Author Topic: request for administrative login tools  (Read 637 times)

Offline Ghastly

  • Silver Member
  • ****
  • Posts: 1756
request for administrative login tools
« on: August 24, 2010, 03:19:57 PM »
(Primarily for network/sysadmins among the hardware/software forum crowd)

Hi Folks, this is a bit off topic in that it doesn't relate directly to AH (excepting that the less time I spend at work the more time I have available to play - I hope), but I have a request for those of you out there that maintain a network of computers in a Microsoft domain environment (i.e. a secured work environment).

What authentication tools do you use that permit the network administrators to log in to, remote to, and/or unlock a domain workstation without requiring them either to know, or to force a reset of, the logged-in user's session and/or password?

If this is confusing, hopefully what I mean can be made clear by way of example:

Bob is an admin.  Bill is a user.  Bill has a problem with an application on his computer.  Bob needs to sign in to the computer to address the problem, but he needs to sign in as Bill, not Bob. Or, very similarly, Bill is out of the office for the day and he needs Bob to do something to his computer, using a tool already running on the computer under Bill's session, or not yet running but using settings that are associated with Bill's account, such that if Bob signs onto the computer as himself, the problem doesn't exist or the software isn't running any more.

Of course, Bob can gain access if he resets Bill's password, but he then has to communicate this to Bill.  Also, Windows goes braindead at times if an administrator changes the user password (heck, it does it sometimes even if the user changes their password!), and will use a cached password to attempt to authenticate over and over until the account gets locked out, unless the machine is restarted after the password change.

The reason that this is such an issue is that much of the vertical market software that we run - and that I have no way to change, as much as I might rant - is still Windows bleckware, in that it requires a) that the software be installed while the user who will be operating it is logged in, and it will work properly only for that user and no others on that system, and b) that the user be a local administrator of the machine, generally both at the time of installation and in most instances also at the time of operation, or it either fails to operate entirely or in some highly important regard.

Under NT through XP, I've maintained a dual-login procedure, where the user logs into the local computer as a local administrator (but not into the domain) using a standardized, unchanging password scheme, and then attaches to the network resources via a secondary process using a domain id and password.  This is so I or my single staff guy could always go to the machine and log in as the user of the system, yet the actual resources of potential value are secured to the individual user.

But as the Microsoft software matures (or more accurately continues down the single authentication path) the dual login paradigm is becoming increasingly problematic, as the system and resource hierarchy is increasingly based upon the user session. We're at least a year away from a Windows 7 changeover, but I intend to do away with dual-login then - and one of the challenges is making sure that managing the systems isn't as much of a headache as it currently is with the few Windows 7 systems we have in play.

I've looked at ScreenPass, and while that would work great for the "walk up and fix" case, it doesn't resolve the issue of "jumping into" the user session via RDP.

So what do you guys do? Feel free to PM me with replies instead of openly posting if that seems more suited to your response.

Thanks!
"Curse your sudden (but inevitable!) betrayal!"
Grue

Offline Dragon

  • Platinum Member
  • ******
  • Posts: 7055
      • AH JUGS
Re: request for administrative login tools
« Reply #1 on: August 24, 2010, 03:25:21 PM »
Quote
But as the Microsoft software matures

This is where I fell out of my chair.   :lol :lol
SWchef  Lieutenant Colonel  Squadron Training Officer  125th Spartan Warriors

Offline Heater

  • Silver Member
  • ****
  • Posts: 1381
Re: request for administrative login tools
« Reply #2 on: August 26, 2010, 02:07:49 AM »
IF I understand you correctly...
then it sounds like you need to be able to take control and / or monitor the remote system...
the remote desktop function may help in some cases but not all....

We used to use PCAnyWhere

But have moved on to Linux :)
HiTech is a DWEEB-PUTZ!
I have multiple personalities and none of them like you !!!


Offline RTHolmes

  • Plutonium Member
  • *******
  • Posts: 8260
Re: request for administrative login tools
« Reply #3 on: August 26, 2010, 06:23:29 AM »
yeah this is a major PITA. although you can change users' local account passwords from the administrator account (then just give them the temp password and let them reset it) it seems to cause plenty of problems like losing stored web passwords. it's like windows doesn't trust the root account (bizarre behaviour if you come from a *nix background), or perhaps the keychain is just badly implemented.

why not just have the user accounts authenticate via the PDC rather than locally? then you can change passwords temporarily on the PDC which seems to avoid the issues above, then give the user the temp password so they can reset it. you don't have to use roaming profiles if you don't want to, just domain auth with local profiles.

also do you really have to give users administrator accounts (even locally)? not a great idea ...
71 (Eagle) Squadron

What most of us want to do is simply shoot stuff and look good doing it - Chilli

Offline Ghastly

  • Silver Member
  • ****
  • Posts: 1756
Re: request for administrative login tools
« Reply #4 on: August 26, 2010, 10:28:53 AM »
Unfortunately, a *nix based solution would solve the problem - but would eliminate the software we need to use too.  I run Linux on my laptop, but it won't work as a general workstation because of how married we are to several vertical market apps that are WinX only.

RTHolmes, that's exactly what we do now, but it's definitely not ideal.   Especially since, if you change the user password while they have a session already open so you can unlock the workstation, and they have something like Outlook or a search tool indexing process that's Outlook aware, or even some of the applications that are UNC aware, running, at times Windows goes into a loop where it repeatedly attempts to authenticate with the cached password and you have to restart the workstation in order to keep the user account unlocked long enough to authenticate - you can't even unlock the screen saver to save what's running.  It's literally a forced shutdown.  That works real well when they're running a project that might have been running for several hours (or perhaps days) when you take it down.

And I agree, software that requires the user to be a local administrator before operating correctly sucks.  Unfortunately, of the 20 employees at our firm 18 use one of 2 applications that require it virtually all day every day, while a significant number use one or more of several others from time to time.   And since we've been using these software applications since the firm was a firm, and changing the software over to something else (much of which isn't much "better behaved") would be a multi-million dollar project taking a minimum of a year tying up myself and my other IT guy full-time - let's just say that it ain't going to happen, and even I wouldn't want it to unless it's for a significantly more important reason.

Dragon, what I meant by matures (I'm not quite sure which way you took it) is that Windows had its start as an application running single user/single application on top of a single user OS platform.  The stuff I'm struggling with now was put to bed in *nix and other mini/mainframe OSes - designed to be multi-user - nearly 50 YEARS ago.   MS is still trying to transition Windows to be "real" - hampered by the fact that they don't want it to actually 'be' a multi-user OS.

Thanks for the replies, gents.  I do appreciate it.  I was hoping that someone had an insight into an alternative authentication system that could be integrated into the domain that would solve this.  I can't find one, but it's not the sort of software most small companies are generally searching for.

<S>
"Curse your sudden (but inevitable!) betrayal!"
Grue
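The lockout loop Ghastly describes in the opening post and again above (an admin resets a user's password while the user's open session keeps presenting the old, cached one until the account locks) leaves a recognisable trail in the Security event log, and catching it early is the difference between a quick workstation restart and a locked account. The script below is an added example for this thread, not code from the thread or from any product it names. It correlates a password reset (event 4724) with the burst of wrong-password failures that follows from one source (4625 with status 0xC000006A on the target machine, or on a domain controller 4771 with failure code 0x18 / 4776 with 0xC000006A) and notes whether the lockout (4740) has already happened. The pipe-delimited export format, the sample events and the five-minute window are this example's own assumptions; a real export via wevtutil or Get-WinEvent would need a different parser, but the correlation logic is the same.

```python
"""Flag the 'stale cached password' loop that follows an admin-driven password reset.

Added example; not code from the thread or any product named in it.  Input is a
constructed pipe-delimited export of Security events, one per line:
    timestamp|event_id|user|source|code
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows Security event IDs and failure codes (real values; the line format is not).
EVT_PASSWORD_RESET = 4724    # an attempt was made to reset an account's password
EVT_ACCOUNT_LOCKOUT = 4740   # a user account was locked out
BAD_PASSWORD = {             # (event id, code) combinations that mean "wrong password"
    (4625, "0xC000006A"),    # logon failure logged on the target machine
    (4771, "0x18"),          # Kerberos pre-authentication failed (domain controller)
    (4776, "0xC000006A"),    # NTLM credential validation failed (domain controller)
}

# Constructed sample: the admin resets BILL's password at 09:00:00 while BILL's
# session on WS-BILL is open; Outlook/UNC-aware apps keep retrying the old
# password until the account locks.  ALICE's single failure is background noise.
SAMPLE_LOG = """\
2010-08-26T09:00:00|4724|BILL|WS-ADMIN|-
2010-08-26T09:00:07|4776|BILL|WS-BILL|0xC000006A
2010-08-26T09:00:12|4776|BILL|WS-BILL|0xC000006A
2010-08-26T09:00:18|4625|BILL|WS-BILL|0xC000006A
2010-08-26T09:00:25|4776|BILL|WS-BILL|0xC000006A
2010-08-26T09:00:31|4625|BILL|WS-BILL|0xC000006A
2010-08-26T09:00:33|4740|BILL|WS-BILL|-
2010-08-26T09:15:00|4625|ALICE|WS-ALICE|0xC000006A
"""


@dataclass
class Event:
    when: datetime
    event_id: int
    user: str
    source: str      # workstation name or client address, as the event reports it
    code: str        # status / failure code, "-" when the event has none


def parse_events(text):
    """Parse the assumed export format into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, event_id, user, source, code = line.split("|")
        events.append(Event(datetime.fromisoformat(when), int(event_id),
                            user.upper(), source, code))
    events.sort(key=lambda e: e.when)
    return events


def find_cached_credential_loops(events, window=timedelta(minutes=5), threshold=3):
    """Correlate each password reset with the wrong-password burst that follows.

    For every 4724 reset of a user, count wrong-password failures for that user
    per source within `window`; a source at or above `threshold` is a session
    still presenting the old password.  Returns one finding per such source,
    noting whether the account has already been locked out (4740)."""
    findings = []
    for reset in (e for e in events if e.event_id == EVT_PASSWORD_RESET):
        deadline = reset.when + window
        failures = defaultdict(int)
        locked_out = False
        for e in events:
            if e.user != reset.user or not (reset.when < e.when <= deadline):
                continue
            if (e.event_id, e.code) in BAD_PASSWORD:
                failures[e.source] += 1
            elif e.event_id == EVT_ACCOUNT_LOCKOUT:
                locked_out = True
        for source, count in sorted(failures.items()):
            if count >= threshold:
                findings.append({
                    "user": reset.user, "source": source, "failures": count,
                    "reset_at": reset.when, "locked_out": locked_out,
                })
    return findings


if __name__ == "__main__":
    for f in find_cached_credential_loops(parse_events(SAMPLE_LOG)):
        state = "already locked out" if f["locked_out"] else "not yet locked out"
        print(f"{f['user']}: {f['failures']} bad-password attempts from "
              f"{f['source']} after reset at {f['reset_at']:%H:%M:%S}; {state}")
```

Run against the sample it reports BILL's five attempts from WS-BILL with the account already locked; on a live domain the useful version watches the domain controllers' logs (4771/4776), since that is where every retry from the stale session ends up regardless of which file server or mailbox the application was talking to, and fires before the 4740 rather than after it.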

Offline RTHolmes

  • Plutonium Member
  • *******
  • Posts: 8260
Re: request for administrative login tools
« Reply #5 on: August 26, 2010, 11:09:37 AM »
Quote
Windows had its start as an application running single user/single application on top of a single user OS platform.  The stuff I'm struggling with now was put to bed in *nix and other mini/mainframe OSes - designed to be multi-user - nearly 50 YEARS ago.   MS is still trying to transition Windows to be "real" - hampered by the fact that they don't want it to actually 'be' a multi-user OS.

yeah, incredible isn't it? windows kinda looks ok from a user POV, peek under the hood as a sysadmin and it's a complete dog's dinner. I'm beginning to think ACLs are the only thing MS has done right over the years.

apps that require an admin account to run under? on an OS which is so vulnerable to malware? just ... don't get me started on windows software suppliers ...


anyhoo I read your post as currently:

USER/MACHINE logs onto MACHINE/DOMAIN, then logs in to network resources as USER/DOMAIN.

I was suggesting trying:

USER/DOMAIN logs onto MACHINE/DOMAIN, then connects to network resources transparently as USER/DOMAIN.

you could then store the USER/DOMAIN profile either locally on the MACHINE, or if you want as a roaming profile on the NT domain controller (PDC). this is how we do it at the moment, with everything authenticating via the DOMAIN, but the profiles stored locally. I'm going to implement roaming profiles at some point (not needed for roaming, but vastly simplifies backups), but we had problems with the profiles being corrupted and slow logons so reverted to locally stored profiles.

changing a user's password on the DOMAIN seems to avoid the problems you get when changing a user's password on a MACHINE, although I can't remember exactly how it deals with network resources it's already connected to. iirc the connection persists.
71 (Eagle) Squadron

What most of us want to do is simply shoot stuff and look good doing it - Chilli

Offline Ghastly

  • Silver Member
  • ****
  • Posts: 1756
Re: request for administrative login tools
« Reply #6 on: August 26, 2010, 01:35:47 PM »
Quote
USER/DOMAIN logs onto MACHINE/DOMAIN, then connects to network resources transparently as USER/DOMAIN.

This is how the Windows 7 systems currently do - it must be one of the apps that has a cached password.  It doesn't happen all the time - just often enough to be a huge PITA.


Quote
USER/MACHINE logs onto MACHINE/DOMAIN, then logs in to network resources as USER/DOMAIN.

This is what I've done from NT through XP, and what I need to do away with.  Too much of the current software bases too much of its functionality off of the session credentials - or in this example, USER/MACHINE.

Anyways, thanks for the responses.  I'll keep looking for a good solution.

<S>
« Last Edit: August 26, 2010, 01:38:04 PM by Ghastly »
"Curse your sudden (but inevitable!) betrayal!"
Grue

Offline Reschke

  • Platinum Member
  • ******
  • Posts: 7724
      • VF-17 "The Jolly Rogers"
Re: request for administrative login tools
« Reply #7 on: August 26, 2010, 03:23:33 PM »
I can ask our IT guys what they would suggest since they are still dealing with XP based systems and honestly we are probably 2-3 years away from upgrading to Win7 systems unless we are forced into it when we get our new laptops. However we are sitting on so many laptops due to laying off people that I would not be surprised if they don't start recycling ours back around mid-year next year. Our company went from 500 to 150 employees and of those probably 1/2 of the ones laid off had laptops instead of desktops.
Buckshot
Reschke from March 2001 till tour 146
Founder and CO VF-17 Jolly Rogers September 2002 - December 2006
"I'm baaaaccccckkk!"

Offline Reschke

  • Platinum Member
  • ******
  • Posts: 7724
      • VF-17 "The Jolly Rogers"
Re: request for administrative login tools
« Reply #8 on: September 01, 2010, 09:20:46 AM »
The IT department at the company I work for uses Bomgar http://www.bomgar.com/ for all their admin stuff and it works pretty well through a VPN from what I can tell. They have installed updates and changed configurations and other things on my work laptop with me watching. I think they need to have authorization from the user but I seem to remember them telling me that when I am logged into the physical network at the home office in Wisconsin they can do anything they need to without my consent...meaning I don't have to hit a link for them to access the system using Bomgar...or maybe that is something else in the Novell client that we have to log into to get access to SAP.
Buckshot
Reschke from March 2001 till tour 146
Founder and CO VF-17 Jolly Rogers September 2002 - December 2006
"I'm baaaaccccckkk!"

Offline Ghastly

  • Silver Member
  • ****
  • Posts: 1756
Re: request for administrative login tools
« Reply #9 on: September 01, 2010, 02:34:10 PM »
Many thanks Reschke!  I'll look at it; a quick look at the web site looks promising.

Guy
"Curse your sudden (but inevitable!) betrayal!"
Grue