Windows – How to save/restore a Windows AD password

active-directory password windows

We often have to tweak, test, or repair some software when the users are not there.
For example, today one of us set up a new mail account on a user's computer, but the user is on holiday. This then requires that we impersonate the user.

Working on a computer when users are not here is very nice for us and them. But this often requires that we ask them for their Windows account password, or we change it before we use it, and the user then has to change it back when he comes back, but this requires him to understand what has happened.

Is there a (fast) way to save then restore Active Directory passwords?
1 – we save the password
2 – we change the password to TECHPASS123
3 – we work on the computer, and we test if everything is okay with the user's account
4 – we restore the original password

Best Answer

For a local computer, you can simply do it by copying the c:\windows\system32\config\sam file to a temporary one. Once you have finished, just copy it back.
But you can't do that while Windows is running. So you have to use a Linux CD or boot from a Windows CD and open a command line.

For the first part, you can do it online with runas system account, or with shadow copy. So this is an easy step.
The last part must be done offline. If anyone finds out how to do it online, I'll be happy to know how.

Note you can have a problem if you check for password reuse.

The problem is: this doesn't work with Active Directory because you don't want to reboot your server in the middle of the day. And if you have several domain controllers, this doesn't work at all.

Some software can do it on the fly. I used one whose name I forgot (it has "migration" in its name) and it is overkill for this use. I don't know if it exists anymore or if it works for 7 or 2008. Maybe a lighter piece of software exists, but I don't know of one.