Declan Basile

asked on

Logging in as a User without Knowing the User's Password

There are times when a Domain Administrator needs to use a computer logged in as a particular user to set up something or troubleshoot a problem specific to that user.  How can it be set up so a Domain Administrator could log in as another user without knowing the user's password and with an audit trail that says that it wasn't the user that logged in as the user but the administrator that logged in as the user?

McKnife

It's possible. Passwords are just one of many possible credential providers. Another would be a Smartcard. Admins may enroll user accounts onto Smartcards on behalf of users and log on as them. The domain controller would log that a Smartcard is being used; that suffices as auditing. If you have a domain CA, it's done in minutes.

They can't.  Windows wasn't designed that way.  Either work with the user directly or put in a policy that the admin changes the user's password to a known default and sets it to require changing again once the user logs in.  This way, the user knows someone has acted as them.

Wasn't thinking about smartcards... that MIGHT work.  Never explored it as most environments I've worked in haven't used them.  However, strictly speaking, using passwords alone, it can't.

McKnife is correct in that a smartcard is the way to go. I've worked places where this exact thing was done. It provides an audit trail that is separate from authentic user logins as well.

ASKER CERTIFIED SOLUTION
McKnife

I will add just another helpful bit: in order to determine whether SmartCards are in use for logon, you need to activate some extra logging. Please read:
https://www.gradenegger.eu/?p=1593&lang=en

Let me know whether you got this to work; I can assist.
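
To illustrate the audit trail discussed in this thread, the following PowerShell is an added example, not code from any of the posters. It separates certificate (smart card) logons from password logons in Kerberos TGT events (Security log, event ID 4768) and attributes each certificate to the admin who enrolled it. Assumptions: Kerberos Authentication Service auditing is enabled on the domain controllers, the `$register` of admin-enrolled certificates is a hypothetical record you keep yourself, and the events and thumbprints are constructed samples.

```powershell
# Constructed sample events shaped like Security-log event 4768 (Kerberos TGT request).
# On a domain controller, feed real events instead:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768} | ForEach-Object { $_.ToXml() }
function New-SampleEvent($User, $PreAuth, $Thumb) {
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4768</EventID></System><EventData>
<Data Name="TargetUserName">$User</Data>
<Data Name="IpAddress">::ffff:192.0.2.10</Data>
<Data Name="PreAuthType">$PreAuth</Data>
<Data Name="CertThumbprint">$Thumb</Data>
</EventData></Event>
"@
}
# PreAuthType 2 = encrypted timestamp (password); 15-17 = PKINIT (certificate).
$events = @(
    New-SampleEvent 'jdoe' 2  ''                                          # password logon
    New-SampleEvent 'jdoe' 16 '00000000000000000000000000000000000000A1'  # cert in register
    New-SampleEvent 'jdoe' 16 '00000000000000000000000000000000000000B2'  # cert not in register
)

# Hypothetical register (assumption): thumbprint of each certificate an admin
# enrolled on behalf of a user -> who enrolled it and under which ticket.
$register = @{ '00000000000000000000000000000000000000A1' = 'adm-smith, ticket PLACEHOLDER' }

function Get-LogonAttribution([string[]]$EventXml, [hashtable]$Register) {
    foreach ($x in $EventXml) {
        # Flatten the <Data Name="..."> elements into a name -> value table.
        $d = @{}
        foreach ($n in ([xml]$x).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $thumb = $d['CertThumbprint']
        # A populated certificate field means the TGT was obtained with a certificate.
        if (-not $thumb)                       { $method = 'Password';    $by = $null }
        elseif ($Register.ContainsKey($thumb)) { $method = 'Certificate'; $by = $Register[$thumb] }
        else                                   { $method = 'Certificate'; $by = 'UNKNOWN: not in register' }
        [pscustomobject]@{
            User = $d['TargetUserName']; Source = $d['IpAddress']; PreAuthType = $d['PreAuthType']
            Method = $method; Thumbprint = $thumb; EnrolledBy = $by
        }
    }
}

Get-LogonAttribution $events $register | Format-Table -AutoSize
```

A certificate logon whose thumbprint is missing from the register is the row to investigate: it means a certificate exists for that account that nobody recorded enrolling.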