Is there a way to have two different passwords for AD user objects?

Cerulean ([H]F Junkie, joined Jul 27, 2006, 9,476 messages)
The reason I ask is this: with our new policy, users are responsible for remembering and setting their own password. We technically cannot ask for their password (as it would defeat the purpose of the new implementations for increased security, personal liability, and auditing).

We have users whose VDI we can only work on when they leave work, due to the nature of the particular issue or situation at hand. Problem is, we don't know their password (and don't want to) and often have situations where the last thing we want to do is reset their password. It would be convenient if we could log in as a user without knowing their password while the user is at home and away from work.

For the typical user, we can go the route of resetting their password and informing them of what happened and why we did it.

For executives or higher level people, especially when they have had a frustrating day or are under very high stress, resetting their password becomes the last thing we want to do, and we also want to avoid having them type in their password every time we get a logon prompt or having them divulge their private and confidential password.

Any ideas?
 
It's important to keep in mind that the password, itself, is not the sensitive part. It's the access it grants you.

AD doesn't have anything like this. Execs and other sensitive users will just have to get used to the idea that IT has to reset passwords to access their accounts for maintenance. Believe me, you aren't the first to come up against this particular problem, and I doubt your "high maintenance" users rival the worst some of us have seen. Yet most of them have gotten used to the idea, regardless.

If you want to sell this to management, point out that they will always know when IT has been working on their account.
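The auditing point above can be backed up with a script. The following is an added example, not code from the thread: it lists administrative password resets (Security event 4724, "An attempt was made to reset an account's password") for one account across every domain controller, so a user or IT can verify when and by whom IT touched the account. It assumes the RSAT ActiveDirectory module, read access to the DCs' Security logs, and that "Audit User Account Management" is enabled in the DCs' audit policy; the account name is a sample. Event 4723 would instead show the user changing their own password, which is how the two cases stay distinguishable.

```powershell
# Added example, not from the thread. Lists administrative password resets
# (Security event 4724) for one account across all domain controllers.
# Assumes: RSAT ActiveDirectory module, rights to read each DC's Security log,
# and "Audit User Account Management" enabled on the DCs.
Import-Module ActiveDirectory

function Get-AdminPasswordResets {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Days = 30
    )
    # 4724 is recorded only on the DC that performed the reset, so query all of them.
    $dcs = (Get-ADDomainController -Filter *).HostName
    $filter = @{ LogName = 'Security'; Id = 4724; StartTime = (Get-Date).AddDays(-$Days) }

    foreach ($dc in $dcs) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Pull the named EventData fields out of the event XML.
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                if ($data['TargetUserName'] -eq $SamAccountName) {
                    [pscustomobject]@{
                        Time    = $_.TimeCreated
                        DC      = $dc
                        Target  = $data['TargetUserName']
                        ResetBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                        Outcome = ($_.KeywordsDisplayNames -join ',')   # Audit Success / Audit Failure
                    }
                }
            }
    }
}

# Usage with a sample account name (assumed, not from the thread):
Get-AdminPasswordResets -SamAccountName 'jdoe' -Days 30 |
    Sort-Object Time -Descending | Format-Table -AutoSize
```

Because each DC only logs the resets it processed itself, a query against a single DC will miss resets done elsewhere; forwarding the Security logs to a central collector avoids the loop entirely.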
 
We quite often ask for their password. They have it written on a sticky note in their top drawer anyways so it's no less secure if we know it. With all the passwords I have to remember, it's forgotten within the day.
 
There are plenty of packages for user self-serve password unlock out there. I think the entry price is around $600.

User locks themselves out....Ctrl-Alt-Del and choose password recovery. They answer a question they previously set. The account is unlocked. Now they get 3 more chances to guess. Rinse and repeat as necessary.


IT Admins can always change the password to 123OpenMe and set the "Must change password on next login"
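A fixed value like 123OpenMe is guessable by anyone who knows the convention, and it is the same for every user. The following is an added example, not code from the thread, of the same reset procedure done with a random one-time password and the "must change password at next logon" flag set, so the value IT knows is dead as soon as the user logs in and the reset itself lands in the audit log as event 4724. It assumes the RSAT ActiveDirectory module and an account with password-reset rights on the target user; the account name at the bottom is a sample.

```powershell
# Added example, not from the thread. Resets a user's password to a random
# one-time value and forces a change at next logon.
# Assumes: RSAT ActiveDirectory module and password-reset rights on the target.
Import-Module ActiveDirectory

function Reset-TempPassword {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Length = 20
    )
    # 64-character set (ambiguous glyphs like I/l/O/0 removed). Exactly 64 so
    # that "byte % 64" selects characters without modulo bias.
    $chars = ('ABCDEFGHJKLMNPQRSTUVWXYZ' + 'abcdefghijkmnpqrstuvwxyz' + '23456789' + '!@#$%^&*').ToCharArray()
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()

    # Regenerate until the value contains every class the default AD
    # complexity policy expects (upper, lower, digit, symbol).
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $plain = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
    } until ($plain -cmatch '[A-Z]' -and $plain -cmatch '[a-z]' -and
             $plain -match '[0-9]' -and $plain -match '[!@#$%^&*]')

    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    # -Reset performs an administrative reset (logged as event 4724 in the
    # admin's name), as opposed to a change that requires the old password.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    # Fails if "Password never expires" is set on the account; clear that first.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    Unlock-ADAccount -Identity $SamAccountName

    # Hand the one-time value to the user out of band; do not log or mail it.
    return $plain
}

# Usage with a sample account name (assumed, not from the thread):
$oneTime = Reset-TempPassword -SamAccountName 'jdoe'
Write-Host "One-time password set for jdoe; user must change it at next logon."
```

The flag is what makes the temporary value safe to speak over the phone: once the user has logged in and picked a new password, what IT knew no longer works.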
 
Maybe I missed it but why are you logging in as other users?

That's a good question. The only time I use a user's login is when I remote in with them, for them, to duplicate an error. Everything else should be able to be pushed/pulled/scripted/command lined.
 
Yeah, I'm not sure I understand why you need to log in as them at all? Maybe if you can explain that... we can give other recommendations.
 
Our VDI setup is like this also. The VM will only allow the user it is assigned to to log into it with AD credentials. You can log in to it with another user account, however it will kick you off in a few seconds. Doesn't matter if you have admin credentials.
Due to how AD is setup, we can't reset anyone's password. If a user has a problem they have to put in a ticket, and arrange time for a tech to remote in while they are there.
 
Isn't there an option for the user object to allow administrators to view/interact with that user's VDI sessions? I know I've seen something like that but never really tried to do anything with it, might be under advanced properties.
 
Yeah, I'm not sure I understand why you need to log in as them at all? Maybe if you can explain that... we can give other recommendations.
We recently went to full blown VDI environments in the cloud (spread out across 4-5 DCs around the world), migrating one division at a time while keeping the old network infrastructure and computer systems online. With any migration, there will be problems that come up and issues that need to be nailed down. I work for a company with a handful of overseas/international divisions.

The weird thing we have noticed about viewing the console is that when a user is in operation, the console will only show a black screen. However, you can see the mouse cursor of the user, and you can move their mouse and type into the keyboard. We have tried GoToAssist, GoToMeeting, and TeamViewer -- all present the same problem (black screen, mouse cursor on screen). VNC works though, but we haven't gotten Track-It! setup for remote control yet (in the process of migrating that too, but we will have to create dedicated VDIs for everyone in IT, plus we will be migrating from an old severely underpowered IceWarp server to our new in-the-cloud Exchange 2013 server in 2 weeks), and it only works when the user is logged in (though I suppose if it all works, we could ask the user to not log off when they leave for the day so that way we can borrow their session, but we would still be limited whenever we would get a logon prompt).

It is ironic that VMware has vSphere/ESXi, View / VDI software, etc... but nothing for interacting and shadowing VDI sessions.
 