How to access the Microsoft user settings without actually logging into the system as that user.

Posted on 2016-08-18
Last Modified: 2016-08-21
At my work there are times when I must logon as each specific user in order to make sure that some user settings are properly established.  Such as:

- When we are implementing a new Citrix farm and we are using new Microsoft Terminal Servers.  

Initially it will take a while to load a roaming Citrix user profile on each specific new server; but after it has been loaded, it logs on much faster.  Equally important I want to make sure that the Google Chrome settings are copied over, because Google Chrome settings are not automatically transferred over.

One of our users complained to me that at every other work place no one from their IT department has ever asked him for his logon credentials.  They just have another way to check that stuff.  In fairness, I do try to be pro-active in taking care of user problems instead of being re-active.

Can anyone inform me of a tool that will allow me to log on as a user on a server or workstation in our Active Directory Domain without actually asking those users for their AD logon credentials?  We use Windows Server 2008 R2 and Windows Server 2012 R2.
Question by:Pkafkas

Expert Comment

ID: 41761671
That user was right, and that has nothing to do with being pro-active or re-active.
There is no way to do so, there is no need for it, you shouldn't even consider it, full stop.
This is in the user's best interest as well as yours.
Think of it this way: if you have a user's logon information, he can, for example, write whatever he always wanted to say in whatever tone he wanted to say it to his boss or whoever else, and then claim it was you, because you have his logon information.
You test whatever you have to test with a dedicated test user, setup exactly like your other users, and that should be enough.

Author Comment

ID: 41762998

Let me inquire about a few things.

Network Security aside, passwords can always be re-set after the fact.

1.  How may I create a user account for a user on a new server, without actually logging on as that user?
         a.  Where must I copy the Google Chrome settings from another device?

The only way to do this that I am aware of would be to have the user log on with their account and then log out, and then... I can go about doing this.  Do you know of another way?

2.  How to set up the Outlook settings for a user's profile (using Outlook 2010) without logging in as that user and manually following the Outlook setup wizard?

3.  My question is not if that is good security design, my question is how to log on to a system without that user's login credentials to set up the user's settings.

Quite frankly, if I did not do these things the users would flip a gasket and complain by saying every time there is an IT update I lose all of my information and I cannot get anything done like I used to.  They would continue to say that these settings should have been set up before I logged on.  I do not have any time for these inconveniences.  In a perfect world we would follow the rule book for security to the code.  But sometimes the reality is you have to work with what you have and manage it the best you can.  Again, my original question is:

How may I create the user's Windows and application settings without that user's login credentials?   Is there by chance an application that works this way so I do not have to log on as those users?

Accepted Solution

oBdA earned 2000 total points
ID: 41763146
1. Can't follow you, sorry. User accounts are created in the domain, not on a server, and creating an AD account doesn't require a user's logon.
1a. Classic case for a logon script. Don't know where Google keeps its settings and whether they roam or not, but in general, you can use a logon script to copy settings during logon from the user's Home drive or any other central location into the profile folder where you need it, and use a logoff script to copy it back to the central location.
2. I'm no Outlook/Exchange Expert, but if the correct DNS entries are set, Outlook should pretty much configure itself automatically.
3. You can't. You can reset the user's password, but that's totally different from knowing his password - password reset is by default an audited action, and the user will know that his password was reset, because you can't set it back to the original.

So either you have a centralized management and standardized user accounts and settings - then you can use logon/logoff scripts, GPOs, and GPO preferences to your heart's content to make sure everything is set up the same way for every user.
Or you have some open environment where every user can choose his own desktop background, screen saver, applications, whatever, and enjoy their freedom - but then they can't realistically expect you to hold their hands while they configure their applications.
That said, a Citrix/Terminal Server environment is by design a classic case for a standardized environment, giving you all the power of scripts and GPOs to avoid having to configure anything manually. That includes pretty much any Windows and application setting there is - it's just a matter of finding out which registry setting and file holds which configuration.
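
The logon/logoff copy described in point 1a, as an added PowerShell example that is not part of the original answer. It assumes the home drive is mapped as H: and uses a hypothetical `H:\ChromeSettings` folder as the central location; Chrome's default profile lives under `%LOCALAPPDATA%\Google\Chrome\User Data\Default`, which does not roam. The script runs in the user's own session, so nobody else needs the user's credentials.

```powershell
# Added example: logon/logoff sync of selected Chrome settings files.
# Assumptions: the home drive is mapped as H:, and H:\ChromeSettings is a
# hypothetical central folder. Assign the script as a Group Policy user
# logon script with -Direction Logon and as a logoff script with -Direction Logoff.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Logon', 'Logoff')]
    [string]$Direction,
    [string]$CentralPath = 'H:\ChromeSettings'   # hypothetical location
)

# Chrome keeps its default profile under the user's local (non-roaming) AppData.
$localPath = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'

# Only plain settings files are synced. Credential and cookie stores
# ('Login Data', 'Cookies') are deliberately left out of the central copy.
$files = 'Bookmarks', 'Preferences'

if ($Direction -eq 'Logon') { $source = $CentralPath; $target = $localPath }
else                        { $source = $localPath;   $target = $CentralPath }

if (-not (Test-Path -LiteralPath $source)) {
    # First logon on a new server, or Chrome never started: nothing to copy.
    exit 0
}
if (-not (Test-Path -LiteralPath $target)) {
    New-Item -ItemType Directory -Path $target -Force | Out-Null
}

foreach ($name in $files) {
    $src = Join-Path $source $name
    $dst = Join-Path $target $name
    if (-not (Test-Path -LiteralPath $src)) { continue }

    # Copy only when the destination is missing or older than the source,
    # so a stale copy never overwrites newer settings.
    $copy = $true
    if (Test-Path -LiteralPath $dst) {
        $srcTime = (Get-Item -LiteralPath $src).LastWriteTimeUtc
        $dstTime = (Get-Item -LiteralPath $dst).LastWriteTimeUtc
        $copy = $srcTime -gt $dstTime
    }
    if ($copy) { Copy-Item -LiteralPath $src -Destination $dst -Force }
}
```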

Expert Comment

ID: 41763156
Totally agree about not proxying in as any user.  The downstream repercussions from your Information Security folks would not be pretty.

Maybe think about setting up a few test accounts so that you can confirm functionality for users or changes to functionality.

Author Comment

ID: 41763349
The object of this question is how to set up a user's account on a new terminal server without using that user's logon credentials.  It has been said that you cannot.  That is what I wanted to know.

It is not the objective for you to "follow" our users' expectations.

I think my co-worker must be accessing published applications (from other Citrix Farms) instead of accessing published Desktops (we have published desktops in our Citrix environment) from these other places.  That must be how other IT Departments are able to change/update application versions and Citrix Servers while not having to bother with setting up the initial user settings that are not transferred over easily.

Without getting off topic, might anyone else know how to log on to a new Terminal Server to access a published desktop (that has user specific settings) besides logging on as the user itself?

Author Comment

ID: 41764656
I am going to close this case because it appears that there is no other way to set up a local user account on a new terminal server.  That was my question and to hopefully get a think tank generated about how others may give the appearance about changing settings.  I think my theory about published applications is a pretty good one.

I am going to award oBdA the points; but, I am not happy about it.

Question has a verified solution.
