(Primarily for network/sysadmins among the hardware/software forum crowd)
Hi Folks, this is a bit off topic in that it doesn't relate directly to AH (excepting that the less time I spend at work the more time I have available to play - I hope), but I have a request for those of you out there that maintain a network of computers in a Microsoft domain environment (i.e. a secured work environment).
What authentication tools do you use that permit the network administrators to log in, remote to, and/or unlock a domain workstation without requiring them either to know the logged-in user's password or to force a reset of the user's session and/or password?
If this is confusing, hopefully what I mean can be made clear by way of example:
Bob is an admin. Bill is a user. Bill has a problem with an application on his computer. Bob needs to sign in to the computer to address the problem, but he needs to sign in as Bill, not Bob. Or, very similarly, Bill is out of the office for the day and he needs Bob to do something to his computer, using a tool already running on the computer under Bill's session, or not yet running but using settings that are associated with Bill's account, such that if Bob signs on to the computer as himself, the problem doesn't exist or the software isn't running any more.
Of course, Bob can gain access if he resets Bill's password, but he then has to communicate this to Bill. Also, Windows goes brain-dead at times if an administrator changes the user's password (heck, it does it sometimes even if the user changes their own password!), and will use a cached password to attempt to authenticate over and over until the account gets locked out, unless the machine is restarted after the password change.
The reason that this is such an issue is that much of the vertical market software that we run - and that I have no way to change, as much as I might rant - is still Windows bleckware, in that it requires that a) the software be installed while the user who will be operating it is logged in, and will work properly only for that user and no others on that system, and b) the user be a local administrator of the machine, generally both at the time of installation and in most instances also at the time of operation, or it either fails to operate entirely or fails in some highly important regard.
Under NT through XP, I've maintained a dual-login procedure, where the user logs into the local computer as a local administrator (but not into the domain) using a standardized, unchanging password scheme, and then attaches to the network resources via a secondary process using a domain ID and password. This is so I or my single staff guy could always go to the machine and log in as the user of the system, yet the actual resources of potential value are secured to the individual user.
But as the Microsoft software matures (or more accurately continues down the single-authentication path) the dual-login paradigm is becoming increasingly problematic, as the system and resource hierarchy is increasingly based upon the user session. We're at least a year away from a Windows 7 changeover, but I intend to do away with dual-login then - and one of the challenges is making sure that managing the systems isn't as much of a headache as it currently is with the few Windows 7 systems we have in play.
I've looked at ScreenPass, and while that would work great for "walk up and fix", it doesn't resolve the issue of "jumping into" the user session via RDP.
So what do you guys do? Feel free to PM me with replies instead of openly posting if that seems more suited to your response.
Thanks!
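As an added example for the lockout symptom described in the post (this is not code from the original post or from any tool mentioned in it), the PowerShell script below shows how an admin can confirm that a locked-out account really is the "cached password retried until lockout" pattern, and find which machine the stale logon is coming from, before touching anything. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, the account running it can read and unlock user accounts and read the Security log on the domain controller, and the user name and workstation name are placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT). $User and $Workstation are placeholder values.
param(
    [string]$User        = 'bill',       # placeholder sAMAccountName
    [string]$Workstation = 'WS-BILL01'   # placeholder computer name
)

Import-Module ActiveDirectory

# badPwdCount and lockoutTime are not replicated between domain controllers,
# and failed logons are forwarded to the PDC emulator, so query it directly.
$pdc = (Get-ADDomain).PDCEmulator

$props = 'LockedOut', 'BadPwdCount', 'LastBadPasswordAttempt',
         'PasswordLastSet', 'AccountLockoutTime'
$acct = Get-ADUser -Identity $User -Server $pdc -Properties $props

[pscustomobject]@{
    User                   = $acct.SamAccountName
    LockedOut              = $acct.LockedOut
    BadPwdCount            = $acct.BadPwdCount
    LastBadPasswordAttempt = $acct.LastBadPasswordAttempt
    PasswordLastSet        = $acct.PasswordLastSet
    AccountLockoutTime     = $acct.AccountLockoutTime
} | Format-List

# A lockout shortly after PasswordLastSet, with bad attempts still arriving,
# is the stale-cached-password pattern. Security event 4740 on the PDC
# emulator names the "Caller Computer Name" that triggered the lock.
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 50 |
    Where-Object { $_.Message -match "Account Name:\s+$([regex]::Escape($User))\b" } |
    Select-Object -First 5 TimeCreated, Message |
    Format-List

# Show who is still logged on to the workstation, so the lingering session
# can be logged off (or the machine restarted, as the post describes).
Write-Host "Interactive sessions on ${Workstation}:"
quser /server:$Workstation 2>$null

# Unlock only after the stale session is gone; otherwise the cached
# credential is retried and the account simply locks again.
if ($acct.LockedOut) {
    Unlock-ADAccount -Identity $User -Server $pdc
    Write-Host "Unlocked $User on $pdc"
}
```

Run it as `.\Check-StaleLockout.ps1 -User bill -Workstation WS-BILL01` (script name and arguments are placeholders). The 4740 lookup is the part that saves time: it tells you which computer is replaying the old password, which is not always the user's own desktop (a second machine, a mapped drive, or a scheduled task left running under the old credential will do the same thing).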