I am the Domain Administrator. Is there a way I can log on to a workstation, as a User, without knowing their password?
I know I can reset the user password from Active Directory. But say I did this, how can I put their old password back after I've temporarily reset it to something I know?
EDIT:
It's a nice thought to think we can configure everything through group policy, and that users are even smart enough to complete basic first-time use wizards... but this is a reality question, not a theoretical one. I agree with you, but when I'm asked to configure Outlook on a user's desktop, I will honour their request without argument.
And of course, this is ethically obtaining access, whilst the end user is on the phone to me.
IMHO, the best solution would be to use a client management tool that allows you to remotely take over a running user session for the time it takes to fix the tech problem (*).
You would call the user first, and ask him/her to make sure to close all open programs/windows that may underlie restrictive access limitations by company laws, plus, if private usage of the company computers is allowed, to close all programs/windows that may be related to that. Furthermore, the management tool will inform your user about your takeover with a message like: "Do you want to allow admin-xyz to gain control over your desktop?", and the user needs to OK that. Another good thing about that kind of software is that the user can see what you are doing on his/her machine. Much more transparent than 'fixing things in the dark'.
I also totally agree with nhinkle's comment: do not ask your users for their passwords! One thing is the mentioned social engineering factor; the other one is that you need to protect yourself from heart attacks by learning what kind of amazing passwords your users rely on...
As Domain Administrator you should be able to log on to the machine. Usually the screen says: only XXXX or an Administrator can unlock this session.
You never impersonate the user on Windows. But you switch user and then manage the session and eventually kill the user session.
By the way, I don't see any case where you would need to impersonate a user.
As a reference you can look at mssocial.
I understand both sides of this political debate. It's "best" to never log in as them but in small shops you often don't have the tools in place to do that. If you don't want to ask the user for their password (I agree you shouldn't ask) then the only option I've seen is to change their PW, then when done set it to expire, tell them the new one, and that when they log back in they will be prompted and can change it back to the old one... unless you've set your AD GPO Password Policy to remember X old passwords. In that case the only option is a new one.
Change it and let them know it has been changed (set it to change on first use once you're done so they can change it to something they want).
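The reset-then-expire procedure described in the last two answers, written out as an added PowerShell example (not code from any of the original posters). It assumes the ActiveDirectory module from RSAT is loaded, that it runs as a domain admin, and that `jdoe` is a placeholder sAMAccountName. It also adds the two checks a practitioner would want before doing this: whether the domain's password history will block the user from restoring their old password, and whether the account has PasswordNeverExpires set, which prevents the change-at-next-logon flag from working.

```powershell
# Added example, not from the original answers. Assumes the ActiveDirectory
# module (RSAT) and a domain admin session. 'jdoe' and the ticket reference
# are placeholders.
Import-Module ActiveDirectory

$User   = 'jdoe'            # placeholder account name
$Ticket = 'TICKET-PLACEHOLDER'

# 1. Check the password history depth first. If the domain remembers old
#    passwords, the user cannot set the old one back afterwards (as the
#    answer above notes) and should be told to pick a new one.
$Policy = Get-ADDefaultDomainPasswordPolicy
if ($Policy.PasswordHistoryCount -gt 0) {
    Write-Warning ("Domain remembers {0} old password(s); user will need a new password afterwards." -f $Policy.PasswordHistoryCount)
}

# 2. ChangePasswordAtLogon cannot be set on an account whose password never
#    expires, so check that before relying on the expire-on-first-use step.
$Account = Get-ADUser -Identity $User -Properties PasswordNeverExpires
if ($Account.PasswordNeverExpires) {
    throw "Account $User has PasswordNeverExpires set; clear it or use a different approach."
}

# 3. Reset to a one-off temporary value generated here, never a reused admin
#    password. Upper, lower and digits give three complexity categories.
$Chars = [char[]](48..57) + [char[]](65..90) + [char[]](97..122)
$PlainTemp = -join ($Chars | Get-Random -Count 16)
$Temp = ConvertTo-SecureString -String $PlainTemp -AsPlainText -Force
Set-ADAccountPassword -Identity $User -Reset -NewPassword $Temp

# Keep an audit trail of who reset what and why (the reset itself is also
# logged on the domain controller as event 4724).
Write-Output ("{0}: password for {1} reset by {2} for {3}" -f (Get-Date -Format o), $User, $env:USERNAME, $Ticket)

# ... log on to the workstation as the user with $PlainTemp and do the work ...

# 4. Force a password change at next logon so the temporary value is only
#    ever known to the admin for the duration of the fix.
Set-ADUser -Identity $User -ChangePasswordAtLogon $true
Write-Output "User $User must choose a new password at next logon."
```

`Set-ADAccountPassword -Reset` replaces the password without knowing the old one (the AD equivalent of the reset the question mentions), while `Set-ADUser -ChangePasswordAtLogon $true` is what makes the user pick their own value on first use. The temporary value in `$PlainTemp` has to be given to the user out of band (over the phone, as the question describes) so they can perform that first logon.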