Is there a way (when logged in as an administrator, or as a member of the administrators group) to masquerade as a non-privileged user? Especially in an AD environment.
E.g., in the Unix world I could do the following (as root):
# whoami
root
# su johnsmith
johnsmith> whoami
johnsmith
johnsmith> exit
# exit
I need to test/configure something on a user's account, and I don't want to have to know their password or have to reset it.
Edit: runas won't cut it. Ideally, my whole desktop would become the user's, etc., and not just in a cmd window.
Best Answer
I'm pretty certain there is no supported way to run as a different user without having that user's credentials. It's a non-repudiation measure. Someone can't say: "I didn't do it", because either they did it, or someone with their credentials did it. And for the second they'd have to give the other person the credentials.
Normally how I do what I need to do while logged in as another user is to use remote assistance to essentially RDP into the session, and have them grant me control. Then I do whatever while they're watching (presumably, anyway).
Anything else can usually be done with GPO/scripts.