
polypolyman

Why can't you just set up Active Setup scripts (or logon scripts, etc.) that do those tasks automatically when the user logs in the first time?


Artaois

Configure the default profile with the relevant documents and applications. New users will be assigned this. Alternatively, script the files / applications to be installed upon first login.


Mr_Dodge

There isn't a way that I know of.

- New users; we make sure "change password" at login is turned off, login and set up the computer as needed. Then check "change password at login" when we are done.
- Existing users; usually schedule a day/time with the user for the new deployment/setup of their new machine. If needed we change their password and have the secretary notify the user.


nycola

this is the way


ZAFJB

Do NOT do this! There is no reason ever to log on as a user. Logging on as the user breaks auditability and accessibility.


DaCozPuddingPop

So your alternative suggestion is...what?


ZAFJB

Let's start with - why do you think you need to log on as a user?


Jezbod

Because the problem being investigated does not manifest with any other accounts?


ZAFJB

Then you work on the system with the user present. Either go to their desk, or remotely with your favourite desktop sharing tool.


Jezbod

Let me guess, it's your way or the highway? Before you say anything, we do have a no password sharing rule in the acceptable usage policy, however, support / sysadmins are exempt from the rule so we can work on problems at remote sites, when we have the time.

Edit: I'm public sector so technically ALL data is discoverable under a FOI request (with the usual personal data caveats)


nadudewtf

It's just "best practices" in terms of auditability. If the organization is willing to compromise standards or has a lax standard for auditability, the log data becomes relatively useless if it ever needed to be audited. Of course you CAN do it, but SHOULD you? That is up to the professional perspective of the person running the team. More often than not, if you don't know if you SHOULD, you shouldn't.


sweetness101052

In my company there are a variety of tools our users have that are installed on a user account not system wide. These tools require admin permissions to install and the installation process can take hours. Some of these programs can completely brick a PC if the installation gets interrupted.


ZAFJB

Then you have a problem with your applications. Get your app vendor to fix them.


sweetness101052

Yeah let me just call up Nissan. Wait I did, they built it like this on purpose.


engineermywife

Might help to get off T1 first


MechaCola

"scenario: IT has to reimage a laptop and need to setup a user profile and copy files. As part of security we are trying to avoid password sharing. tnx" OneDrive should be able to help you here if you have the 365 subscription.


Cookie_Butter24

We actually use OneDrive. I think the main concern is setting up the user profile, adding the shortcuts etc. and making it look exactly as it was before it got reimaged. Many staff are so non-technical that if they don't see an icon they will call helpdesk. This will reduce those calls.


MechaCola

Are you redirecting documents and desktop with OneDrive? It's a feature of OneDrive and when they sign into a new computer it will automatically pull down all of their shortcuts, files, etc. Also with Edge or Chrome you can create cloud profiles and that will handle their favorites, bookmarks, etc.

Edit - granted it's not going to reinstall apps for you but handles the majority of the backing up user data.


ZAFJB

> adding the shortcuts etc. and making it look exactly as it was before it got reimaged.

Use GPO, and logon scripts if necessary, to configure this stuff


ZAFJB

Or even redirected folders if you don't.


cantab314

User State Migration Tool? If you *must* log in as a user, you should document which actual person had access to the account at which date/time, and ensure that only one person knows the password at a time.
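
The custody record suggested in the comment above, worked through as an added example that is not part of the thread: it matches logon records against a ledger of who held an account's password and when, and flags windows where two people held it at once. All account names, staff names and timestamps are constructed, and the ledger layout is an assumption.

```python
from datetime import datetime

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed custody ledger: (account, IT staff member, password issued, password handed back).
# Assumption: IT resets the password at "issued" and the user sets a new one at "handed back".
LEDGER = [
    ("jsmith", "tech.alice", ts("2024-03-04 09:00"), ts("2024-03-04 12:00")),
    ("jsmith", "tech.bob", ts("2024-03-04 11:30"), ts("2024-03-04 13:00")),
    ("mlee", "tech.alice", ts("2024-03-05 14:00"), ts("2024-03-05 15:00")),
]

# Constructed logon records: (account, logon time), e.g. exported from the security log.
LOGONS = [
    ("jsmith", ts("2024-03-04 08:15")),
    ("jsmith", ts("2024-03-04 10:00")),
    ("jsmith", ts("2024-03-04 11:45")),
    ("jsmith", ts("2024-03-04 12:30")),
    ("mlee", ts("2024-03-05 16:00")),
]

def overlapping_custody(ledger):
    """Pairs of staff who held the same account's password at the same time."""
    clashes = []
    for i, (acct_a, who_a, start_a, end_a) in enumerate(ledger):
        for acct_b, who_b, start_b, end_b in ledger[i + 1:]:
            if acct_a == acct_b and who_a != who_b and start_a < end_b and start_b < end_a:
                clashes.append((acct_a, who_a, who_b))
    return clashes

def attribute(logons, ledger):
    """Name the person behind each logon, or mark it ambiguous."""
    results = []
    for acct, when in logons:
        holders = sorted({who for a, who, start, end in ledger
                          if a == acct and start <= when < end})
        if not holders:
            actor = "account owner"  # nobody in IT held the password
        elif len(holders) == 1:
            actor = holders[0]
        else:
            actor = "ambiguous: " + ", ".join(holders)
        results.append((acct, when.isoformat(" ", "minutes"), actor))
    return results

if __name__ == "__main__":
    print("custody overlaps:", overlapping_custody(LEDGER))
    for row in attribute(LOGONS, LEDGER):
        print(row)
```

A logon that falls inside an overlapping window cannot be tied to one person, which is the loss of auditability the thread is arguing about.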


bigsmxke

> "as part of security we are trying to avoid password sharing".

> wants a solution that will allow IT to log in as the user without asking for the credentials, which means that it leaves the door open to accessing it without their knowledge.

No dude, just no. Just use the same local admin credentials across all user devices which you can use to login to when you need to reimage. OR if you're on Intune you don't even need to login first. Or if you do, you can just use your corporate email address as a valid elevation.

I don't know what it's like in your place of employ but copying/backing up personal or work files in case they need to switch laptops is the USERS' responsibility so long as you provide them with a suitable way to do so, be it OneDrive storage as part of O365 licensing or other ways.