
Possible Duplicate:
Is there an equivalent of SU for Windows

I am helping my friend manage a small network at his company. One of the two servers they have is a Server 2003 providing terminal services. The other is a Server 2008 SBS running the domain controller, Exchange etc. My part includes helping set up new user accounts and configuring their terminal server environments. There are things users could do themselves if they were more knowledgeable, but with this process being done only once there is no reason to spend hours on training just for that - how to point a third party app to the right database, how to move the Documents folder to a mapped network drive etc. So I just do it all for them. And that's where the issue comes in - from time to time I need to log in as them to configure things properly. The company is just several people and the standard practice so far has been - they tell me their password, and I do the rest.

I know this is a very insecure practice and I would like to change this. I am not very experienced with Windows servers and do not know how I, a network administrator, can log in as another user. Linux servers have the su command that allows admins to log in as other users. Is there anything like this in Windows? Am I looking at it from the wrong side?

In response to Robert and jscott: Yes. Sorry, I could not find that topic. Comments there, however, do not directly help me. A simple practical issue - how to set up a user's Outlook signature, bearing in mind that users have different titles, some have direct phone numbers, some have fax etc. A more complicated practical issue - a third party database app needs configuring for every user. I have to log in to the app as a database admin, point it to the right database, restart the app. Then log in as the db admin again, create a new db user with proper access rights (varying from user to user), set up their db-to-outlook bridge (implemented per user for some reason). All this config is saved in the user's registry, so it is done for every new terminal server user. How do I do that with GPO and/or scripts? Thanks.

1 Answer

The answer is the same as the other question: there isn't an "su" option. Two possible workarounds:

  1. Change the user's AD pswd, log on as them, make the changes, log off, set the account to require a pswd change at next logon, communicate the new/temp pswd to the end user.

     If this is a new user setup process then you can use a generic "newpswd" that the onsite HR/Admin person can communicate to the new user. High level users can have a separate "execnewpswd". Periodically change the new pswds & always require the user to change on next logon.

  2. Use an Admin share (or unshared dir on the server) to store the user pswds so the local admin can enter them and you can access them, without requiring them to be emailed/communicated outside the network.

Neither option is perfect.

How to "change registry/setup db connections", "setup Outlook sigs" and "restart app" with GPO/scripts are different questions and pretty involved. Best to post a question specific to what's not working.

Some of those types of tasks can be automated with http://www.autoitscript.com/.

HTH.

Ed Fries
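The first workaround above (reset the AD password, configure the profile, then require a change at next logon), as an added PowerShell example that is not part of the original answer. It uses a random temporary password per user and assumes the ActiveDirectory module is available (RSAT, or Server 2008 R2 and later); the function names and the account name `jdoe` are hypothetical.

```powershell
# Added example, not from the original answer. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function New-TempPassword {
    param([int]$Length = 16)
    # 64 symbols: 256 is a multiple of 64, so byte % 64 has no modulo bias.
    # Look-alike characters (0/O, 1/l/I) are left out because the value is typed by hand.
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%+-=@?'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
        # Retry until upper, lower and digit are all present (default AD complexity rule).
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '[0-9]')
    $pw
}

function Start-UserSetup {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $plain  = New-TempPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    # Administrative reset: the user's old password is not needed.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    # Leave the flag off while the administrator logs on to configure the profile.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $false
    $plain   # returned once to the caller; not written to disk
}

function Complete-UserSetup {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    # After logging off: the temporary password works for one logon only.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
}

# Usage (constructed account name):
#   $temp = Start-UserSetup -SamAccountName 'jdoe'
#   ... log on as jdoe, configure the app and Outlook, log off ...
#   Complete-UserSetup -SamAccountName 'jdoe'
#   Hand $temp to the user through the onsite HR/Admin person.
```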