Things might be different in Windows but, IMO, something is wrong if you even need a user's password. I haven't been able to get this policy in place in my department but if I was the boss, I'd make it against the rules for even an IT staffer to ask for a user's password. I would say an IT person could ask a user for their password but if the user gave it, the IT staffer should say, "HA! That was a trick question! You weren't supposed to give it to me."
IMO, if an IT person has to act as an end user, he should use root privileges to change the end-user's password temporarily. The end-user can change it back afterward.
The reason is that the first thing the police ask after a murder is committed in a locked room is, "How many people have a key to this room?" If an account is used for a crime, and even using someone else's account without their permission is a crime, the first thing you are going to be asked is how many people have that password. I can honestly say I know nobody's password but my own.
So I don't think an IT person should be digging around on someone's desk for their password. Unless they are doing it so they can tear up those Post-it notes, burn the pieces, and scatter the ashes.
On 08/03/2016 08:22 AM, vic.pereira@ssc-spc.gc.ca wrote:
Many departments we support have several systems. These all require their own passwords that expire at different times. They also have different requirements for complexity.
For some reason the people who develop policies around these issues feel that it is more secure keeping everything isolated than it is to have the tools in place to synchronise all the login accounts and passwords.
The tech guys who are our boots on the ground keep saying that these behaviours have made their jobs a lot easier. When they need to troubleshoot and resolve issues, often the person putting in the request is not at their workstation. Because of all the systems being standalone, it is amazing how often it is possible to find user accounts and passwords on posted notes under people's keyboards.
Vic Pereira
Project Manager, Networks and End-Users Branch
Shared Services Canada / Government of Canada
vic.pereira@ssc-spc.gc.ca / Tel: 204-781-5046
--
John G. Heim; jheim@math.wisc.edu; sip://jheim@sip.linphone.org