In terms of keeping compliant or showing that the staff account was not miss-used by the tech, change it. Change to a shared password while to do your work then have the user reset the password to something unknown. In the logs, if it happened prior to the user password reset then blame the tech who was sitting beside the staffer for that setup time.

This is one of my own complaints. Why can't Admin take over a user account on Windows? I'm the system admin, why can't I "Su User" and be logged in as that user?

On my *nix systems it's a non-issue.. if I need to setup something inside a user's environment or work as another user, I can simply "Su Username" and get my work done. With windows, I have to accept poor security practices and interupt the user to do what Admin should already be able to do. (And in related complaint.. why is Admin not the top level account? It is insane that System account can block Administrator from working with files.