General discussion


Should Techs know Users Passwords?

By Finster77 ·
We are being told by out Director that we can no longer log onto a User's PC forr support reasons using the User's account/password. Remote assistance is ok, but if it requires a rebott and the user is nolonger around, we are boned. Any thoughts. How are other helpdesks doing this?

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

I had to go one step further

by ScooterB In reply to It depends on the environ ...

I am the sole person responsible at a public utility and have to serve all roles from SA all way the down to the help desk. I also provide all electrical engineering support. I had to make it real easy for me. I do have admin rights on all the PC's and servers, but I had to even generate their passwords for them and make them memorize them. They were wanting to use the simple and easily breakable dictionary type or else just their name. I have to keep my network locked down as inappropriate access could effect the publics access to their needed service. So I just try to keep my heartache down and provide them with one. I don't use them except when they come to me and do the ole "I can't log in anymore". Then I have to get out my log and go log in for them. Often times explaining for the third or fourth time that they are case sensitive. So I guess it would depend on your situation as to whether you have their passwords. It will be a matter of integrity as to whether you ever use them.

Collapse -

It's a pain remembering PINs and passwords

by Gunnar Klevedal In reply to It depends on the environ ...

It is a pain remembering meaningless combinations of letters, numbers and special characters. And when I've found a god three-letter acronym that no one can guess, the next service provider requires six characters.
I am no admin. Rather I am a user among users, except that I do some local support.
We use Smart Cards with PIN codes. Every user has to remember his/her code, and the secret answers for two questions he construed himself.
I allways tell users - I don't want to know your pins or answers. Nevertheless they name their spouses,sons,daughters,pets,cars,movies etc. I've never used that information, and I tend to forget in the long run.
Users are different. Some guard the files on their home drive, and some do not know they have a home drive. Anyway I am convinced I have no right to access anyones files and folders, unless he gives me permission.

Tribute goes to John Socha

Collapse -

Depends on programs used

by zlitocook In reply to Should Techs know Users P ...

We have an all XP workstation office, if you login as the user only you can access the programs that you need. Not even an administrator can access those programs because of SOX and other restrictions. So some times you have to have access to users logins and passwords to do upgrades or fix a problem. A user can change thier password any time they want so if I need to access a system they change the password after I am done. All departments are set up with thier own GPO and security settings, we have each user locked to one computer and let others to log into the computer but can not access any other user settings on that computer. So we do need a user login to fix, update or do other things for that user.

Collapse -


by ssteinberg In reply to Depends on programs used

I have worked at companies with polar views on this. When I did have user passwords, I could configure a new pc for a user with little user interaction. Log in as user, configure Outlook/Printers and rest of profile. Deliver pc and good to go.
Meanwhile, without user passwords, I have to configure everything with the user logging in, and hanging out while I customize it. (Not that it takes long to do, but...)
At the company where I had user passwords, I also had full AD access, so I could reset their password anytime I wanted.
It comes down to security, and user inconvenience. Of course I believe I am trustworthy, but the next tech may not be. And thus not knowing the user password is frustrating for me because I have to wait on the user to complete my work. And again, I am not going to log in as them later to do malicious things.

Collapse -

BIOS passwords for laptop computers

by simon_mackay In reply to Should Techs know Users P ...


I am doing support work for a close friend of mine who is a professional art valuer who runs her business as a "one-person shop" -- i.e. a SOHO or SME job. This job has me responsible for two laptop computers and she has given me the OS password for one older unit and had me "key" the BIOS password for a new one that she just bought.

With this kind of work, I often notice that the SOHO type of user can treat their system password like their house's front-door key i.e. pass a copy of the key to a contractor or houseguest for the duration of their service or stay. They may retain the key and the householder won't often worry about whether that keyholder will revisit the premises after their tenure. This practice tends to happen more with people who aren't computer literate or simply don't have a full grasp of computing.

There should be some information on how a user can create a "contractor" password on their computer equipment, whether at OS level or BIOS level.

With regards,

Simon Mackay

Collapse -

We Know & Use Them All

by ecravens In reply to Should Techs know Users P ...

We have found that often when trouble-shooting or working a node which is logged in as an administrator will not give the same errors or settings that the "User" would have. If we go to a workstation that has had the user password changed, we simply log on as administrator, change the password of the user to one we can use, then log on as the user.

If they have changed their network password, we just change it from the server.

Our philosophy is that the equipment and software are the property of the company, provided for the user to fulfil his or her task for the benefit of the company.

Collapse -


by mary.hoerr In reply to We Know & Use Them All

I agree. I have all the user passwords. The network and admin passwords are all kept secure and never given out.

Like the other guy above, we are pretty open, and people expect others to have access to their computers and email when they're gone, except for accounting and personnel.

While in theory you ought to be able to log on as admin and do anything you need to, in my experience (with Windows 2000 and XP, at least) you can't be sure an install is going to run correctly until you log on as the user (unless the user has all admin rights). Also, you don't always get the same errors.

The security thing seems to be something of a red herring. After all, I can change the password anytime I want to, so I already have access to everything if I want it. True, if I change their password they'll know about it.

Collapse -


by awfernald In reply to Practicality

Because if you change their password for them, then the next time they try to log on, they are going to be calling you to "reset" their password. And when that happens, it logs it. Now, depending on the life cycle of your log, that may disappear before anything happens which would get people to "look" for that type of audit event. However, it's not quite as transparent as you make it seem.

Yes, you have access at any time you want, however, you do have to take an action which is "notable" to that end user, then convince them that for some odd reason their password changed on them without them doing it, or that they simply forgot the password that they had been using for the last 'x' number of months/years.

Collapse -

Security vs setting up users

by Lori Wagoner In reply to Should Techs know Users P ...

Our company has a policy that says you should never give out your password.

There have been times where it was necessary to set up profile items under the user's login and password (i.e. Outlook). At that time, I explain to the user that this can be done two ways. Either they log in and let me do the setups needed while they wait or they give me their password with the understanding that after I have set their profiles up, they must immediately change the password to something new.

When a user is new or forgets their password, we have one "system" password that is assigned to them. They must change this system password the first time they log in or understand that others could remember this password and use it to be malicious.

I agree with most commenting here that you can set up administrator groups to administrate the desktops, but when it comes to profiles, you must be logged in as the user.

Collapse -

Sarbanes-Oxley junk

by cp7212 In reply to Should Techs know Users P ...

We used to do that at our company and then the Sarbanes-Oxley Act reared it's ugly head. Now, under no circumstances whatsoever should we ask a user for their password. I accidentally asked for a password once and the user's supervisor tattled on me to my IT manager.

One day the sup was having a password problem. I came up to help her and found out she was logged on as someone else and using their account. So I narced on her. She tried to rationalize what she was doing. It didn't fly. Yes, it's immature but revenge is a dish best served cold......

I look at it this way. If I have to do something user-specific and I can't do it because of restrictions, I'm not the one who is boned.

Related Discussions

Related Forums