As an IT Administrator/Manager, how do you securely keep track of a network PC’s passwords? If you don’t record passwords, how do you remotely manage computers when needing to join a user’s desktop or check their email, especially when passwords change on a regular basis?

6 Spice ups

We keep a record of all our passwords in a secured location at my part-time job. As an independent contractor, I keep an encrypted file on an encrypted drive, with a backup in a fire-resistant safe. I don’t look at users’ email.

1 Spice up

I use KeePass. However, you should never have to store users’ passwords.

3 Spice ups

For PCs, I simply use my AD admin account to log in and do things. Barring that, the Local Administrator password on all our workstations is the same. I do not want or need to know a user’s existing password – I either log in with different credentials, have them log in for me when I’m there, or reset their password in AD.

For other systems, as much as possible we link access to our dedicated AD admin accounts – every person in IT has their own, separate from their regular account. We use KeePass to record any common/shared passwords that are needed apart from that.

4 Spice ups

Write them all on a Post-it note and stick it to the PC case.

6 Spice ups

I just remember them.

Currently at my company we use Passportal. It allows us to keep track of all our customers’ passwords in an organized fashion from our office computers, cell phones, and customer computers if required. Seems secure and is not too expensive to use.

I use KeePass. I log in to most PCs and servers with my network account. I don’t know any of our users’ passwords at the bank. On a rare occasion when I need to monitor a mailbox for problem investigation, I grant myself full access to the mailbox and open it in Outlook, and it has to be documented in our helpdesk system.

1 Spice up

How do I manage passwords? Securely and without mentioning the method I task to do so on a public forum…

I use Keeper :)

@Keeper_Security

I use PasswordSafe on all my devices.

Amen to that.

Everything is domain joined, so I use my own account to do things; if the user needs to log on, we ask them to do so.

Sometimes, if the user is already logged in, I’ll use Runas /USER:Domainname\Administrator "blahblah.exe" and provide the admin password, to save them having to log off and disrupt their work.

We have over 100 passwords for various devices, online accounts and other services. This is held in an encrypted document; there’s also a printed copy in a fireproof, off-site safe that only IT staff have access to (in case our HQ burns down).

1 Spice up

LOL, this just made my day!

2 Spice ups

Thank you for all the replies.

My only remaining question is, how do you remotely log into a user’s current session, whether they are at their keyboard or not? Considering all users have multiple monitors, Remote Desktop Connection isn’t an option.

We use SCCM to remote on to users’ sessions; however, it only works when someone is logged into the machine and the machine isn’t locked, thus the user has to be present. We don’t consider this a bad thing because that way the user is always aware if someone is shadowing them.

With Citrix we use the in-built shadow function, again the user is notified and has to consent to the prompt.

There’s an option in a user’s Remote Desktop AD properties to allow Remote control of the session, both with and without the user’s permission. You can also set view only and interaction rights. We’ve not used this yet but suspect we will as we migrate more off Citrix and on to RDS.

I’m not an IT admin, but as a project manager I still have tons of vendor logins, social media logins, and passwords to all sorts of random things - WiFi networks, event logins, reporting tools, media tools, tools tools tools.

We (obviously!) use @LastPass Enterprise organization-wide to address the password issue. I have my own LastPass account with my own password vault where I can store everything I need at work. My account license is actually managed by a company admin in the IT department, but the vault is mine to save things to.

My team and I all have a Shared Folder where we put any logins that we all need access to. If we ever need to update the password to one of those shared logins, the new password is conveniently updated and synced for everyone that’s got access to that folder. Company-wide, there are dozens of folders for different teams, or different projects.

We also have plenty of MSPs using LastPass Enterprise to manage client logins or user accounts. See the best answer here: http://community.spiceworks.com/topic/1155633-remote-support-password-management-complications?page=1#entry-4988505 for more thoughts and let me know if I can help with any other questions!

I’m not sure I understand this statement. RDP works no matter the number of monitors on the target client. All my users have 2 or 3 monitors, and I can open a single RDP session to the workstations without issue. Could you perhaps be referring to something else, like Remote assistance?

We need to log into people’s computers, as the user, when they are locked and away. Would you have a master password list, as described below? If not, what low cost solution would you recommend?

I’m still looking for the appropriate password solution. According to many IT professionals, it’s not acceptable to have a master password list, even when the file’s encrypted on an encrypted drive, with minimal permissions.

Gabrielle.L, multi-monitor support is not available in Windows 7 Pro, only Ultimate or Enterprise.

http://www.techrepublic.com/blog/windows-and-office/use-multiple-monitors-with-windows-7s-remote-desktop-connection/

I’m having real difficulties understanding what your goal is. Are you trying to connect remotely to users’ computers while they are using them, to provide assistance? Then you need a screen sharing tool (not Remote Desktop) and you do not need their passwords. Perhaps you can clarify what you mean with a specific example?

We want to connect remotely to users’ computers, logged in as them, while they are NOT using them. The requirement is to fix user-specific issues, after hours, when the computer is locked or logged off, but not shut down. This includes user-specific email issues.