

Nor is a video, a photograph, even a written signature, without eyewitnesses, preferably two, who were present at the time of the alleged incident.  Witnesses are a requirement of law.  Everything else is circumstantial and questionable.  Otherwise, computers would replace human judges and juries; not a very good thing for civilization.
0
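The two user rights discussed above, "Act as part of the operating system" (SeTcbPrivilege) and "Replace a process level token" (SeAssignPrimaryTokenPrivilege), are assigned through the local security policy, and a defender will want to know exactly which principals hold them. The script below is an added example, not code from any poster: it exports the local user-rights assignments with `secedit` and resolves the holders to account names. It must run from an elevated prompt; the function name and temp-file path are my own.

```powershell
# Added example: list who holds the sensitive user rights named in this thread.
# secedit exports the policy as an .inf whose [Privilege Rights] section has lines like
#   SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
# Each entry is a SID prefixed with "*" (occasionally a bare account name).
# A right that is assigned to nobody does not appear in the export at all.
function Get-SensitiveUserRightHolders {
    param(
        [string[]]$Rights = @('SeTcbPrivilege', 'SeAssignPrimaryTokenPrivilege')
    )
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'   # assumed temp location
    # Export only the user-rights area of the local security policy.
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt.' }

    $results = foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$' -and $Rights -contains $Matches[1]) {
            $right = $Matches[1]
            foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $name = $entry
                if ($entry.StartsWith('*')) {
                    # Resolve the SID to DOMAIN\Name; keep the raw SID if it is orphaned.
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $name = $entry }
                }
                [pscustomobject]@{ Right = $right; Holder = $name; Sid = $entry.TrimStart('*') }
            }
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    $results
}

# On a default install SeTcbPrivilege has no holders and SeAssignPrimaryTokenPrivilege
# is held only by LOCAL SERVICE and NETWORK SERVICE; any other holder deserves review.
Get-SensitiveUserRightHolders | Format-Table -AutoSize
```

Running this across the terminal server farm and diffing the output over time gives a simple check that no account has quietly been granted either right.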
 
LVL 14

Expert Comment

by:alimu
ID: 16848710
I realise that non-repudiation is a legal term, but I'm talking about it more from the auditing perspective, not from the perspective of trying to secure internet banking.
Let's say for a moment that you can impersonate a user without their password.
Another domain admin in your organisation also has this ability and has a chip on his shoulder that involves you.
He decides one day he'd like to get you into pretty deep trouble, impersonates you and starts deleting a whole bunch of stuff out of Active Directory.  All the audit logs will say it was you making these changes.
An investigation is launched into the vandalism and your name is all over it.
There's no record of your password being reset by this domain admin because they didn't need to do that to use your account.  You may be able to go back and prove it wasn't you if you're really, really lucky and have some good auditing logs in place, but do you see the problem with this picture?  You said it yourself: "People are security threats, not computers or operating systems."  The system is designed to protect itself as much as possible from people.

SMS will give you full control to install and configure anything on managed systems, yes, but unless you have the user in question interactively logged on at the time you remote control them, there's no way you can take actions under their credentials (regardless of whether you have the permission dialog turned off, the remote control icon turned off or otherwise).

Your question was answered by leew at: http:#16828730
It was supplemented by GreenfieldIT at: http:#16829771 with the standard method for testing a system as though you were a standard user.

The terms and conditions of Experts Exchange forbid members from supplying you with information about hacking or cracking systems or providing ways to compromise system security.  Their membership can be suspended as a result of doing so (as can yours for asking - if that is the sort of thing you're looking for here).
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 17037626
I object - Alimu stated in http:#16848710

"Your question was answered by leew at: http:#16828730
It was supplemented by GreenfieldIT at: http:#16829771 with the standard method for testing a system as though you were a standard user."
0