How often do you login as a user?
Posted by corruptboomerang@reddit | sysadmin | 326 comments
So I work for a small organisation, about 75 staff. Anyway, we've been deploying new devices, and my boss wanted me to log in as the user to make sure. He then said, even if I change someone's password through AD, I should log in as them 'to make sure'... Obviously, this is not best practice. But at the end of the day, I get paid...
So it got me thinking, how often do you actually log in as one of your users (not as a test user or anything, actually log in as the user)?
Forumschlampe@reddit
As another personal user? Never
sderby@reddit
Wtf never
InitiativeEconomy881@reddit
The amount of replies from admins saying the opposite is mind boggling. If you are in any way decent at the role, there is never a legitimate need to sign in as the user.
yummers511@reddit
Pretty much everything can be scripted or figured out ahead of time, but we have someone log in as the user's account before they start just to get the Outlook etc. first runs and setup out of the way as well as a brief spot check. Once that's done, the account is marked to change password on next sign in and the next person to sign in is the new employee on their first day.
colajunkie@reddit
So you put that company wide mail "the CEO is a dick" into his outbox!
badaz06@reddit
Agree and disagree. Technically, you're 100% right, but that small-shop mindset is hard to break from, and even if OP tells the CEO of the company that this is not a best practice, the CEO is likely to tell the OP that it's his company and he ultimately determines what is and isn't a best practice.
This isn't the hill to die on.
i8noodles@reddit
I disagree completely here. I would never do that even if the CEO told me. The reason is, the CEO doesn't own the business; they work FOR the business. In some cases, yes, they are both owner and CEO, but that's rare if you have a business large enough to require a full-time admin, and they don't know them personally.
rosseloh@reddit
One day we'll be at the point where my users know how to put all their data in OneDrive or on a server share and log into accounts by themselves. And where I have a bunch of useful automation doing all the things I currently do manually to transfer stuff they haven't done that way.
One day.
One day we'll also have users who know how to read the really obvious instructions on how to set up their own MFA, too...
bobbybignono@reddit
Same here. If I did, I would have to go to the security officer to get yelled at, no thank you.
When users get the new laptop they have to log in and we help them set up Outlook and additional mailboxes & other software.
Boilergal2000@reddit
User has to set up MFA at first log on, so never.
darkvash@reddit
Exactly. I don't even try to log in.
shikkonin@reddit
That is the only correct answer.
jack1729@reddit
And not even then (at Never)
FlickKnocker@reddit
While more time-consuming, the best course of action would be to arrange a time to either remotely or physically review the setup with the end user, particularly C-level or VIP users.
"Hi John, I just wanted to make sure everything went smoothly with our setup steps. Can I shadow you for a few minutes to make sure everything seems ok?".
Nice way to build rapport/trust with users, and you're there if something is wrong to fix it and update your documentation/scripts, etc. if something is not right on your end.
Middle-Program-8839@reddit
This is what I do.
corruptboomerang@reddit (OP)
Oh that would be very bad... Because my boss would want to take the credit, but also have me do all the work. 😅😂
FlickKnocker@reddit
Making your boss look good can make you indispensable and gives you ammo for performance reviews, raises, etc.
corruptboomerang@reddit (OP)
My boss isn't the one who gives pay rises, but also long term I don't see them as having the budget to give me significant pay increases.
Downtown_Struggle_62@reddit
He's gonna do that anyway.
IdiosyncraticBond@reddit
And blame you for all that goes wrong
corruptboomerang@reddit (OP)
Yes. A few months ago, I was told at 4pm, just update app on X VM, it'll just be a quick fix, we need it done for tomorrow.
I should have twigged when I noticed the last update was in 2012 (I suspect that was the last time we had an actually competent IT person, because that's when most of the proactive stuff stopped being done; now if it's not broken, we don't touch it). But needless to say there was a problem: turns out the database was in single-user mode, and needed to be in multi-user mode. Anyway, it took me hours to work out what was going on, and the system was down for a few hours during the process. Needless to say, despite asking/telling my boss every step I was taking and all the steps I was doing to troubleshoot it... I was blamed for it.
Downtown_Struggle_62@reddit
That's the job.
TheBlargus@reddit
This is very bad practice. The deployment process should be fixed to where needing to follow-up is not a thing.
DasaniFresh@reddit
Disagree. This is just an example of high touch service. You’re not getting the user’s password but still providing high end service to the C-suite employee. IT is a service to the employees who make the company money. It makes IT look good and puts the end user at ease. If they decline the assistance, fine, here is our help desk phone number. Please call if you end up needing assistance.
TheBlargus@reddit
That doesn't scale at all. Services like Autopilot are designed to address this very issue. Good IT is passive to the user and doesn't need any kind of white glove service.
DasaniFresh@reddit
Maybe in a large corporate setting but I’ve found the white glove service goes a long way in the small-medium business world. We have all of our laptops enrolled in autopilot/intune so 99% is done automatically, but we still sit with our executives and their assistants for onboarding a new device to answer any questions. You’d be amazed how far that goes with that group of boomers.
apatrol@reddit
For sure. We even had dedicated white glove techs. Basically the people with good personalities. Lol
posixUncompliant@reddit
You don't work with the right (or wrong, I guess) kind of users.
Also, you really don't want the C-Suite thinking that IT is passive.
Pyrostasis@reddit
Yes, in a perfect world with well-documented processes, functional teams, and an IT department that isn't also expected to semi-train users on the basics to do their job.
Unfortunately for those of us in smaller environments this is not always the case.
maximumtesticle@reddit
Fucking thank you. Can't stand these replies where they're like, "DUH DO IT THIS WAY!" Yeah, we don't all have unlimited budgets and buy in from the brass.
FlickKnocker@reddit
How do you know if/where the process is broken without interacting with the users? Logs don’t tell you everything.
fausto_@reddit
This is the way.
ConsoleChari@reddit
I am actually doing that right now. New PM and I am just checking everything is working fine. Solo IT; we have about 160 people.
ChaoticCryptographer@reddit
Never. That's their account and best security practices mean they're the only one who uses it.
JustinHoMi@reddit
Literally never?
i8noodles@reddit
Never. After a build I would log in as myself to see if it is working. If it is working, the odds are pretty good it will also work for the user.
When laptops are handed out, I have them log in and then do anything they need. No matter the situation, I will never log in as a user without the user being present.
Polar_Ted@reddit
Around never. I don't want to know their password. Ever. Best solution is to implement MFA and get self service password reset configured.
BitteringAgent@reddit
Only new employees. When our helpdesk sets up a workstation for a new employee, they log in as that user to set up the profile a bit. Basic stuff like pinning Outlook to the taskbar and logging into it for the first time. Then when the new user starts, the helpdesk person will do IT Orientation. At this time they will mark the user object to require a password change at next login. Helpdesk will put in the password they know and then have the new employee set their password on that login. Once that happens it is against policy to share accounts with anyone.
strifejester@reddit
Same here; the last step before we ship out the PC is to change the password and set it to change at next login. If I catch a tech asking for a user's password I lose it.
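The handover step the two comments above describe (reset to a throwaway password, flag the account so the new hire must change it on first logon), as an added example that is not from any poster. It assumes the ActiveDirectory PowerShell module and rights to reset passwords on the target OU; the account name `jdoe` is constructed.

```powershell
# Added example: hand a pre-staged AD account to its new owner so that the
# helpdesk copy of the password stops working after the first logon.
# Assumes the RSAT ActiveDirectory module; 'jdoe' is a constructed sample account.
Import-Module ActiveDirectory

function Invoke-AccountHandover {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $Length = 20
    )

    # Throwaway password from a CSPRNG; it only has to survive until first logon.
    $alphabet = [char[]]((48..57) + (65..90) + (97..122) + (33, 35, 36, 37, 38, 42, 64))
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes    = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    $plain    = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    $secure   = ConvertTo-SecureString $plain -AsPlainText -Force

    # Reset (not change) so no knowledge of the previous password is needed.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure

    # Force rotation at next interactive logon: from here on the helpdesk copy is one-time.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

    # Verify the flag actually took: pwdLastSet = 0 means "must change at next logon".
    $u = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet

    [pscustomobject]@{
        User              = $SamAccountName
        MustChangeAtLogon = ($u.pwdLastSet -eq 0)
        TemporaryPassword = $plain        # hand over out of band, then discard
        HandoverBy        = $env:USERNAME # who staged it, for the ticket/audit note
        HandoverAt        = (Get-Date).ToString('o')
    }
}

# Sample run against the constructed account.
Invoke-AccountHandover -SamAccountName 'jdoe'
```

If `MustChangeAtLogon` comes back `$false`, the account most likely has "Password never expires" set, which blocks the flag; clear that attribute before shipping the PC.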
Nonstop_norm@reddit
What do you do for Microsoft gremlins where, say, fucking Outlook will not log in for no god damn good reason you can find (sorry, it gave me hell today) and you are just throwing shit at the wall and rebooting constantly?
I work in a small company and often times people literally cannot spare the hour troubleshooting time I may need to figure it out so we end up doing it while they are at lunch.
We just reset their password and prompt them to reset when they get the machine back. Seems relatively harmless to me. Idk what else I would do. We don’t have the budget for bomgar and our remote agent doesn’t allow for auto login on next reboot. So we are basically stuck doing it that way.
When money is tight. Sometimes you gotta do what you gotta do.
Lylieth@reddit
Why not simply leverage GPOs + Powershell for stuff like this?
BitteringAgent@reddit
You can have a GPO or Intune Policy push a powershell script to open Outlook for the first time on a profile? Is that a computer or user policy?
Lylieth@reddit
The comment mentioned, pinning outlook to the taskbar, not opening it.
But, ANY program can be configured to auto-launch for an EU via GPO pretty easily; I'd assume there is possibly an equivalent in Intune. PowerShell is just used to set the local GPOs via registry edits, if needed. Triggered as a sign-on script run under said user's privileges, so it only impacts their profile.
BitteringAgent@reddit
If I worked for a company with thousands of employees, I could see this being worth the squeeze. But for a small company where 80% of the employees work in office, it isn't worth the squeeze. It takes helpdesk 5 minutes at the end of the computer setup to do these tasks for 1-2 new hires per month.
I prefer a new user onsite to be able to log in for the first time and have everything they need just be there. I don't want the tech sitting with the user for extra time for first-login scripts to run on the computer when that work could have been done before the new employee logs in for the first time.
nascentt@reddit
I don't understand this thinking
It takes 10 mins or less to set up once. It'd take ten minutes just to log in to a host as a user to pin taskbar shortcuts once.
CanadianIT@reddit
It does not take 10 minutes or less to set up once as a group policy in those environments XD
Let’s do the math.
Set up a new group policy: okay, you touch your GPOs once every 6 months, so first you need to start by relearning your group policy assignment, scoping, and editing basics, which takes 1-3 hours.
Now you can actually start making this new GPO. You start. Windows 11 broke the most popular windows 10 guides, so you waste 3 hours chasing ghosts.
You found the right guide! You follow it! It takes… 45 minutes to implement and test enough times to be confident it works in several different scenarios and failure points.
Great! You’ve spent 5-7 hours implementing a “basic gpo anyone can do in 15 minutes” to save…. 10 new users a year? 10 minutes? Congratulations, your automation will pay itself off in… a minimum of 3 years.
Oops, the outlook app is deprecated/windows 12 launched/windows 11 changed pinning things again/you moved from on prem AD to EntraID and all of your theoretical time savings went out the window and you shoulda just done it by hand.
binaryhextechdude@reddit
1 or 2 new hires a month would be nice. We had 120 new staff rock up on Jan 6th to start training.
BitteringAgent@reddit
Yeah, if that was the case, I'd be automating this task for sure.
sham_hatwitch@reddit
I would suggest you automate anyway; it makes your infrastructure and policy/procedures scalable, which is a nice-sounding word to C-suites or owners, and also builds your own skill set and shows you have an understanding of best practices. As you go up in org size that is always something they are going to be looking at.
Lylieth@reddit
What is or isn't worth the squeeze should 100% depend on how easily said things are to implement. I'm not talking about standing up AD and GPOs, I'm talking about using them if they're already there. IF you're not leveraging AD\GPOs, even with only 15-30 EUs, I'd argue you're doing it wrong.
The first-time logon on our systems only takes... 90 seconds. Why make assumptions they'd be sitting there waiting "extra" time as if it were 30-60 min?
Personally, I just disagree with doing everything manually each and every time. Just a waste of time.
Additional-Coffee-86@reddit
As a small company. Keeping automation up to date is often more headache than simply manually doing things. If you’re onboarding 10 people a year. Having to research and update new scripting languages every 6 months is not saving time.
Capable_Papaya8234@reddit
Don't remake the wheel every 6 months. PowerShell you set up to do these things 10 years ago would still work today with little or no changes. Manual may feel "easier" to you, but every time someone touches something manually is a chance they make a mistake.
Most scripts and gpo won't need a lot of research or changes for a while. Windows 10/11 messed that up with the start menu and app pinning, but mostly it doesn't change a lot and will work once in place.
Applejuice_Drunk@reddit
You're still asking a company who likely doesn't have someone experienced in powershell to be doing a lot of what you suggest. You'd be surprised at how much manual stuff is done in small companies because IT is a very low budget department.
KnowledgeTransfer23@reddit
That's less of an issue if your company allows any access to an LLM at all. Getting PowerShell scripts to do things like this doesn't take very long: ask a question, test their response, tell it what it did wrong, accept its robotic attempt to appear apologetic, test its new response, usually it works how you want it to.
Additional-Coffee-86@reddit
Until powershell changes a command. Or a key application doesn’t integrate. Or a key application changes their api. Or chrome adds a setting. Or windows changes a registry key…etc.
Breezel123@reddit
I tried to figure out a way to pin apps to the task bar and just gave up. Not worth the hassle for the amount of users I onboard.
way__north@reddit
In a very small org, maybe not so much time is wasted doing things manually, but having as many settings etc. as possible be consistent is a huge time saver, e.g. when troubleshooting.
BitteringAgent@reddit
I agree that most everything should be automated if it can be. For this organization, this automation is not worth the squeeze.
fourpuns@reddit
Oof, this would be hard. You'd need to have it run at first login, launch Outlook, find and click the buttons for Outlook opening and do it all in hidden windows.
Now why a user can't just click through Outlook's first launch? No idea, but that's a better solution to me.
Lylieth@reddit
Huh? There are many ways to do this that don't include all that nonsense.
fourpuns@reddit
TIL
derefr@reddit
To be clear, I think they're talking about wanting the side-effects of already having launched the program once, before the user ever logs in themselves. They don't want the program to auto-launch on the first "attended" login of the user.
patmorgan235@reddit
Just set up zeroconf
https://www.alitajran.com/automate-outlook-configuration/
BatemansChainsaw@reddit
This is what we did at an old company of mine. We self-hosted exchange and it went exceptionally well.
itsam@reddit
PowerShell in a RunOnce reg key, it's super easy
PowerShellGenius@reddit
Because they deliberately increase the complexity of doing these things. There is no simple GPO for "don't pin Edge to the taskbar" or "pin this list of apps to the taskbar" with a GUI editor. They make it possible so enterprises could do it, but they make you edit XML and distribute the file or put it in an image.
The idea is that they can claim in court it is possible - and big customers who would raise a fuss can have their very competent sysadmins do it easily - but it's not easy for a small business, whose IT is primarily new grads or people who couldn't make it in companies that can pay more, to de-bloat Windows of unwanted other Microsoft products and prevent steering users towards Edge.
sham_hatwitch@reddit
We just pin to the Start Menu and tell users that's all Microsoft provides support for and encourages. Should you want it done another way, you are free to do that on your own. Click Start and all your apps are there.
Hollaic@reddit
A lot of this can be done with default domain/local profiles
Gloomy_Stage@reddit
There really shouldn’t be a need for this. We have a 100% fully automatic onboarding process. From HR system to AD including group allocation followed by a PDF user handbook with login details sent to department manager. Everything else is group policy and Intune.
SSO takes care of all other third party integrations.
The only time we ever need to intervene is if there is a random one-off role that may need specific permissions.
BitteringAgent@reddit
All depends on the company and what kind of culture they’re trying to build. This is a small ~200 employee company that the owner wants everything to have a personal touch. By having an in person IT Orientation, you’re putting a face to IT and making the new employee feel more comfortable coming to IT with questions.
JazzlikeSurround6612@reddit
Yep same procedure at my place.
anonymousITCoward@reddit
Pinning apps to the bar or Start Menu can be set at build with PowerShell/JSON
Sewef@reddit
Maybe you can find this useful to pin to taskbar: https://github.com/0x546F6D/pttb_-_Pin_To_TaskBar
Key-Trainer9381@reddit
No … just … no. Never login as a user. Trust your automation instead.
TheRealLambardi@reddit
We don't even do that anymore (albeit a rare occasion); Intune + Autopilot has removed that need for the most part. Essentially users get a blank laptop, standard off the shelf. Login and the registration, MFA, security, software happens then.
That said we are a lean company and keep a handle on 3rd party apps.
qejfjfiemd@reddit
This is the way
Unable-Entrance3110@reddit
This is how we do it as well.
There are rare occasions where we will give the user an option of providing their password to us if they are comfortable with it in order to, for example, swap a computer out while they are out of the office.
We will then set the "change password" flag to force a rotation after we are done.
BitteringAgent@reddit
I wouldn't even do that. What if they use that password for one of their banking systems and it gets hacked? What if a bad email goes to the CEO from that account? IT could then be blamed for this. Would either of these scenarios happen, probably not. But I'm not going to risk it. It's just bad security practice to ever share a password. You're also setting the precedent with the employee that sharing credentials is OK.
Unable-Entrance3110@reddit
It's rare and we have a good relationship with our users. It's a small org of less than 150 people. We pride ourselves on providing an exceptional experience.
I would say we do this maybe one or two times a year, if that, and it's always presented to the user as the situation it is with an option to just wait or for us to change their password to something else.
We have also trained our users to never re-use the same password elsewhere as well as other fundamental security strategies.
I am not saying that this method is the best for every org, but I don't see any problem with it as a rare exception to the rule.
yummers511@reddit
Agreed. Outside of extremely rare or special circumstances, this is the only reason we would log in as a user.
Hacky_5ack@reddit
Yep
Cassie0peia@reddit
Same here. And once the employee logs in with a new password, we don’t change their password to log in as the user. If they need help with something, we remote in while they’re logged into the device.
Cpt_Koerc@reddit
Same for us with newly set up devices for new users. Otherwise never ever access a user's account (no matter on their device or on a random laptop lying around client in your office) to verify whatever might be needed for. Just do a remote session/ask for specific permission if absolutely necessary (for whatever reason I cannot fathom).
pjustmd@reddit
Never. We use tools that create and configure the profile. Completely hands off.
Rubensteezy@reddit
Your boss sounds like he showers with a helmet on.
Unless it's a brand-new account, I don't know anyone's password.
JimmySide1013@reddit
Never ever. For all the stated reasons AND it gives users the idea that it’s ok to give someone their password.
ParoxysmAttack@reddit
All day, every day. I am only admin when a task that requires escalated privileges needs to be performed. It's irresponsible otherwise.
oni06@reddit
That wasn’t the question. In this context “user” means another person not in IT.
Op isn’t asking if we daily drive an admin account.
zer04ll@reddit
Never have, never will, without a legal document indemnifying me of all responsibility for the actions of said account, and even then I will document that a password change was requested after actions were taken and the user notified. There is court precedent for this and a boss doesn't get to tell you to commit a felony…
Instead offer a setup SOP, where you log in as a user before they start and have 0 data to verify the account works as expected, and then when the user starts they change their password.
Honestly though, there is a reason why group policies exist and on-prem servers have a solid reason to exist. If your manager is asking for something other than that, they do not need to be in their position and you need to point this out.
zxvasd@reddit
I won’t log in as the user, but I might su - if they’re having login issues and I want to test the fix.
squirrel278@reddit
I’m in a federally regulated environment…..NEVER!!!!
chefnee@reddit
As my mentor would say, “That’s no bueno!” You have more chances of fucking up if you fuck with their accounts. That’s what a test user is supposed to be for.
As the kids would ask, “Would you rather…?” Think about it. The users make revenue for the company. IT is an expense. We’re allowed to mess with things, just not with their thing.
I want you to CYA on this, and pretty much on everything. The best time to deal with users is never. They only remember you when shit is down or broken! If things are running, they can care less what IT does.
EchoPhi@reddit
This is horribly written and completely inaccurate for a modern day and age. IT is not an expense, any good IT department can actually make money. We're net positive thanks to programs we have set up. Also logging into a new PC or User account is not unheard of, it should not be common practice, it does happen. All these NEVER! are most likely not even system admins.
chefnee@reddit
Who do you think the business will let go first? Seen the news lately?
Correct I’m not a systems admin. not anymore.
EchoPhi@reddit
Absolutely not us? It'd grind to a halt. If more than 3 out of 15 go on vacation at once everyone starts to panic. I guess I'm just lucky?
Or maybe we just know what we're doing and don't let people label us as "sunken cost" or "useless" and we show our value rather than pretend we're glorified button pushers?
It's what you make it I guess.
chefnee@reddit
I understand. I just wanted to know about these guys. The business is quick to blame the tech side. We get a bad rep, that's all.
Vast-Noise-3448@reddit
Only interactive logon to user account. They have to be present and accept or it's backstage.
edhands@reddit
Rarely. Usually only if there's a specific issue with their profile or unique to their login.
wanderoffroad@reddit
Never!
battmain@reddit
Multiple times per week. The off domain password change tool is finicky. Users are locked out if expired. We usually have to set a password for them after verification. Plus we have a test user account for certain instances. It's needed because user access is different than ours.
User: I AM NOT TYPING THE INCORRECT PASSWORD!
Me logging in as the user, reading reddit as it loads up...
TheGreatNico@reddit
Never. Thank you HIPAA
Jellovator@reddit
In the past decade I've done it exactly once
oldfinnn@reddit
I never log in as a user whose account is not new. Both of the potential actions are not good: 1. Ask the user for their password. We should never ask this. 2. Changing the user's password and logging in directly.
banana99999999999@reddit
We usually let the users do that lol
melshaw04@reddit
I have 3 accounts, Only user level account has remote access capabilities. The other 2 only get used in RDO or Run As scenarios.
coffee_ape@reddit
I’ll log in as the user if I’m setting up their profile. If I’m troubleshooting something that is user profile specific, I’ll ask them to log in for me. 8/10 times they’ll leave their password for me even though I tell them never to do that.
If it’s not user profile specific, I’ll log in as a local admin or as my admin account.
schmeckendeugler@reddit
Problem Solved!
tarlane1@reddit
Only new users or in extremely unusual circumstances. For example, I have a user who was having an odd calendar issue that took weeks of work with Microsoft support to resolve. After a few days of interrupting her whenever Microsoft called or emailed a new test, I verified with her that I would be logging into her OWA directly so I could validate solutions. In that case I logged in using a single-use TAP, so there were still audit logs showing I created the TAP, which could be linked to the connections.
FarJeweler9798@reddit
Never ever. I let the user log in to their own account if someone needs to test the login.
antiduh@reddit
I always log in as the user - to make sure there's an audit trail that points back to me in case the user's account does something seriously illegal.
persiusone@reddit
This makes zero sense. If you are logging in as everyone else, you are implicating yourself for anything anyone can do, because you have that level of access to begin with. Stop doing this.
antiduh@reddit
I've already had to go to trial 6 times. I guess I just have a thing for legal proceedings.
(nobody is this dense, right?)
LowAd3406@reddit
This isn't r/ShittySysadmin
FarJeweler9798@reddit
Wait what? 🤣
Pr3acher@reddit
Where I work we don't access as the user ever. We log in as ourselves to update the computer and make sure it's syncing in our system properly. Then we assign it to the user and pass it off to their manager/trainer, who provides the new employee with the login info.
thisismyusername1178@reddit
I have a test account I use so I can add/remove AD groups etc. to and from it to emulate a user almost exactly to observe processes, resolve issues, test policies, etc.
jocke92@reddit
Intune sets the primary user during the first login of a user. You can't log in with your own account, at least. But that won't require you to log in as the user.
In a big company it's worth automating all the setup that is standard
Lamel2g@reddit
Used to do it regularly when replacing a user's PC back when I was doing desktop support. This was before MFA was implemented; I would tell the user beforehand what I was doing and we would come up with a temporary password to use in the meantime.
Reinazu@reddit
I don't log in as a user whenever we deploy new machines, as setting it up is usually one of my coworker's responsibilities. But when I set up their ftp server credentials, I'll usually log in with the random generated ones just to confirm it works. Same thing with VPN access.
identicalBadger@reddit
Never at all.
beardedhelpdeskman@reddit
Really depends what I am doing. Sometimes it makes things much easier and quicker as far as setting the pc up for them. Otherwise, I sit and watch them login and wait a moment for the pc to create their profile.
While working for a transformer manufacturing company I would log in as users often for whatever reason.
Where I currently am, healthcare, I never do it.
In some weird troubleshooting project I found it was best for me to log in as the user or go through their workflow to replicate or fix an issue. Sometimes we just need time away from the user to think and troubleshoot.
machacker89@reddit
NEVER. It's a big NO NO in our organization and it's a trust/confidentiality issue.
Ice-Cream-Poop@reddit
Only on provisioning of a device with a TAP, so it's a seamless experience when they log in for the first time.
After they have started at the company, no, pretty much never, and if it's required we ask that they consult with the user (might be overseas etc.) and only once we have it in writing from the user would we do it.
In any other case we refer it to HR.
jmnugent@reddit
In a previous job I had, we did this for years, but only because back then we really didn't have a good Windows "base build" imaging system and a lot of the apps we installed needed a lot of user profile configuration (some of which could not be automated, at least not at that time).
But now with better automations and better imaging solutions, I basically never log in as the user.
Heavy_Dirt_3453@reddit
Never.
p8nflint@reddit
no, never. please do not do this.
Lynch_67816653@reddit
I sometimes have to create accounts for some web system and send it to the user, who is often in a different time zone. Logging in as them confirms that I sent the right credentials and avoids redos. I instruct the user to change their password and confirm, but it rarely happens.
Jaybone512@reddit
As anyone other than myself? Never. Nope. No f'ing way. Had one today offer to write down their password for me - nope nope nope, just hang out for 30 seconds and type it in, $user.
L0kitheliar@reddit
We always use separate accounts for anything admin related. Regular user account used for emails, slack, tickets, and all the regular employee apps like MSO365, etc. Admin account has admin console access to all of the above without user access. Then you can use your own account from a pure user perspective
Liquidretro@reddit
Make sure of what exactly?
Dabnician@reddit
Never. I use Intune to set up my and users' machines; I give them temporary access passwords to set up the credentials needed for MFA and off they go.
The only time I log in as them is when they get termed and I need to do something with the shared mailbox we converted them to.
iammortalcombat@reddit
As a security person - fucking why?
LilMeatBigYeet@reddit
Lol never, there’s no need to login as a user in our environment.
Laptop is fully built and if we need to install or configure something on it, we’ll login as local admin using LAPS.
If the user is having an issue only in his account then i’ll shoulder surf or do a screen share via zoom to check it out.
Legalize-It-Ags@reddit
We never EVER log in as another user unless it's our elevated accounts. Have you thought about moving from an on-prem/hybrid environment to a cloud-managed one like Intune? Pretty sure you can have it set up to where the employee gets everything they need based on the groups they are in. Basically, all they need to do is log in to the machine and Autopilot (integrated into Intune) starts downloading and installing all the applications they need. It really simplifies the onboarding process and makes managing devices, applications, group policy, etc. much simpler.
evantom34@reddit
Never.
haroldslackenoffer@reddit
I used to work at an extremely security-conscious company, at least at the engineering and product level. IT did their best but ultimately, especially with Windows, their options were pretty limited to effectively prepare a new laptop or to troubleshoot and do work for an existing employee on their computer. Since often the issue is related to something in the employee's account or at least requires acting like the employee, IT would set a temporary password for the employee that the employee would change when they got the laptop or computer back. Unfortunately this usually meant setting it in AD. Ugh.
u71462@reddit
Never, and no matter what platform. Signing into an employee's account, no matter if it's in pre-provisioning or not. A few exceptions depending on local laws; for us an employee's account and its data are owned by the company. Use audit and admin tools in exception with written approval by the company's Legal and Management team to access e.g. employees' files or any other kind of data.
This also depends on what you have included into the work contract NDAs and Terms of Usage.
If a user asks for support, and you have to test something, do it always with their approval, on-site or remote, and have something written or recorded for proof. And then sign into the employee's account.
ZAFJB@reddit
Nope, never. Breaks auditability and accountability.
Why are you doing that? Other than the very first time logon for a new account, you should never know a user's password.
Educate your boss.
corruptboomerang@reddit (OP)
Nah, my goal is to do my time, and get a job somewhere better.
ZAFJB@reddit
...requires that you be better.
...is not being better. Learn to talk to management if you want to move ahead.
AGsec@reddit
It's tough at smaller companies. There's limited space to move. There's no other department or other managers or team leads to get on your side. It's you and the guy above you. I've been there, and it makes it extremely difficult to push back when one guy or gal holds all the power over you.
ZAFJB@reddit
I have found it much easier in small companies.
corruptboomerang@reddit (OP)
In my case, the guy above me has been there about 20 years, actually he's one of the longest serving employees. And his old boss left shortly after I started.
I'm gently working on my new boss's boss, but it's quite delicate, especially when I get thrown under the bus for anything that goes wrong, and no credit for what I do above and beyond.
Truthfully, it's not worth the fight, odds are I'll just pack up and leave, to another job, and once I'm settled in a new job I might say something. Ultimately, I'm not paid to run the IT department, I'm paid to keep it running.
AGsec@reddit
I think I also had a record of working in shittier smaller companies. Guess it depends on your relationships too, and if you're working with a true ego maniac asshole or just someone who doesn't know their ass from their elbow. Do you still work in small companies? Now that I am more senior, I've contemplated moving to a smaller company. The red tape of large orgs is.... frustrating.
ZAFJB@reddit
Currently working at a high tech SME, about 200 people.
Relationships matter. I have known one of the owners for about 40 years, the other since company inception. They are competent, and employ highly competent people in management.
My boss is the CFO, but his technical knowledge and ability to understand new technologies puts many IT people to shame.
Downtown_Struggle_62@reddit
That's perfectly understandable - you work in the scope of your environment and management. Just be careful not to take insecure practices to new jobs with you.
I had to learn that lesson a few times myself.
Big-Industry4237@reddit
Yikes but if that’s documented then…
renderbender1@reddit
Never?
notherbielove@reddit
Not really ever! We would let the user log in as themselves (or go through VPN if they are off site as themselves) and it works great!
jess-sch@reddit
I'm a software dev but ever since the big Entra ID + Windows 11 + Intune + Autopilot migration at my workplace I'm pretty sure the answer is 'never'
Sewef@reddit
Maybe once every two or three months? When the profile has some problems, like today with that session taking 1 real hour to open.
Ullrotta@reddit
Never. Strictly forbidden. Norwegian municipality, 10k+ users.
anonymousITCoward@reddit
Never, the user calls in at first logon to verify the setup. Configurations and adjustments are made with the user present. I no longer want any part of having the ability to login with another user's credentials...
ARobertNotABob@reddit
Every day, because principal account, but then also use various privileged accounts for performing tasks.
TommyV8008@reddit
I’m not a sysadmin, but I will share a story that I think is relevant, and perhaps too familiar for some of you.
I was a consultant at a major corporation that all of you are very familiar with, and I was asked to go fix something on a top VP’s computer. I never saw him, but he had two executive assistants. One of them gave me his password and showed me his computer.
I fixed the problem and then reminded her to make sure and have him change his password right away. I certainly didn’t want to be responsible for any problems that might occur with who knows what this VP had access to.
Then ensued what seemed like a two minute discussion where I just couldn’t comprehend what the assistant was telling me. She said something like “oh no, don’t worry about it, thank you so much.” And I said oh no, you don’t understand, your IT department has policies where people can’t share passwords, I’m sure they will make sure that he changes it. But she insisted, “oh no, it’s really no problem, don’t worry about it.” I tried to describe it again from a different angle, and she said something like “oh no it’s no problem. He just goes above them and makes them change it back to his standard password.”
I was dumbfounded, first time I had ever run into such a thing. Somebody so high up in the organization that they could put things in jeopardy to that degree. Surely many people at that organization knew that social engineering is one of the most effective methods for breaking into a system. Technically at that point I was capable of logging in as this guy from other areas in their huge network. That assistant should’ve asked me to show my driver's license at the very least… I could’ve been anybody.
I immediately reported this to the project manager of the consulting group for which I was working, and our account manager. I mean… There’s actually a liability situation there, right?
Anyway, I’m sure I’m preaching to the choir here.
corruptboomerang@reddit (OP)
Dude my boss, our 'head of IT', has the 'password never expires' box ticked on his AD account, and that's the same account that's basically our SUPER USER! 😂🤣
We have a Google Doc for ALL our passwords.
Honestly, I'm just doing my time and moving on.
worklafluer@reddit
I also work for a small company. This is what I was hired into as well. Everyone's passwords are on an Excel spreadsheet and I've been asked to log in as users. This is what their IT consultant set up for them and they refuse to hear otherwise. I've at least set up MFA for them.
TommyV8008@reddit
Yes, I’ve worked for various companies, small and large, quite a few small ones. Personally, I can understand a bit more with the small companies, it’s a heck of a feat to pull yourself up by your bootstraps. Still, in some ways it’s easier to handle in a small company, so I don’t personally think there’s a good enough excuse anywhere not to have good security policies in place. Education is part of the problem. And for those with investors… I would think any VC would also be concerned and make this area a priority. But… Humans will be humans.
TommyV8008@reddit
Yeah, it amazes me that insurance companies and state and federal agencies in the US don’t have more to say about this area across the board.
It’s definitely addressed in some areas, though. Two clients that I can think of, neither of which are the one mentioned in my story, have very strict policies all the way up and down the chain. One was an insurance company subject to state regulations, and the other… well, they are a potential… target… so they had federal as well as state regulations to adhere to. I’ll just say that it was quite a feat to clear projects for deployment there.
uptimefordays@reddit
Never, it’s a violation of core security policies. If folks are using accounts other than their own, for any reason, you’ve undermined nonrepudiation.
Amnesiaphant@reddit
Not part of my job to do the task the user is supposed to do.
If your boss insists on triple checking then it would be interesting to find out why he's so paranoid about small shit like that.
corruptboomerang@reddit (OP)
"Looks unprofessional" meanwhile doesn't want a user creation script so we (I) can't make mistakes. He's that 'I've been here for 20 years' type.
Frisnfruitig@reddit
Manually creating every single user? Sounds like a nightmare.
corruptboomerang@reddit (OP)
I mean, I get paid by the hour... 😂🤣
Angelworks42@reddit
You know the problem with doing all that by hand is I guarantee there are accounts on your domain that are active but shouldn't be because of that one time HR didn't tell you that someone left - even in an 80 person org.
AudiACar@reddit
I FEEL THIS IN MY SOUL. I wish we could go deeper into automation but man - I'm just a one (two) man army.
Frisnfruitig@reddit
Just use a script and sit back, that idiot boss of yours won't notice
BitteringAgent@reddit
Wait a second. He doesn't want a script because he thinks fewer mistakes will happen if you manually do something!? I built a script for the complete opposite to happen. I made it so stupid simple that the only text you input is the person's first and last name. After that you're only hitting y/n or selecting from options using 1....9 or whatever.
way__north@reddit
My experience is that scripting beats manual work 99.99% of the time when it comes to accuracy and consistency.
corruptboomerang@reddit (OP)
Yeah, I've been slowly putting one together to do the same on the down low. Only mine will also pull from a CSV, because we sometimes need to create 15-20 new users at a time.
I already made one to install all the programs and add the device to AD etc.
BitteringAgent@reddit
Ours matches the name with a SharePoint list that stores the data of the new hire from a form HR submits to kick off a new employee on-boarding ticket. Same thing goes for off-boarding.
AGsec@reddit
Yes, those kinds of people exist. I've met senior IT people who vehemently believe that scripting or automation is dangerous and that it leads to errors that no one catches. I've also met people who think open source = able to be hacked. They like their black boxes and drag and drop gui and they don't venture farther than a bat file to move files around.
Amnesiaphant@reddit
Sounds more like insecurity and lack of knowledge/trust in your skills than "unprofessional".
How are you supposed to grow as a technician if he's not putting trust into your abilities, nor your skill to navigate the company out of failure...
TEverettReynolds@reddit
New employees get logged in by the HD to finish the SW and APP installs, then flag the PW to change on the next login and walk the user through logging in, changing the password, and everything else.
woolph42@reddit
I'm always a user, using the tier system, so we always have the user experience and have to elevate for admin rights.
skavenger0@reddit
Never
acomputertech2@reddit
Very rarely. If a user has a more technical issue I will remove MFA temporarily and login as them to troubleshoot, then reinstall MFA. Other than that I will login as the user for the initial profile setup and subscription software logins.
h00ty@reddit
I manage over 800 end-user devices worldwide with a team consisting of three helpdesk technicians, one system administrator (me), one cloud engineer, and an IT Operations Manager. Our team typically only logs in to set up devices for C-level executives. Passwords are fully automated for all other users, and only HR sees those. Once users receive their devices, they follow the provided directions. Their first point of contact for assistance is their manager, with the helpdesk serving as their secondary point of support. Using Intune and PDQ Connect, the time it takes for the user to log into their device to be fully operational is approximately one hour, depending on internet speed.
barneyrubble43@reddit
Never. Massive privacy breach.
BROMETH3U5@reddit
laughs in Activtrak
apathyzeal@reddit
> He then said, even if I change someone's password through AD, I should login as them 'to make sure'
Hard no. I'm all about verifying your own work but this creates auditing problems. If it's a new employee and they haven't started yet I could maybe see an argument for it, but otherwise, have the user login while you're still there to see.
admlshake@reddit
I've done it a handful of times to do some troubleshooting. Like in 20 years I can think of 4 times I've had to do it. I immediately had them reset it afterwards.
rynoxmj@reddit
Ya, this is it. Never is the default answer, but there are some rare occasions, but the account is set to reset password at next logon. I've had users tell our support techs their password in the past for whatever reason, that also prompts an immediate reset. No one should ever know someone else's password, even IT. If I need to get into your account I have the tools to do that.
ravigehlot@reddit
Never
SuperCerealShoggoth@reddit
Never.
If we ever need to test something such as permissions, we create a test account and add to the same groups/OU.
DarkXTC@reddit
Depends on the context. For most stuff (logins to software I deployed, nextcloud accounts that are needed on short notice etc) I like to login once to verify that it works. I had the situation before that I did something wrong creating accounts and that's a bit embarrassing. After the initial creation? You better change your PW so I can't login to your account anymore
gwig9@reddit
Only with a new user or when needing to install something on their specific user profile.
HealthySurgeon@reddit
Never. It's best practice to never log in as the user.
If there's issues, then that user can call the helpdesk and get sorted out when they start, and if there are issues, they should be noted and fixed, so there aren't any more in the future.
All this is very possible without ever logging in as the user (as I'm sure you know based on your post)
Good security doesn't depend on person to person trust.
GullibleDetective@reddit
Every day, only elevate as admin as needed
UNKN@reddit
Part of our acceptable use is we aren't supposed to share/know another user's password, this goes for everyone. Even if it wasn't and someone told me to do it there's no way, I will take the new machine and hold the new user's hand to make sure everything was set up for them before I log into their account.
bushmaster2000@reddit
On cloud stuff, anytime I make a new account, just to check my work so if they call me back to say they can't login, I know the problem is between the keyboard and the chair and not my work.
But domain wise, almost never. It's policy to not share passwords so we could only login if we changed their password first, then have to explain why we did that. It's not worth all the hassle unless it's an emergency.
nascentt@reddit
The only time I or anyone I've worked with would login as a user, is before handing over the account for a new joiner.
And even then it's a rare situation.
pwnzorder@reddit
Never.
fourpuns@reddit
Rarely. For execs we used to but now we just do pre provisioning/Autopilot. It’s not quite as white glove as what they used to get but still quite solid.
I’ll say our execs very obviously share their passwords with their exec assistant and we just ignore it despite being against policy.
Other than that very rarely when troubleshooting I have reset a users password and tried things as them. Maybe a dozen times over a decade for that purpose in an org probably about 20x yours in size.
catherder9000@reddit
Once the system is deployed, never. During setup, we use the user's email/pw to finalize the workstation (a few apps), then log out and set the account to "require pw change at next logon".
Dopeaz@reddit
When I set up a user, I really set them up. I assume everyone is a fucking idiot and get their emails configured properly with properly formatted and accurate signatures, the approved default document templates are loaded and paths to the document management are set already and default.
Third party software needs a few seconds of customization that I've yet to figure out how to automate. I go through the bullshit of logging in to products once to get rid of superfluous pop-ups or final setup.
All my user manuals are screenshots of the exact environment for that department.
Sounds tedious, but it really streamlines onboarding and nobody can claim they didn't have all the tools they needed to be a productive drone
Recalcitrant-wino@reddit
In my role? Never. I think HD does pretty often.
ordinatoous@reddit
WTF!!! NEVER!! I'm working in a hospital, so you guess. NEVER, NEVER, NEVER.
Wooden_Newspaper_386@reddit
I haven't had to do that in years, but when I did it was only for setting up new laptops or replacement laptops.
For new users and laptops we'd create the password, do everything we needed to and then set it to require a reset on the next login. If we had to replace the laptop we'd inform the user that we're creating a temporary password, give them the temp password, and then once setup was all done set the password to reset on the next login.
Looking back on it at no point did we ever need to ask for someone's password. If we needed to login as them for any reason we'd either have them login themselves or go the temp password route.
fdeyso@reddit
Have a testuser account, if that works it should work for the user as long as they’re connected.
reddit_username2021@reddit
It makes sense to log in as the user to create a profile before you send the laptop to a remote employee. This way the user will be able to log in even without an internet connection. It may save some frustration as connecting to VPN on the Windows login screen may be hard for a non-technical user.
lelio98@reddit
Never. If I am able to login as a user, then I can be blamed for anything that user does.
iamLisppy@reddit
Only new employees.
iggy6677@reddit
New employees, I'll do basic setup and then give them a temp password
Existing employees, unless they're next to me I'm not touching their accounts.
Employees who left: if management needs important.xlsx I'll go look, but normally they get put to cold storage after 30 days.
tk-093@reddit
Never. We use autopilot so when they log in the first time their machine is "built."
CaptainZhon@reddit
Every day. Login as a user account and have to check out an admin account with PAM.
ExpressDevelopment41@reddit
I used to for onboarding and refreshes. There are better ways to do it, but at that point in my career I only had read access to the SOP.
It's easy to say you should never do this, and you shouldn't when better solutions are available, but every business is different and best practice isn't one-size-fits-all.
Key-Trainer9381@reddit
Never. I don’t think it ever happened as a matter of fact. If I have their login credentials the chain of trust is broken.
Macman1223@reddit
Very rarely on shared Linux systems to test user-reported issues with login shells, etc. Never on an endpoint.
squeakstar@reddit
Never. Either make a dummy account with same permissions or use your own
ThatNutanixGuy@reddit
This^ every company I’ve worked at, the helpdesk in particular always has name.test accounts set up to mimic users. Hell, even as systems engineers and network engineers we had them too for similar reasons. If it’s truly an issue with the user account itself and is determined to be that, remoting in or just walking over does the trick.
Outrageous-Insect703@reddit
I do this as needed. Sometimes someone says their account is not working, I'll do a screen share with them sharing my screen then asking for login and password - then I can verify if there is an issue. Users at times are click happy or quick to input incorrect passwords etc. Other apps have a "login as" option which is useful for me to test something before letting the user know it's resolved.
Rolex_throwaway@reddit
That’s terrible practice, you should never do that. You should have an account with the same privileges that you can use, but you shouldn’t be logging in as the user. Your main account shouldn’t be privileged, so logging in with it should work just fine. If your main account is privileged, you’ve got some big problems.
deefop@reddit
Pretty big org, and we no longer do anything like that. We're moving to passwordless, and things like temporary access passes can obviate the need to break the rules.
tankerkiller125real@reddit
Never, we use Autopilot for device setup, we don't even go through the OOBE, the user does that.
For day to day support I'll remote in with the user there. But I'll never actively login as them.
AlissonHarlan@reddit
I did it all the time when I configured user computers, we had no AD. Years later I still remember some of their passwords lol
maxsmoke105@reddit
As a sysadmin we never log in as a user. User creation is scripted by pulling data from the system of record. Based on fields such as title, department and location, the new account is added to security groups and email distribution lists. Logging in as an existing user violates our compliance standards.
We have a specific naming convention for test users. If we must log in with a specific set of security values we create a test user by adding that test user to the input variable for the user creation script. We complete testing with that account and then follow the process for account termination. The entire process is documented from start to finish.
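The scripted onboarding that BitteringAgent, corruptboomerang and maxsmoke105 describe above (CSV or system-of-record input, group membership derived from department, a test-user naming convention, and never needing to log in as the new person), written out as an added example that is not any commenter's own script. It assumes the RSAT ActiveDirectory module; the CSV columns, OU path, UPN suffix, group names and the `tst-` prefix are constructed placeholders.

```powershell
# Added example, not from any commenter. Creates AD users from an HR CSV
# with a random password the admin never sees or stores, flags the account
# to change it at first logon, and adds groups by department. Assumes the
# RSAT ActiveDirectory module. OU, UPN suffix, groups and CSV columns
# (FirstName,LastName,Title,Department,Office) are placeholders.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [string] $CsvPath,
    [string] $TargetOU  = 'OU=Staff,DC=example,DC=local',   # placeholder
    [string] $UpnSuffix = 'example.local',                  # placeholder
    [switch] $TestAccount,   # constructed convention: tst- prefix, no mail lists
    [switch] $DryRun
)

# Constructed mapping: department -> security groups (GRP-) and mail lists (DL-).
$DepartmentGroups = @{
    'Finance' = @('GRP-Finance-Users', 'DL-Finance')
    'Sales'   = @('GRP-Sales-Users',   'DL-Sales')
    'IT'      = @('GRP-IT-Users')
}
$BaselineGroups = @('GRP-All-Staff', 'DL-Everyone')

function New-RandomPassword {
    param([int] $Length = 24)
    # 64-character alphabet (ambiguous glyphs removed) so byte % 64 has no
    # modulo bias; bytes come from the platform CSPRNG. The value is used
    # once for New-ADUser and is never written to disk or displayed.
    $alphabet = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Get-UniqueSamAccountName {
    param([string] $First, [string] $Last, [switch] $Test)
    # first initial + surname, ASCII alphanumerics only, lower case,
    # trimmed to leave room for a collision suffix within the 20-char limit.
    $base = (($First.Substring(0, 1) + $Last) -replace '[^a-zA-Z0-9]', '').ToLower()
    if ($Test) { $base = 'tst-' + $base }
    if ($base.Length -gt 18) { $base = $base.Substring(0, 18) }
    $candidate = $base
    $n = 1
    while (Get-ADUser -Filter "SamAccountName -eq '$candidate'") {
        $candidate = "$base$n"
        $n++
    }
    return $candidate
}

foreach ($row in Import-Csv -Path $CsvPath) {
    $sam = Get-UniqueSamAccountName -First $row.FirstName -Last $row.LastName -Test:$TestAccount
    $upn = "$sam@$UpnSuffix"

    $groups = @($BaselineGroups)
    if ($DepartmentGroups.ContainsKey($row.Department)) {
        $groups += $DepartmentGroups[$row.Department]
    } else {
        Write-Warning "${sam}: unknown department '$($row.Department)', baseline groups only"
    }
    # Test accounts mimic permissions, not mail flow: skip distribution lists.
    if ($TestAccount) { $groups = $groups | Where-Object { $_ -notlike 'DL-*' } }

    if ($DryRun) {
        Write-Host "[dry-run] $upn in $TargetOU -> $($groups -join ', ')"
        continue
    }

    $secure = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    New-ADUser -Name "$($row.FirstName) $($row.LastName)" `
        -GivenName $row.FirstName -Surname $row.LastName `
        -SamAccountName $sam -UserPrincipalName $upn `
        -Title $row.Title -Department $row.Department -Office $row.Office `
        -Path $TargetOU -AccountPassword $secure `
        -Enabled $true -ChangePasswordAtLogon $true
    foreach ($g in $groups) { Add-ADGroupMember -Identity $g -Members $sam }

    # Nothing here required knowing or typing the user's password at a
    # workstation; they set their own at first logon (or via a TAP/SSPR).
    Write-Host "Created $upn; password change forced at next logon"
}
```

Run with `-DryRun` first to review the group assignments the CSV would produce; test accounts created with `-TestAccount` should then go through the same termination process as real ones.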
ZaetaThe_@reddit
I have a user test account; the ideal setup is to always log in as a user and have to elevate to local admin and to almost NEVER login as a DA
Hotdog453@reddit
I assume this happens a ton at most orgs. For those who think it could 'never, ever happen at my org, where I am in InfoSec, and gaze upon you with disdain', I'd suggest you visit your support staff for a few days/weeks, in disguise, and see what they actually do. Policy or not, I'd wager *most* orgs do it.
ZAFJB@reddit
most BAD orgs do it.
Hotdog453@reddit
Well, my contention is even if 'support teams are told not to', people are going to do it. Policy is one thing. "Actually doing it" is another.
Downtown_Struggle_62@reddit
That's what they said, yeah.
SirLoremIpsum@reddit
Zero percent of the time.
Always with user there and always have them enter password.
Yes even new users.
PurpleAd3935@reddit
Never lol, all my things are logged as admin. I am not doing their job, if they have an issue they can cry to me. Just say yes to your manager and do whatever you want, it's just corporate things, they have no clue.
6Saint6Cyber6@reddit
Never. And if they send me their password or tell it to me over the phone, I expire it immediately and make them change it. If someone else brings their device to the help desk and logs that user in, the password is expired and whoever brought the device in is instructed to take it back to the user and have them bring it in or call for an in office appointment. Passwords are like underwear, not for sharing ever.
SceneDifferent1041@reddit
I try where possible to make my workstation in line with user experiences. Can't 100% but same filtering and update policy. This way if it annoys me, I'll fix it.
h00ty@reddit
I don’t approach tasks the same way they do, as my work is quite different from theirs. My users’ experience is also significantly different. However, I do have a test machine and a test account that mirrors their setup.
PrlyGOTaPinchIN@reddit
Never once unless approved and checking licensing issues.
I’ve got a process setting PWs to 35 characters after creation and we use TAPs to set up windows Hello For Business AND YubiKey. I work at a large enterprise and don’t have an ‘end user’ that knows their password.
Turbulent-Pea-8826@reddit
I am not sure which one you mean.
As another user? Never.
As a user myself for day to day - yes, all the time. I have to elevate my privileges as admin.
Millkstake@reddit
Only when setting up a user's new computer/new profile. Probably not best practice, but it makes setting up a profile so much easier as you can get all their applications installed and configured before placing the PC/laptop. I typically instantly forget their password anyway.
BigBobFro@reddit
Never ever never. Period.
If you ever do this for a user, and they get actioned on based on an IT audit of activities... this can get them off AND potentially put you in the crosshairs.
Never ever never do this.
If your boss says to do it, get it in writing each time to cover your own butt.
way__north@reddit
Actually had to do this around 20 minutes ago, new device, new user - but some old 'special' software.
This was an exception, I never do this normally, and logging in as existing users is an even bigger no-no.
Otherwise, GPO + other settings take care of the profile settings, Outlook autoconfigures itself, and for the eventual missing 1%, the user's manager can help them sort it out.
DariusWolfe@reddit
Me? Literally never.
Our service desk does it for new hires with assigned equipment to set things up, but they do it before they set the password to change on first login. They go through the login procedures with the new employee to ensure the password is changed unless they're remote; that's the only situation where the computer ever leaves the IT office with a password known by IT.
Moyer1666@reddit
Never
GhostDan@reddit
If you are using Azure/EntraID, you should be, if you absolutely need to impersonate a user, using Temporary Access Passes.
They are time limited, can be one time use, and don't require password resets. You should still let your active user know, since the next login while the TAP is still active may ask for a Temporary Access Pass instead of a password and get confusing.
wezelboy@reddit
Never. Full stop.
bobowork@reddit
Occasionally, but it's a Linux house so it's simpler to do su.
If it's not something that can be checked in terminal, the user is involved.
djscreeling@reddit
Never. They put in an email/ticket for a password change. I click reset. They go about their day. IF for some reason it doesn't work I walk over with a laptop, hit the button again and see which PEBKAC issue it is. If it's not them then I duplicate the user object for analysis, I pull up the password change in AD and have them enter it in there. Then I go solve the issue as to why the password reset isn't working.
Soon I won't even have to click reset, but there are some legacy systems I am desperately trying to moonlight but the executives like to use them "because it's always been done that way."
BuffaloRedshark@reddit
Never
Payne710@reddit
Never.
Flaky-Celebration-79@reddit
If I need to do diagnosis on a system as the logged in user, I call them and inform them I'm changing the password to something we both know... as soon as I finish I check the box in AD "user must change password at next login".
Proper_Bad_1588@reddit
I am the admin for around 100 users and never log in with an actual user account. I have a test user with ordinary permissions I use occasionally to test out scenarios, but never an actual user account.
EchoPhi@reddit
Not horribly uncommon if they need special programs, or you all pin/bookmark certain items that are department dependent. I mean scripting, Intune, etc. yeah, but not everyone can afford/know how to do that. If we log in as a user we change their password to something crazy long from some random password generator, make changes, log out, and then set force PW reset at next log in. We'll input the crazy password and walk away/sign out of remote session.
Any_Particular_Day@reddit
Only when setting up a user. Create account, log in as them and run through the stuff they’ll need on day one. Then logout, reset password to a random string and turn on the change password on logon option and enable their MFA. Probably more white glove than many would do, but the first day is hectic enough without having to deal with account issues.
Automatic_Mulberry@reddit
Zero times in the last twenty years or so. It would be a policy violation for me to know their password.
rb3po@reddit
I’m not saying you should, but you can use TAP (temporary access password) in Intune policies.
The only reason why this should be used is if an employee has an issue with their MFA, and needs to get in.
Otherwise, ya, do the configuration with PowerShell or XML.
unscanable@reddit
I don't. We used to for new users before MFA was a thing but it's just too much of a hassle now. Of course our process is pretty streamlined so we are fairly confident in the process. Anything weird can be handled after the user logs in.
binaryhextechdude@reddit
I was almost going to say zero percent of the time but then I remembered there was an exception.
Go to Google maps and look up Eucla, Western Australia. It's a tiny town on the border between Western Australia and South Australia and my government department puts staff there to man the border checkpoint. They have a 0.5Mb internet link and we were rolling out not only new hardware but also a new managed image.
The team that was driving between sites was in Esperance, WA deploying laptops to staff there and they logged into the devices destined for Eucla as the users so they could download their emails, do updates etc. etc. because the link in Eucla just couldn't cope with the load.
Then they drove the 910km or 565 miles to drop off the new devices before heading back to Perth.
In that situation I think it's justifiable to log in as the user. Not in an office environment in a big city with a massive internet pipe into the building.
dav3n@reddit
Pre MFA a fair bit if I was setting up a service for a new user, these days it would only be for investigation purposes or if I had to set up a throwaway travel account to a high risk area.
Affectionate-Grab510@reddit
Whenever I need to set up something.
I_turned_it_off@reddit
When I first set them up on the system, prior to them actually starting.
After that, never.
If the user is having issues, I might sit at their shoulder while they walk me through it, though most often it's a remote view with our various management and assistance tools depending on how they are connecting, and where their issue is.
Big-Penalty-6897@reddit
Every time I configure a new or replacement machine. I know it works before the user sees it.
firedocter@reddit
The correct answer is never.
Convenience and greed can be a powerful motivator to disregard best practice.
I used to work helpdesk for a law firm. Every hour the lawyers would spend doing non-billable work was losing the company money. You better believe the company would rather waste my time than theirs on things like migrating Chrome bookmarks. Best case I would have their paralegal do it, but even then, I was walking them through the process.
ol_lukey@reddit
Make a test standard user for yourself and log in. If that works, it will work for the user in the same group.
TehZiiM@reddit
Never
TKInstinct@reddit
At most at first login for software installations when they are being onboarded, otherwise never.
anus_pear@reddit
The way my company does it is worse: we ask the user to send us their password and I login for them. Not secure but no one wants to travel to the office to set up their device and I’m not allowed to do it any other way.
Hotshot55@reddit
Wow this is even worse.
Hotshot55@reddit
There is never a reason that you should be logging in as the user. If you need the user to login, the user can be there for it.
dlongwing@reddit
During initial device configuration before handing it to the employee. We "Make sure" that everything is in place and ready to go for them on their first day.
After that, we don't know their password any more (they reset it on Day 1). Admins shouldn't know user passwords. Full stop.
That's not just about security either, it's about CYA. If you know user passwords, you can get blamed (however improbable) for user actions. Good password hygiene is about chain-of-evidence for user behavior, not just about protecting systems from external bad actors.
therealRustyZA@reddit
Only when configuring a new user. Otherwise I always use my own one with admin rights.
freedoomed@reddit
In my current position, not at all. We have smart card login so we can't. At my last job, only when setting up a new computer, followed by a password reset and "prompt to change" checked. That job when I started had a spreadsheet with everyone's password, no MFA, no SSPR and an old domain controller that was only used for computer logins and DNS. Everything else was on O365. I got them on a serverless Azure/O365 setup. They were small enough that I didn't see the need for even a virtual server.
Sure_Research_6455@reddit
Never, not once. I have zero knowledge of any user passwords. We are MOSTLY self hosted, and every password is salted / stored hashed.
NothingToAddHere123@reddit
It's not rocket science... go into AD and do a copy of that user and sign in.
AccommodatingSkylab@reddit
Never. It's against our security policy and will result in suspension if not termination of employment if done. If a client shares a user's password with us, it's immediately changed and sign-in blocked until the end user is contacted and logs back in.
We have clients fight back against it (I work at an MSP), and we work with them to find other ways to do what they want, such as scheduling onboarding calls with the new employee and ensuring that they can sign in with the password that they have.
freedomispopular08@reddit
At my current company, it's pretty standard to have users leave their password on a post-it for us so we can log in to troubleshoot issues. No, that's not how I'd be doing it if it was up to me.
Arklelinuke@reddit
Never, unless setting up a fully remote user that can't make it into a branch for their first day for some reason. Even then, it's usually easier to have them call in and I login to VPN before Windows logon so they can use the temp password upon login and set their new one.
bobs143@reddit
Only new users and that is to only finalize the set up of their laptop.
GhoastTypist@reddit
If we deploy systems that are meant for use off our main networks, we do sign into the devices before they leave the property.
That way no one gets home with their laptop and can't pull the user profile.
vabello@reddit
New users who are remote just connect to the VPN from the login screen which then logs into the domain and creates their profile from the default, applies any settings and scripts via Group Policy and/or Intune. Needed software is often just pushed via Intune. I’m working on getting all of our policies and environment working strictly with Intune and Entra Joined machines so that we can just use Autopilot and have machines sent from the manufacturer directly to the end user.
GhoastTypist@reddit
That's where a lot of us are heading, but not all have made the jump to Intune yet. I am loving it, makes managing systems a lot easier.
But yeah, the old school on-prem way depends on VPN setup. If the VPN is per user and they have to have an account on the computer to set up the VPN, how do you go about them connecting to VPN so they can pull the user profile, if the VPN only gets added once the profile exists? That situation is a loop. Some environments are designed that way.
vabello@reddit
If it’s a domain joined machine, the machine is imaged with the VPN software. If it’s AAD joined, the user just logs in with their Entra ID and the VPN software will be pushed down after they login.
donnaber06@reddit
Anytime you reset a password, they should be required to change it. No one but the user should know its credentials. That is a big no-no in the infosec industry.
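The reset-then-force-change step that this and several other replies describe, as an added PowerShell example that is not code from anyone in the thread. It assumes the ActiveDirectory RSAT module, a caller with delegated password-reset rights, and a constructed sAMAccountName; the temporary value is generated from a cryptographic RNG and the admin only ever relays it once, because the user is forced to replace it at first logon:

```powershell
# Added example (not from the thread): reset an AD user's password to a random
# temporary value and require a change at next logon, so the only person who
# ever knows the working password is the user. Assumes the ActiveDirectory
# RSAT module and delegated reset rights on the target account.
Import-Module ActiveDirectory

function Reset-UserPasswordForHandover {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $Length = 20
    )

    # Unambiguous alphabet (no 0/O, 1/l/I) so it can be read out over the phone.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*+-=?@'

    # Draw from a cryptographic RNG with rejection sampling to avoid modulo bias.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)
    $chars = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $plain  = -join $chars
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    # -Reset sets the password administratively (no old password needed).
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure

    # Force the user to choose their own password at first logon; clear any
    # lockout left over from earlier failed attempts.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    Unlock-ADAccount -Identity $SamAccountName

    # Audit record for the ticket: who reset what and when, never the value.
    # pwdLastSet = 0 is how AD represents "must change password at next logon".
    $user = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet
    [pscustomobject]@{
        User       = $SamAccountName
        MustChange = ($user.pwdLastSet -eq 0)
        ResetBy    = $env:USERNAME
        ResetAt    = (Get-Date).ToString('o')
    } | Format-List | Out-String | Write-Information -InformationAction Continue

    # Relay this to the user over a verified channel; do not paste it into the ticket.
    return $plain
}

# Usage (constructed account name):
# $temp = Reset-UserPasswordForHandover -SamAccountName 'new.starter'
```

The function deliberately returns the temporary password only to the caller and writes an audit record that excludes it, so the ticketing system records that a reset happened without ever holding a usable credential.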
AwesomeXav@reddit
Only immediate use case I can think of is if you need to cache the creds for a remote user that works through VPN on a domain PC.
vabello@reddit
We just allow VPN from the login screen to take care of this.
InternalCultural447@reddit
What VPN do you use? I couldn't get the Windows VPN configuration to work in our environment, although I only looked at it for half a day because it was an urgent replacement, and ended up just asking them to call me when they got it so I could do the roundabout way of caching their domain credentials.
vabello@reddit
I’ve done this with both Cisco AnyConnect and Fortinet FortiClient. I know others support it as well.
frac6969@reddit
Never. We have some stuff that has to be set as the user, but we leave a note for the user to contact us when they login for the first time then we’ll set those up.
Valheru78@reddit
Never, we have a policy that at first login you have to change your password so as admins we cannot login to their profile.
FluxMango@reddit
If the user has already logged on even once, I wouldn't. I would have them reset their password. Use self-service if it is available.
corruptboomerang@reddit (OP)
It'd not be so bad if it's just the receptionist or something. But like directors and the accountants... 😂 🤣
s_schadenfreude@reddit
When I worked in smaller shops, all too often. These days... never. Too much of a liability, and takes too much time when those types of things can be automated.
mcdade@reddit
WTF? Your boss is an idiot. There is no reason for you or anyone else to login as another user. If he wants management of devices deploy an MDM solution and push setup policies. End of discussion.
AGsec@reddit
It's tough at a small company, because they expect this kind of behavior. I'd definitely suggest that you try to approach this with a "cattle, not pets" mentality. Do plenty of validation testing to make sure your device deployment works as expected. If he still asks you to do it, well, you gotta do what you gotta do, but adopt that mentality because it will stifle you. Do it to placate him, but treat it more like a show at the end of your work to appease someone, not the final say.
stephenph@reddit
Why would you need to "test" the account? Possibly during a specific users custom account setup you might login as user to set some stuff up, but the password is immediately changed and the user will need to set a new password. Even in this case there are usually going to be ways to do it without the login.
Bulk / normal account setup is all done through policy and/or automation, no need to "test" an individual login or account. And especially for just a password reset.
corruptboomerang@reddit (OP)
He wants it, just as standard practice... 😂 🤣
Frankly, he's an idiot. I feel like he's kinda that last man standing: the previous actual IT guy left, he got promoted, has no idea, but hires someone who effectively does all the real IT work.
He's very good at taking credit and delegating EVERYTHING.
banannie70@reddit
Never. I am a big fan of testing things when required, but there is no need to test someone's password for them. Either they get logged on, or they don't, and you have to do another reset.
vabello@reddit
I don’t. If everything is designed right, the expectation and experience should be the same for every user. If we start logging in as other people, accountability is lost and fingers could be pointed at IT.
Expensive_Plant_9530@reddit
Make sure of what?
I only login as the user if there’s some specific need (eg: software that needs to be configured on the user level), and usually I’ll just do it after the user themselves has logged in.
corruptboomerang@reddit (OP)
Yeah... You know, to make sure it works, their password is what it's supposed to be... 😂 🤣
Who the fuck knows. I'm just the worker bee...
dragonmermaid4@reddit
Too often. At the moment we've been doing that when enrolling new laptops for existing users or laptops for new starters but I'm trying to change that. I tried using TAP but for some reason it didn't work when enrolling but it may have just been an issue on that one device so next time I set up a laptop I'll give it another go.
skipITjob@reddit
TAP is for Entra ID only. If you're hybrid or AD only, it will not work.
dragonmermaid4@reddit
We are Entra only now. Was AD until we started migration at the start of 2024 and since then have enrolled all devices straight into Entra.
It was allowing me to enter in the TAP but it said it was blocked due to User Credential Policy, though when I tested it with another user just normally (not enrolling a device but just logging in to their account for another purpose) it worked fine.
I'll test it again soon when we get another starter as we will be having one soon so I'll be able to check if it was simply a temporary issue or not.
skipITjob@reddit
Less than 100 users.
Only when we're setting up a new device. We ask them to log in on the new device, and we set a generic PIN, then set up their apps, make sure everything is synced, once the devices are swapped, we ask them to reset the PIN.
The process is logged in the ticketing system.
anderson01832@reddit
When I set up a machine for a new user, I log in as the user to make sure everything is working properly to avoid any delays when the user comes in for the IT onboarding.
Oscillating_Horse@reddit
We used to do white glove provisioning where an on-site engineer would log on, install relevant software and run some post-build scripts to configure settings, but we’ve since shifted to shipping devices directly to users so they do first logon and it’s up to them to install what they need. It’s a culture shift for the end users but it’s been working well for us and allows us to scale more quickly for large intakes of staff.
caffeine-junkie@reddit
If I need to test something, I use my regular account. There is zero need to log in as someone else in most situations; the only exception I can think of offhand is if you're using on-prem AD and you're shipping them a laptop as they are remote.
vandon@reddit
Only a new account if we're trying to copy someone else with non-standard groups and permissions.
Once they've logged in once, only ever with their permission and them there or after clicking the ok button on remote help
TrippTrappTrinn@reddit
No, never. Have never done it, and it would be against strict company policy. If needed, the user logs in, and we then do what is needed.
jrhop@reddit
We do but only for new users. We create a generic random password with a Temporary Access Pass and login to confirm that all programs are working as expected. Get their email profile imported. Other programs that require a user password setup like Adobe products we make sure they are installed and the email invitation has been set. When the employee is onboarded we spend 15 to 30 minutes with them one on one. This allows us to speak briefly and build some rapport with them.
Usually it includes the basic things:
- Introduction
- Issue the laptop
- Discuss what is installed
- Have them login (upon login, forces user to change their password)
- Setup of MFA
- Help them get signed into apps like Adobe
- Basics about the phone system
- Talk about the ways to get IT help when needed
Anything other than when it is new user setup prior to them starting is always a remote session.
eulynn34@reddit
When I first set up a computer for someone before I hand it over, I sign in as them to set some stuff up, but after that happens? No. The user has to set a new password and that's that. If they need help, I join in on their session while they are using the computer with Windows Remote Assistance or Quick Assist.
dreniarb@reddit
Not ideally, but sometimes you have to do things as the user. An app needs to be tested or settings need to be set.
I'd prefer shadowing the user after they've already logged in, but there are times when the user isn't available or doing it after hours is more convenient. In those cases, with the user's knowledge, I'll change their password so I can log in as them. I tell them what the password is and when I'm done I set their account to change the password at next login.
Some people might tell the user to just lock the computer when they leave and they might do this:
psexec -i -s taskmgr
Some people might.
Your boss's thoughts on "making sure the password is right" are ridiculous. Freaking type the password in Notepad, then copy and paste it into the password field. There: you know what it is and that it's right.
Helpjuice@reddit
You should never ever be logging in as the user. There is no reason for you to be doing this. If a user has an issue they can login as themselves and you can offer remote or in-person support. Not doing this is a massive critical violation of accountability.
chcItAdmin@reddit
Twenty-five years ago it was accepted, but over time our policies and procedures have been updated to the point that the mere suspicion that someone else knows your password requires it to be reset. Much less allowing a user to give it to someone else... even IT.
With that said... our training website allows us to "login as a user" via our admin accounts, but we can do that without the need to know their password and ofc, it's all logged. Our EHR is somewhat similar in that users that have been assigned delegate privileges are able to sign as their supervising provider, but again the audit trail is going to show the sig was on behalf of the provider.
zakabog@reddit
Pretty much daily. We're a Linux environment, so whenever a user has an issue running a command we'll check permissions by switching to that user and trying the same thing. Or in the few instances when we set up a Windows laptop I'll usually log in as the user to finish setting up their desktop and removing all the crap Microsoft automatically installs when you create a new user account.
RiceeeChrispies@reddit
Never.
You should have it all nailed down in your endpoint management solution, through policies deployed at pre-provision or user provision stage. You then go through it with them during handover. Easy to achieve, irrespective of company size.
The closest I get to anything around user auth is generating a Temporary Access Pass for users to web sign-in and enrol into WHfB for MFA.
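The Temporary Access Pass route that this reply and jrhop's onboarding post rely on, as an added PowerShell example that is not code from either poster. It assumes the Microsoft.Graph PowerShell SDK, a tenant where the TAP authentication-method policy is enabled for the target user, the UserAuthenticationMethod.ReadWrite.All permission for the caller, and a constructed user principal name; the pass is single-use and short-lived, so nothing the admin hands over remains valid after the user's first sign-in:

```powershell
# Added example (not from the thread): issue a one-time, short-lived Temporary
# Access Pass (TAP) in Entra ID so a new user performs their own first sign-in
# and MFA / Windows Hello for Business enrolment. No password is ever shared
# with IT. Assumes the Microsoft.Graph SDK and the TAP policy being enabled.
Import-Module Microsoft.Graph.Identity.SignIns

function New-OnboardingTap {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [int] $LifetimeMinutes = 60     # keep the window short; it expires unused
    )

    # Least-privilege scope for creating authentication methods for other users.
    Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome

    # IsUsableOnce: the pass is consumed by the first successful sign-in, so a
    # value overheard during handover cannot be replayed later.
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod `
        -UserId $UserPrincipalName `
        -LifetimeInMinutes $LifetimeMinutes `
        -IsUsableOnce:$true

    # Audit record for the ticket: who issued it, to whom, for how long.
    # The pass value itself is intentionally not included.
    [pscustomobject]@{
        User       = $UserPrincipalName
        MethodId   = $tap.Id
        Starts     = $tap.StartDateTime
        Minutes    = $tap.LifetimeInMinutes
        UsableOnce = $tap.IsUsableOnce
        IssuedBy   = (Get-MgContext).Account
    } | Format-List | Out-String | Write-Information -InformationAction Continue

    # Relay this to the user over a verified channel (call, in person).
    return $tap.TemporaryAccessPass
}

# Usage (constructed UPN):
# $pass = New-OnboardingTap -UserPrincipalName 'new.starter@example.com' -LifetimeMinutes 30
```

If the user does not complete enrolment inside the window, the pass simply lapses and a new one is issued; there is no standing credential to rotate and nothing for the admin to remember or record.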
8BFF4fpThY@reddit
NEVER - If you do, you're doing it wrong.
Chaise91@reddit
If the user is particularly sensitive, they may require some extra steps to guarantee they can get back to work.
conrat4567@reddit
I work in an education trust. The only account off limits without authorisation is leadership. We regularly log on as students or teaching staff if they are having specific issues related to the account. This is communicated to them and we have never had an issue. More often than not, they sign in for us or are present, unless it's a long-winded fix. It is in our Acceptable Use Agreement that anything you do on the school devices can be monitored. If you are banking, buying clothes or gaming on a company device, you are not working. These are work devices, not personal devices.
It's no different to being able to create links to OneDrive folders, add yourself as a delegate to an email or go rooting around user profiles on the server. Never assume any device given to you or managed by a company is exempt.
craigontour@reddit
Privacy laws!
JimmyMcTrade@reddit
It's an interesting question. I know people will go "never ever do that, you crazy?"
But at the same time, as an admin you have God Mode access to everything, including their emails and OneDrive. That is to say, it ends up being a matter of trust.
We also work with tiny businesses and sometimes I have to do things while people are at lunch and I may log into their own machine as the user to fix an urgent matter like re-pinning a Quick Access link to a folder because the user doesn't know where the source folder is. (lul).
breid7718@reddit
Disagree. As admin, it's logged that admin did something in a user account. Or it should be if you're not turning it off. That makes it clear that the user themselves are not responsible for those actions.
Immortal_Elder@reddit
Your boss shouldn't be your boss. He obviously knows nothing about basic security and best practices
corruptboomerang@reddit (OP)
Agreed. But he's been there for 20 years (from what I can tell, riding whoever he hires under him for most of that).
Immortal_Elder@reddit
Common sense and experience tell me you wouldn't need to "make sure", because users are not shy to bitch when they can't log in.
JustHereForYourData@reddit
You guys don’t login to new accounts and check that they work once created?
corruptboomerang@reddit (OP)
New accounts are one thing. But the executives?!
RawleyGo@reddit
Login as? Nah. Force log off? Pretty often
New-Spell1929@reddit
Workstation setups, yes. Otherwise not. I don't understand 100% what your boss wants to get approved?
Ssakaa@reddit
When I started my current job, I sat down in a room with someone on the endpoint team, watched my laptop finish imaging, logged into it for my first login, then ran through the quick setup to-do list with them there to support if anything gave me trouble, or if anything required admin to do, like setting the BitLocker TPM PIN. It can be done. It involves the user in seeing "this is the software we use for these things" like getting Outlook to sync up the first time, validates their account propagated to everything on the list, makes sure they know how to log in et al., and makes sure they (and only they) accept their issued devices.
Ihavenoideatall@reddit
There are times where I log in as the user and log off, then recheck the profile in AD to force a password change upon the user's login. If the user is not office-based, I will make sure the profile is set up properly in the system before the user brings the laptop home.
eris-atuin@reddit
Exactly once, when setting up their account so their laptop can cache credentials etc. Otherwise, never.
BatouMediocre@reddit
Log in as myself? Sure, from time to time to test stuff.
As another user? Never. Not only is it not best practice, but it borders on being illegal in the EU.
Timely-Helicopter173@reddit
Never any more.
When I worked for a small (200 people) organisation I might have them log in while I watch, or take control once they are logged in. I might have reset a user password once or twice to test something complicated for them outside normal hours with prior agreement with them, and then forced a reset so I don't continue to know it later.
As a Linux admin now I might become a user to check something on a server but that doesn't involve their password and usually it's a service account or something.
Kreppelklaus@reddit
Only for setting up the still blank machine. Especially to set up VPN and stuff.
After the user got his device, I never log in with his name without him standing beside me (after a password reset). I like my job too much, you know...
joerice1979@reddit
We look after lots of small businesses, so yes, many many times.