Solved

Windows Master Password

Posted on 2016-09-19
11
48 Views
Last Modified: 2016-09-19
Hi, I have a network with a few hundred users. Sometimes we need to log in as a particular user to troubleshoot something, sometimes overnight or on holiday weekends, etc when getting the user on the phone is not possible. Is there an easy way to do this without doing it the insecure way of keeping a password list? Like a master password for lack of a better term.

Thanks.
Jon
0
Comment
Question by:Jon DeVito
11 Comments
 
LVL 29

Accepted Solution

by:
ScottCha earned 500 total points
ID: 41805419
Not if you have to log in as a particular user.  A user account can only have one password.

There is no way to set up a "master" password.  I'm assuming an admin account won't work as you need to log in as a specific user.

So, unfortunately, the answer to your question is "no".

You could always reset the password, but then you have the administrative task of working with the user to re-reset it.
0
 
LVL 17

Expert Comment

by:pjam
ID: 41805423
If you must, change their password.  Do your thing and then force a password change at the end.
Asking someones password is not a good thing, especially if something is stolen.  They can say 6 months later so and so knew my password they must have done it.
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 41805429
Thanks but doing that will not work because it will break their mobile device which they use constantly. I was hoping that on a domain there could be some sort of master setup to log in as the user to configure things on their desktop, etc.
0
 
LVL 29

Expert Comment

by:ScottCha
ID: 41805433
As you have mobile devices, and that is a concern, the answer is "no".

I wouldn't want to be the one in charge of that list due to the liability and security issues.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 41805435
Any kind of a master password would be horribly insecure.  No such thing exists.

At best you should change their password and then let them change it back.  You can declare (tell all users) that if you need to reset their passwords it will be ______ - something they should know - their phone number and Street name or something like that. Then you have an administrative policy - if you need to access a user's account, you notify them via email FIRST and then after 10 minutes (enough time to push out the email about the changed password, you change it and do what you need to do.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 29

Expert Comment

by:ScottCha
ID: 41805436
Again, even if you are on a domain, you get into the security of having a "master" password.  what if something happens down the way, there won't be any sure way of who did it.
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 41805443
Yeah I was pretty sure that was going to be the answer but I figured let me check. We have so much that needs to get rolled out with no help & cant be done during the day so logging on as the user was the easiest option. Thanks for confirming though.
0
 
LVL 3

Author Closing Comment

by:Jon DeVito
ID: 41805445
Scott was the first one with the correct answer. Thanks for the help.
0
 
LVL 29

Expert Comment

by:ScottCha
ID: 41805451
Anytime.  Glad I could help.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41805505
I'd like to add:
As always, there is some kind of way to reach your goal.
We could setup autologon with the user's credentials. Still, we would be able to secure the computer using bitlocker. For bitlocker, we can configure multiple authentication methods (="protectors"), so that the admin has one and the user has one. Result: we can start the pc and logon as user anytime we like without having to know or reset his password.

A 2nd way; there's a tool: http://www.e-motional.com/ULAdmin.htm which can entitle administrators to unlock user sessions without knowing their password. So you could ask the user to just lock his screen and hibernate the computer. You'll be able to enter his session again without having to know or reset his password.
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 41805517
Very nice McKnife, I'm going to check out that tool. Its a bit on the expensive side because of the volume, but worth looking at. Thanks a lot.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Storage devices are generally used to save the data or sometime transfer the data from one computer system to another system. However, sometimes user accidentally erased their important data from the Storage devices. Users have to know how data reco…
If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now