Solved

How to access the microsoft user settings without actually logging into the system as  that user.

Posted on 2016-08-18
6
63 Views
Last Modified: 2016-08-21
At my work there are times when I must logon as each specific user in order to make sure that some user settings are properly established.  Such as:

- When we are implementing a new Citrix farm and we are using new Microsoft Terminal Servers.  

Initially it will take a while to load a roaming Citrix user profile on each specific new server; but after it has been loaded, it logs on much faster.  Equally important I want to make sure that the Google Chrome settings are copied over, because Google Chrome settings are not automatically transferred over.

One of our users complained to me that at every other work place no one from their IT department has ever asked him for his logon credentials.  They just have another way to check that stuff.  In fairness, I do try to be pro-active in taking care of user problems instead of being re-active.

can anyone inform me of a tool that will allow me to logon as a user on a server or workstation in our Active Directory Domain without actually asking those users for their AD logon credentials?  We use Windows Server 2008 R2 and Windows Server 2012 R2.
0
Comment
Question by:Pkafkas
  • 3
  • 2
6 Comments
 
LVL 83

Expert Comment

by:oBdA
ID: 41761671
That user was right, and that has nothing to do with being pro-active or re-active.
There is no way to do so, there is no need for it, you shouldn't even consider it, full stop.
This is in the user's best interest as well as yours.
Think of it this way: if you have a user's logon information, he can, for example, write whatever he always wanted to say in whatever tone he wanted to say it to his boss or whoever else, and then claim it was you, because you have his logon information.
You test whatever you have to test with a dedicated test user, setup exactly like your other users, and that should be enough.
0
 

Author Comment

by:Pkafkas
ID: 41762998
OK OBdA

Let me inquire about a few things?

Network Security aside, passwords can always be re-set after the fact.

1.  How may I create a user account for a user on a new server, without actually logging on is as that user?.  
         a.  Where I must copy the Google Chrome settings, from another device?

The only way to do this, that I am aware of, would be to have the user logon as their account and then logout and then... I can go about doing this.  Do  you know of another way?


2.  How to setup the Outlook settings for a user's profile (Using Outlook 2010) without loggining in as that user and manually following the Outlook setup wizard?


3.  My question is not if that is good security design, my question is how to logon to a system without that users login credentials to setup the user's settings.


Quite frankly, if I did not do these things the users would flip a gasket and complain by saying every time there is a IT update I loose all of my information and I cannot get anything done like I used to.  They would continue to say that these settings should have been setup before I logged on.  I do not have any time for these inconveniences.  In a perfect world we would follow the rule book for security to the code.  But sometimes the reality is you have to work with what you have and manage it the best you can.  Again, my original question is:

How may I create the user's windows and application settings without that users login credentials?   Is there by chance an application that works this way so I do not have to logon as those users?
0
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 41763146
1. Can't follow you, sorry. User accounts are created in the domain, not on a server, and creating an AD account doesn't require a user's logon.
1a. Classic case for a logon script. Don't know where Google keeps its settings and whether they roam or not, but in general, you can use a logon script to copy settings during logon from the user's Home drive or any other central location into the profile folder where you need it, and use a logoff script to copy it back to the central location.
2. I'm no Outlook/Exchange Expert, but if the correct DNS entries are set, Outlook should pretty much configure itself automatically.
3. You can't. You can reset the user's password, but that's totally different from knowing his password - password reset is by default an audited action, and the user will know that his password was reset, because you can't set it back to the original.

So either you have a centralized management and standardized user accounts and settings - then you can use logon/logoff scripts, GPOs, and GPO preferences to your heart's content to make sure everything is set up the same way for every user.
Or you have some open environment where every user can choose his own desktop background, screen saver, applications, whatever, and enjoy their freedom - but then they can't realistically expect you to hold their hands while they configure their applications.
That said, a Citrix/Terminalserver environment is by design a classic case for a standardized environment, giving you all the power of scripts and GPOs to avoid having to configure anything manually. That includes pretty much any Windows and application setting there is - it's just a matter to find out which registry setting and file holds which configuration.
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 15

Expert Comment

by:joharder
ID: 41763156
Totally agree about not proxying in as any user.  The downstream repercussions from your Information Security folks would not be pretty.

Maybe think about setting up a few test accounts so that you can confirm functionality for users or changes to functionality.
0
 

Author Comment

by:Pkafkas
ID: 41763349
The object of this questions is how to setup a user's account on a new terminal server without using that user's logon credentials.  It has been said that you cannot.  That is what I wanted to know.

It is not the objective for you to "follow" our users' expectations.

I think my co-worker must be accessing published applications (from other Citrix Farms) instead of accessing published Desktops (we have published desktops in our Citrix environment) from these other places.  That must be how other IT Departments are able to change/update application versions and Citrix Servers while not have to bother with setting up the initial user settings that are not transferred over easily.

Without getting off topic, might anyone else know how to logon to a new Terminal Server to access a published desktop (that has user specific settings) besides logging on as the user itself?
0
 

Author Comment

by:Pkafkas
ID: 41764656
I am going to close this case because it appears that there is no other way to setup a local user account on a new on a new terminal server.  That was my question and to hopefully get a think tank generated about how others may give the appearance about changing settings.  I think my theory about published applications is a pretty good one.

I am going to award oBda the points; but, I am not happy about it.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now