Exactly where is a user's password stored if using "reversible encryption" option SBS 2003?

Just need to know where the information is actually kept. I've read up on why it can be a bad idea to do so but I am trying to figure out a simple solution that will give me access to a user's password in case I should need it. Although it isn't necessary to do so often, there are and have been times I've had to log on to a user's account to double-check how a setting or a program might function while logged on as that user. Most of the major stuff I can do as Administrator but as I'm sure everyone might know there are those rare cases where some programs act up once you try to operate under limited user accounts. I suppose that I could ask everyone to provide them to me but I am refusing to do so because of the minimum password complexity and the fact that I would have to remember to update the list every 90 days only would add to my tasks. I'd rather be able to access the information only if and when it is needed but again I don't want to keep a master list that would have to be updated. I know that I can force users to change the password when necessary but again that would not be a real solution or the one I'm seeking.
JeTopete (IT Administrator) Asked:
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
You should NEVER want to know anyone's password, and it's bad practice to do so.  It only weakens their concern over keeping their passwords a secret.

A user's password is all that exists between your network and the outside world... anyone that wants to cause real havoc on your network would only need the user's password to do so... (and their username, but that's usually in their email address).  Additionally a disgruntled worker could easily claim that YOU were the one that wrote that nasty email to the boss, and who would ever know the difference?

The way to resolve your problem is to create a limited account that you use to test with. That would provide you with the solution you are seeking... except in the rare event that you need to change a configuration for a user that can't seem to do so for themselves... then you should change their password and set it to prompt them to change again upon first login.

All other methods would eventually be a bad idea in the long run, and I certainly couldn't recommend anything else.

Jeff
TechSoEasy
 
fruhj Commented:
Hi JeTopete,
   There are some utilities that you can use to crack passwords on your server. Beware however, as many of these are hacker/cracker tools, and I would not feel comfortable using them.

   Also at issue is - should you have this level of access?  I know you think you do or you would not have asked, but this is akin to the government having security cameras in your home - the possibility is just too great for abuse.

  I personally make it a point to ask users to enter their own passwords, then turn my head so as not to see them. The people I support need to know they can trust me, and to that end I go out of my way to make sure to respect their privacy.

  Anyhow, I don't really know your situation, so don't let my preaching stop you - have a google search for 'password cracking tools' or similar.  I'd be very doubtful that anyone would post the name of one here as it's borderline prohibited on this site to discuss.

  good luck

 
JeTopete (IT Administrator) Author Commented:
I agree with the trust thing which is why I'd rather not resort to using a tool like the ones you mentioned. I appreciate the honesty and the point of view. I've never quite thought about it in terms of breaching anyone's trust and have only assumed that everyone (as I have) accepted that this is just part of today's workplace. For the most part I do as you stated; allow a user to type in their own passwords. However, and this was the case earlier today, there are times when I will have to access a user's machine and have a need to log on to their account to set up a service. Thanks just the same.
 
JeTopete (IT Administrator) Author Commented:
Okay. I guess the limited account is a good idea and I have to admit even as obvious as it sounds it never dawned on me. Thanks for the tips and the warning.
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
One thing that I might add... is that by you setting the example of how sacred passwords are, it will keep employees from sharing them with each other... which is a horrid problem.

Also, try to deploy services for users by Group Policy... then no need to log on by their username.

Good Luck!

Jeff
TechSoEasy
 
JeTopete (IT Administrator) Author Commented:
How do you pull a question?
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
What do you define as "pull"?
 
JeTopete (IT Administrator) Author Commented:
Sorry, old term meaning to remove, take off shelf, that sort of stuff. I can't award any points and I just don't want to abandon it.
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Uh... "delete" would be the term used here.  :-)  

Just post a request to the Community Support TA.  

I would be curious though what you decided to do.

Jeff
TechSoEasy
 
JeTopete (IT Administrator) Author Commented:
Yeah delete would be good. I will do that then, post a request to Support TA to have the question deleted.
I don't think I'll do anything really. I mean, for starters I will just use a temp account when I have to do something on a machine that isn't user specific. If it is, I will just do it while the user is there if it isn't time prohibitive. I attended a seminar yesterday on Wireless Security and I know that there are programs out there that I could use to crack the SAM file but I don't think that it is worth the trouble. We're a small company here and most users are perhaps a bit naive about a lot of security issues. I've seen the passwords on sticky notes and heard the complaints because we have to change the password every 90 days. I am sure you can imagine the trouble I go through to implement even the most basic of security precautions or procedures.
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Take a look at http://sbsurl.com/security which talks about "good-enough" security for small business.

I've had problems with smaller companies and changing passwords every 90 days, so I've made it every 4 to 5 months to start them off... and then eventually move it up a bit after they get used to it.

I must tell you though, that just because there was really "no" answer for your question, you should still leave it here and accept an answer or answers.  There really is no valid reason to delete this Q.

Jeff
TechSoEasy
Question has a verified solution.