General discussion


Should Techs know Users Passwords?

By Finster77 ·
We are being told by out Director that we can no longer log onto a User's PC forr support reasons using the User's account/password. Remote assistance is ok, but if it requires a rebott and the user is nolonger around, we are boned. Any thoughts. How are other helpdesks doing this?

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

Never know a users password

by jdclyde In reply to Should Techs know Users P ...

If you know the password and something bad happens, then they can blame you instead of taking the burn themselves.

This is one of the first things they teach in security as well, that you tell the users never to give their passwords out to anyone. If support can call and get a password, then you also have your social engineering to hack they company. The people are easier to hack than the systems are.

It is sometimes a pain, but this policy is there for a good reason.

Good luck.

Collapse -

admin rights

by gralfus In reply to Should Techs know Users P ...

Our techs all have admin rights on all PCs in the domain. Thus, we can do anything we want with the systems in question. Auditing requires that you not know their passwords, otherwise the company can be help up to legal difficulties in wrongful termination suits. "I didn't do that, someone logged in using my name and password. Everyone knows the techs have our passwords."

Collapse -

Never, ever give out your password

by gario In reply to Should Techs know Users P ...

Not good security policy to give out passwords. Help Desk/Tech Support personnel should have Admin priviliges for remoting and logging onto workstations.

Collapse -

Yes or No

by maxwell edison In reply to Should Techs know Users P ...

If they make that choice, then they suffer the potential consequences. If it's an inconvenience, let it be to them, not to you.

If, on the other hand, they want you to "be all" and "do all" at "all times", then they have to give-up a certain amount of privacy.

It's their choice, and you should make it clear what the repercussions of that choice really are -- then let them make it.

Collapse -


by jjdgraz001 In reply to Yes or No

We use a user account for troubleshooting problems. All of us have admin privileges on the network so if we try an application and it works, but it doesn?t work for a user. We have to troubleshoot it with user privileges. That is why we have a troubleshooting account. The users don?t have to give up there account credentials.

If the problem is Exchange related, Or if they have a problem with there e-mail that can?t be replicated unless the specific user is logged in, then we reset the user?s password to our default, troubleshoot / repair the problem, and force the user to change there password when they next log in.

Users have to have confidential passwords, and they have to have confidence that they are the only ones that have them. Even if we can get into see what they have saved on their desktops, or working folders.

Collapse -

By the way - It might depend

by maxwell edison In reply to Should Techs know Users P ...

In some companies, an employee might actually have an obligation to protect the privacy of some things on a computer. Other companies may not.

In my office, for example, we're pretty much an "open book" company (except accounting and payroll and such). Therefore, the company policy is that there is absolutely no expectation of privacy, and if a person is on vacation or out of the office, someone else might have to access his or her files -- or even his or her email -- to deal with a company issue that might arise.

So I suppose it depends on a lot of things.

Collapse -

Knowing User Passwords

by BFilmFan In reply to Should Techs know Users P ...

Depending on your enviornment, you having a user's passwords could quickly run you into issues with SOX, HIPAA, etc.

I would recommend that a group with admin rights on the PC be created that has remote desktop management capabilities. That would resolve the issue, since admins in that group would have rights and could sign whatever applicable non-disclosure agreements were required.

Collapse -

Admin rights?

by trockii In reply to Should Techs know Users P ...

I am the IT director for the company i work for and I make everyone's passwords when i create their user acccounts. I have a default password I use and then force them to change it after initial login. There's no reason I need to know their password. I can do everything and more logging in as myself than as if I was to log on as them. With the right policies and domain admin accounts this wouldn't be an issue. If you feel you need more access then tell your boss what rights you need. Explain what is happening and he should be willing to listen and give you more rights. Just show you can be trusted with this priviledge and don't abuse it. It will make his and your job alot eaiser.

Collapse -

The other side of the coin

by teligence In reply to Admin rights?

My company's policy states basically that since these PCs are Company property the "Company" (i.e. IT) has blanket authorization to access any data on any device anywhere in the Company for any reason at any time.

Simply put - the Company paid for it, the Company has full right to any information on it or associated with it.

The users must sign they they have "read" and accept Company policies. (Yeah, right. Just like all of us read the entire license agreement for every software installation on every PC...) However, it is there and if the user chooses to accept it "blindly", then that's their choice.

As far as having access to their specific profile should the need arise for profile specific software installation or troubleshooting, as admins, we can always change the user's password to access their complete profile to assist them as needs arise.

Our old "mini-mainframe" had a very handy special feature - it allowed us to enter the username of an individual, but enter the admin password which allowed us to access the user's profile - just as they would. In addition it logged the port number, time, date, and the fact that the "admin" access was used for that particular session. This prevented a user from making any deflective statements and IT being a target. If Windows Server had that feature it would sure make my job that much easier - I mean, "It would allow me to support this Company resource that much more effectively" !!!

Collapse -

It depends on the environment..

by TomSal In reply to Should Techs know Users P ...

Here we are a 100 employee, privately held shop were for the last 7 out of 8 1/2 years I was the one who had all responsibilities for keeping any documentation that related to IT, as well as being tech support and the sole administrator. In my case there was no way around me having to know user's passwords. There is an encrypted and password protected file store on a network drive (that is backed up nightly) that only the admin group has rights too -- the passwords for ALL users (include from reception to the CEO) is stored in that file. I'm the one who maintains it when passwords are changed, employees leave or new hires come in.

Further more our work force (and I know this sounds judgmental but I'm just telling the truth, as people they are mostly very good people) is very low end computer users.

They forget passwords left and right like you won't believe. For a while we had a policy that each time they forgot a password a new one was assigned. Well some users forgot with such regularity that the admin overhead was just ridiculous (especially when you are the lone person supporting 100 users, plus all the "paper" and administrative duties of maintaining an IT department).

However, we are switching our policy as we upgrade systems from 98 SE to XP, the new policy will be like others said -- admin only rights for the techs no more using user passwords.

Related Discussions

Related Forums