I have to administrate a Windows 7 computer for which I have an Admin account. The computer is in a Domain (if this is important). Now I need to configure an user account on this computer (also a domain account), so put shortcuts on the desktop etc. But I don't know the password for this account. I am not allowed to change the password on the domain server (SBS 2011), because the user needs to login remotely to his Exchange account with his password (which would not work anymore if I changed it). Asking the user for the password is no option, this would violate all my personal and the companies security guidelines.
So, how can I (with an Admin account) configure a user account on a Windows 7 computer without knowing the password for the user account?
In Linux I just be root
or do sudo
, but I don't know how to do similar tasks in Windows.
Answer
Has the user ever signed into this computer before?
If yes, then all you need to do is drop any files/shortcuts you want directly into the user's profile folder under C:\Users. If you need to change settings for the user, you can mount their registry hive in Regedit from your account by opening the NTUSER.DAT file in their profile. You'd need to figure out what keys correspond to what settings, but it's doable with a little work on your part.
If not, then the user does not have a cached profile on the computer for you to work with, and therefore you'll have to pull off some wizardry to make it happen. Here are a couple ways you could do it:
- Use some remote control program like TeamViewer, LogMeIn, GoToMyPC, or whatever -- anything that will allow the user to connect remotely to a login screen -- and have the user sign into this computer from wherever they are. You can then modify their profile right then and there and they still wouldn't have disclosed their password to you. This would be my preferred suggestion.
- If the computer in question is going to be assigned to them (i.e. they will be the only person using it), then you can modify the default user profile by dropping files into folders under C:\Users\Default. You can also make the aforementioned registry changes by mounting C:\Users\Default\NTUSER.DAT in Regedit. The drawback to this is that it will affect every user that signs into this computer for the first time (users who have previously signed in will not be affected).
- Make the user's domain account a roaming profile. If they sign into any computer in your organization after you make the change, Windows will sync a copy of their profile to the network. You can then modify the server copy of their profile and it will be pulled down to any machine they sign into. Once they've signed into this computer the first time, you can revert it back to a normal profile. This option has some downsides though. Actually this option is a terrible idea and you should only do it as a last resort :-)
There may be some others that I haven't thought of, but if they've never signed into this computer before then the bottom line is that you'll need to get creative.
No comments:
Post a Comment