Using admin credentials to log on as a user vs. storing passwords

Tags: active-directory, password

Our office uses a Windows Domain with Active Directory to manage user access to machines and network resources. The IT staff maintains a record of every user's password, which is used mainly for troubleshooting. E.g. sometimes problems appear only when logged in as a "regular" user, not an admin. Also, this lets IT admins configure software for local users, check settings, etc.

Is it considered bad practice to keep this list of passwords? In theory, only administrators have access to it. Is there some way to use admin credentials to log in as a local user, which would obviate the need to store the user's password?

(A little background: the office has about 30 users, with 2 IT admins. Some users have remote access via VPN.)

Best Answer

This is considered bad practice, both for password-security, as well as identity management. Having a clear-text password list available anywhere is something that just should not be done, or if it is done at all it needs to be kept offline and with rigid (and auditable) access controls in place. The identity management violation is that such password lists allow users with access to the password list to impersonate anyone on that list without that person's knowledge.

It has been Microsoft's policy that if such local-profile access is required, technical staff requiring access either:

  • Be logged in by the user themselves.
  • Have the technical staff reset the user's password.

In both cases, the user is aware that their electronic identity is being impersonated by someone who isn't them. Yes, this can lead to "unneeded" password resets as work is done on the local profile to identify problems, but the password policy in place needs to accommodate such actions. Is this an inconvenience to both technical and non-technical staff? Yes it is.

Consider this though. Should one of your users get caught with something They Should Not Have on their workstation, the kind of thing that can lead to firing or criminal prosecution, having such a password list makes it impossible to prove that they and only they put such data there. This will become a very important point if it ever ends up in court (either wrongful-termination, or defending the criminal charge). It's for your own protection that passwords need to be confidential even from the system's administrators.
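The reset option the answer describes can be scripted so that no password is ever kept on file. The following is an added example written for this page, not code from the question or the answer: it sets a random one-time password, forces the user to pick a new one at next logon (so the temporary value dies with the troubleshooting session), and pulls the domain controller's audit trail of administrator-performed resets (Security event 4724) so that every reset can be matched against a ticket. It assumes the RSAT ActiveDirectory module; the domain controller name `DC01`, the account `jdoe` and the ticket reference are placeholders.

```powershell
# Added example, not part of the original answer. Assumes the RSAT
# ActiveDirectory module is installed and the caller holds reset rights.
Import-Module ActiveDirectory

function Reset-UserForTroubleshooting {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Ticket   # change/ticket reference for the audit trail
    )

    # Generate a random one-time value instead of reusing a password anyone knows.
    # 18 random bytes -> 24 Base64 characters (upper, lower, digits, '+' '/'),
    # which satisfies the default domain complexity policy.
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $oneTime = [Convert]::ToBase64String($bytes)
    $secure  = ConvertTo-SecureString $oneTime -AsPlainText -Force

    # -Reset replaces the password without knowing the old one; this is the
    # operation that shows up as event 4724 on the domain controller.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    # The user must choose a new password at next logon, so the one-time value
    # only works for the troubleshooting session and never needs to be recorded.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    Unlock-ADAccount -Identity $SamAccountName   # clear any lockout from failed attempts

    Write-Output "Reset $SamAccountName for ticket $Ticket; user must change password at next logon."
    # Hand this to the user out of band and discard it; do not write it anywhere.
    return $oneTime
}

function Get-RecentPasswordResets {
    # Lists resets performed by administrators (event 4724) in the last $Days
    # days so a reset without a matching ticket stands out in review.
    param([string] $DomainController = 'DC01', [int] $Days = 7)

    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4724
        StartTime = (Get-Date).AddDays(-$Days)
    } | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Target  = $data['TargetUserName']
            ResetBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    }
}

# Usage (placeholders): reset one account for a ticket, then review the trail.
# Reset-UserForTroubleshooting -SamAccountName 'jdoe' -Ticket 'HELPDESK-1234'
# Get-RecentPasswordResets -DomainController 'DC01' -Days 7 | Format-Table
```

Because the reset is forced to expire at next logon and the audit query ties each 4724 event to the administrator who performed it, the "who put this on the workstation" question raised above has an answer: any session the admin opened is bracketed by a logged reset and a user-initiated password change, rather than an unlogged logon with a password copied from a list.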