Logging in as a User without Knowing the User's Password
There are times when a Domain Administrator needs to use a computer logged in as a particular user to set up something or troubleshoot a problem specific to that user. How can it be set up so a Domain Administrator could log in as another user without knowing the user's password and with an audit trail that says that it wasn't the user that logged in as the user but the administrator that logged in as the user?
They can't. Windows wasn't designed that way. Either work with the user directly or put in a policy that the admin changes the user's password to a known default and sets it to require changing again once the user logs in. This way, the user knows someone has acted as them.
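One way to script the reset-and-force-change policy described in the answer above, as an added example that is not part of the original thread. It assumes the ActiveDirectory RSAT module; the function name, the `-TicketId` parameter and the returned record are hypothetical.

```powershell
#Requires -Modules ActiveDirectory

# Added example: function name, -TicketId and the output record are assumptions.
function Reset-PasswordForSupport {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]       $Identity,           # sAMAccountName or DN
        [Parameter(Mandatory)] [securestring] $TemporaryPassword,  # the known default
        [Parameter(Mandatory)] [string]       $TicketId            # helpdesk reference
    )

    $user = Get-ADUser -Identity $Identity -Properties PasswordNeverExpires, CannotChangePassword

    # Set-ADUser rejects -ChangePasswordAtLogon $true when PasswordNeverExpires is set,
    # so check before the password is touched.
    if ($user.PasswordNeverExpires) {
        throw "$($user.SamAccountName): PasswordNeverExpires is set; a forced change cannot be applied."
    }
    # A user who is not allowed to change the password could not complete the forced change.
    if ($user.CannotChangePassword) {
        throw "$($user.SamAccountName): CannotChangePassword is set; the user could not log on afterwards."
    }

    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName,
            'Reset password and force change at next logon')) { return }

    Set-ADAccountPassword -Identity $user -Reset -NewPassword $TemporaryPassword -ErrorAction Stop
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop

    # Record of who acted on which account, for the caller to store.
    [pscustomobject]@{
        TimeUtc       = (Get-Date).ToUniversalTime().ToString('o')
        Administrator = "$env:USERDOMAIN\$env:USERNAME"
        TargetUser    = $user.SamAccountName
        TicketId      = $TicketId
        Action        = 'PasswordResetForSupport'
    }
}

# Usage (account name, ticket id and file path are constructed values):
# $temp = Read-Host -AsSecureString -Prompt 'Temporary password'
# Reset-PasswordForSupport -Identity 'jdoe' -TemporaryPassword $temp -TicketId 'HD-0000' |
#     Export-Csv -Path .\support-resets.csv -Append -NoTypeInformation
```

When account-management auditing is enabled, domain controllers also log the reset as Security event 4724, with the administrator as the subject and the user as the target.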
Wasn't thinking about smartcards... that MIGHT work. Never explored it as most environments I've worked in haven't used them. However, strictly speaking, using passwords alone, it can't.
McKnife is correct in that a smartcard is the way to go. I've worked places where this exact thing was done. It provides an audit trail that is separate from authentic user logins as well.
https://www.gradenegger.eu/?p=1593&lang=en
Let me know whether you got this to work; I can assist.