thanus
temporarily login as another windows user

Back in my *nix days, when I wanted to temporarily login as one of my users, I used to
a) Copy the user's encrypted password from /etc/passwd to a temporary safe place
b) Change the user's password, login as him and do my stuff
c) Once finished, put the user's original encrypted password in place

Any ideas how this could be done in a Windows 2K3 Active Directory environment??

Note, that I would be interested only for a procedure on a live system (no boot/reboot),
and hopefully a risk-free, tested solution.
If not, it's ok, I can always ask my user to change back the password afterwards.
Only sometimes the user might be the president, so it would be handy to have a turn-key solution for her ;-)

Thankye!

/as
SOLUTION
Jeff Perkins

ASKER CERTIFIED SOLUTION
thanus (ASKER)

Thanks,
Since the SAM database can be dumped out, and you can get the users' encrypted passwords, couldn't you just safely put it back in?
Let's wait if someone could advise.
Regards
/as
The SAM is locked when the OS is running, and can only be changed safely with the password change API. It's not as simple as copying the SAM db to somewhere and putting a new one in its place; Windows does have safeguards against this. In addition, the tokens you receive when you log in are stored in memory, so you'd have to overwrite/change those, and I know of no way to do this. The SAM can be dumped by a process called DLL injection. I'm not sure DLL injection can change the password/hash, but it most likely can; however, if you did, the token would be invalidated and you couldn't access network resources, as the DC keeps a copy of the token as well, so it'd have to be changed on the DC.
And if using AD, the kerberos ticket/token needs to be updated to access resources like email, file shares, printers etc...
http://www.serverwatch.com/tutorials/article.php/2176201
http://www.only4gurus.com/v3/download.asp?resource=3078
-rich
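The reset-and-restore procedure the asker describes leaves a distinctive trail in the domain controller's security log, which is what an auditor would look for. The script below is an added example, not code from the thread or from Microsoft: it scans a constructed, pipe-delimited export of Windows Server 2003 security events (event ID 628 "User Account password set", i.e. an administrative reset; 627 "Change Password Attempt", a user's own change; 528 "Successful Logon") for the sequence admin resets user, user account logs on, same admin resets user again within a short window. The export format and the sample accounts are assumptions made for the example; on Server 2008 and later the corresponding IDs are 4724, 4723 and 4624.

```python
"""Flag 'reset, log on as the user, reset again' sequences in a security log.

Added example (not from the thread).  Assumes the Server 2003 security log has
been exported one event per line in a constructed form:
    timestamp | event_id | subject | target
where subject is the account performing the action and target the account
acted upon (for a logon event both fields carry the account that logged on).
"""
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple

PASSWORD_SET = 628       # Server 2003: "User Account password set" (admin reset)
PASSWORD_CHANGE = 627    # Server 2003: "Change Password Attempt" (user's own change)
INTERACTIVE_LOGON = 528  # Server 2003: "Successful Logon"


class Event(NamedTuple):
    when: datetime
    event_id: int
    subject: str
    target: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed export format; blank lines are ignored."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, subject, target = (f.strip() for f in line.split("|"))
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            int(eid), subject, target))
    return sorted(events, key=lambda e: e.when)


def find_borrowed_sessions(events: List[Event],
                           window: timedelta = timedelta(hours=2)
                           ) -> List[Tuple[str, str, datetime, datetime, datetime]]:
    """Return (admin, user, first_reset, logon, second_reset) for every case where
    an admin reset another account's password, that account then logged on, and
    the same admin reset it again, all within `window`.

    A routine help-desk reset looks different: one 628 followed by the user's own
    627 change, and no second reset by the same admin.
    """
    findings = []
    resets = [e for e in events
              if e.event_id == PASSWORD_SET and e.subject != e.target]
    for first in resets:
        later = [e for e in events if first.when < e.when <= first.when + window]
        logons = [e for e in later
                  if e.event_id == INTERACTIVE_LOGON and e.target == first.target]
        for logon in logons:
            second = next((e for e in later
                           if e.event_id == PASSWORD_SET
                           and e.target == first.target
                           and e.subject == first.subject
                           and e.when > logon.when), None)
            if second is not None:
                findings.append((first.subject, first.target,
                                 first.when, logon.when, second.when))
                break  # one finding per initial reset is enough
    return findings


# Constructed sample: a normal help-desk reset for jsmith, and the borrowed
# session pattern against the account "president".
SAMPLE_LOG = """
2006-03-02 09:00:00 | 628 | helpdesk1 | jsmith
2006-03-02 09:05:00 | 627 | jsmith    | jsmith
2006-03-02 13:10:00 | 628 | admin7    | president
2006-03-02 13:12:00 | 528 | president | president
2006-03-02 13:40:00 | 628 | admin7    | president
2006-03-02 15:00:00 | 528 | jsmith    | jsmith
"""

if __name__ == "__main__":
    for admin, user, r1, logon, r2 in find_borrowed_sessions(parse_log(SAMPLE_LOG)):
        print(f"{admin} reset {user} at {r1:%H:%M}, {user} logged on at "
              f"{logon:%H:%M}, {admin} reset {user} again at {r2:%H:%M}")
```

Only the `president` sequence is reported; the `jsmith` reset is followed by the user's own 627 change and no second administrative reset, so it is treated as routine. The window is a tunable: a longer one catches slower sequences at the cost of more help-desk noise.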
thanus (ASKER)

Thanks folks
Before attributing the points to a "can't do this, no way" answer, which is not 100% satisfactory or certain,
let me try to exercise the issue a little more.
I checked the Windows Platform SDK API, which has a function NetUserSetInfo, with which one can change the password
programmatically. I was looking for a possibility to provide the encrypted password instead of the clear-text one.
I saw it has an option to at least specify the LAN Manager 2.x compatible password as encrypted.

Has anyone successfully tested this or other functions of Microsoft's APIs with which one might be able to set the
encrypted password of a Windows AD user (which he has taken from e.g. pwdump*)?

Regards
/as

http://support.microsoft.com/kb/151546
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/netusersetinfo.asp
I think if there were a way, it'd be very popular by now. I know plenty of IT admins that would have wanted this back in the NT4 days, and without taking the SAM DB off-line and replacing the hash, I know of no tool or way to do this. I hope someone does, however. There are GINAs you can install that will log a user's password, a keylogger in effect, but not much more than that.
-rich
From a compliance perspective, I'm actually glad that this is not an available feature.

You'd also figure that if someone had built this feature, they would have released it as open source or made it a commercially available or shareware program by now.
thanus (ASKER)

I will look into this if I have more time, I have a feeling it isn't impossible.

In the mean time, no need to be stingy, here are your points for the "can't be done" answer.

Regards
-as