User Password Policy

ITPro44 asked
Last Modified: 2012-05-06
Our business is run off of a SBS2003 Server. Currently I have an Excel spreadsheet with all user names and passwords.  They are changed infrequently if ever.  There are several reasons for this.  I frequently need to log in to people's computers when they are gone to do various things.  Several examples of this would be:

1. Submit Billable Time - this can only be done through an application set up under their user profile.
2. Perform Various Maintenance to someone's profile - without the need to schedule this prior.
3. Set an out of office reply for someone who forgot and went on vacation.
4. These are just a few of the examples.

This started when we were a smaller company and have now grown to about 50 users.  I realize this is a security risk and would like to find a good workaround so that I can set up a password policy that will ensure passwords are changed frequently, but allow me the same type of access without having to keep track of all the passwords.

Thanks in advance for your help and ideas!

My take on this:

1.  Your job is to enforce security, not convenience.  As an administrator your privates are going into the bandsaw if you lose sensitive data, not Joe User sunning himself in the Bahamas.  Enforce a good password policy using your Active Directory GPO.

2.  Set passwords to expire for individual users commensurate with the amount of sensitive data they have access to.  Your secretary might not need a new password every 30 days for Solitaire and a phone list.

3.  Let people deal with their own passwords. If they leave and forget to do something, reset their password to access their computer.

It sucks when you have to log into their computer to do work, this should be the exception, not the rule.

I have the same kind of environment you do, looking at your user name possibly the same industry even, and I can tell you for certain that you are better entrusting password tracking to department managers.  They should have the spreadsheet in case one of their people goes on vacation.

My two cents.

Commented:
I agree with the above.  

However - if you do want to carry on you will need to work out how you can do each of your current tasks without being able to login as the user.

With regards to out of office message - you can assign yourself permissions in Exchange to allow you to access everyone's mailbox.  http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_21089848.html

What maintenance do you need to perform on a user's profile?

Does your billable time application not have an admin mode that will let you enter data for users?
Commented:
You could try to log in to the system using an Administrator account and then do what you need to do.  In order to access programs that need to be run under a certain user you could use the "runas" command to run the program as a different user, although you will still need to know the password of the user to run as.
I don't think there is any way to do what you want as any method where more than the user knows the password is a security risk.  Of course I say this not knowing how the software that you need to access under specific users works.
Commented:
I'm with Matt,
What if you enforce a password policy but also let the community know that if they are on vacation or there is an emergency you may have to change their password?  You can always change it, log in with the new PW, and then they can change it when they get back.
I take my hat off to you SBS guys.  You all have to do it all (Exchange, AD, tech support, etc...)
You could show the boss security guides from NSA or Microsoft. Everyone recommends password policies be set.
Thanks
Mike

Author

Commented:
Wow!  Thanks for all the responses.  I really appreciate them all!

Matt:  I also agree with a lot of what you said.  Thanks for your response.  Knowing the habits of our department heads, I probably won't entrust this info to any of them.  :)

DJL: Very slick recommendation for Outlook!  You taught me something new.  Thanks!  As for maintenance, in the past it's been cleaning up their user profile temp files, cache and whatnot if they have been complaining about a slower system and they happen to be out of the office.  Other random things.  The scenario around submitting billable time is that usually the user has entered the time but didn't send it off to the accountant.  So it's all there on their profile, it just needs to be sent.  The admin mode does not accommodate this.

Motley74: I think I do need to more closely define when and why I need these passwords... I think if I do this then it will put the risk/benefit ratio in perspective.

mkline71:  Thanks for your kind words.  I've already filled up several hat racks, reminds me I need to go out and get another soon.  :)  I think, like you mentioned, that establishing some expectations around passwords and communicating to the users how things will be handled is the way to go.

Thanks Everyone!

Author

Commented:
Thanks!

Commented:
Glad to help.

You could perform most of the profile maintenance by logging into the workstation as an administrator, and then browsing to c:\Documents and Settings\UserName and deleting temp files etc.
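
The cleanup described in the comment above, as a script run from a local Administrator session so that no user password is needed. This is an added example, not part of the original thread; the parameter names are the example's own, and the `Local Settings` subfolders assume the standard Windows XP/2003 profile layout.

```powershell
# Added example: reports (and optionally deletes) old temp/cache files in every
# user profile. Run as a local Administrator on the workstation.
param(
    [string]$ProfileRoot   = 'C:\Documents and Settings',
    [int]   $OlderThanDays = 7,
    [switch]$Delete          # report only unless this switch is given
)

# Built-in XP/2003 profiles that do not belong to a person.
$skip = 'All Users', 'Default User', 'LocalService', 'NetworkService'

# Assumed per-user temp and browser-cache folders (standard XP profile layout).
$targets = 'Local Settings\Temp', 'Local Settings\Temporary Internet Files'

$cutoff = (Get-Date).AddDays(-$OlderThanDays)

$userDirs = Get-ChildItem -Path $ProfileRoot -Force |
    Where-Object { $_.PSIsContainer -and ($skip -notcontains $_.Name) }

foreach ($userDir in $userDirs) {
    foreach ($target in $targets) {
        $path = Join-Path $userDir.FullName $target
        if (-not (Test-Path -Path $path)) { continue }

        # -Force includes hidden/system items such as the IE cache folders.
        $old = @(Get-ChildItem -Path $path -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $cutoff })

        $bytes = ($old | Measure-Object -Property Length -Sum).Sum
        if (-not $bytes) { $bytes = 0 }

        if ($Delete) {
            # Files locked by a logged-on user are skipped, not forced.
            $old | Remove-Item -Force -ErrorAction SilentlyContinue
        }

        # One summary row per profile folder, useful as a record of what was touched.
        New-Object PSObject -Property @{
            User    = $userDir.Name
            Folder  = $target
            Files   = $old.Count
            MB      = [math]::Round($bytes / 1MB, 1)
            Deleted = [bool]$Delete
        }
    }
}
```

Run it once without `-Delete` to review the per-user totals before removing anything.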

Author

Commented:
Yeah, I normally run utilities such as CCleaner which only empties the logged-in user's settings as far as I know.
