Dilemma in resetting remote user passwords

egrizzly

I'm seeking a solution to this dilemma. Our remote users who work from home receive laptops with one "local" user account and one "local" admin account that the helpdesk logs on to for remote support.

The dilemma is that every now and then the remote users forget the password for the user account and cannot log back into the laptop. The helpdesk is now stuck because they cannot compromise corporate security by giving the user the username/password for the admin account. The user is also stuck because now they cannot work as they have no ability to reset the credentials.

This seems to be somewhat of an IT management nightmare. Is there a "best practice" method to resolve this and reset the users login remotely without them having to drive far distances to a corporate location, or ship the corporate laptop back. The laptops are DELL Latitudes.

egrizzly.

Plantwiz

Have them ship the laptop back into the main office, reset or install an RF log in device, retina scan, or some physical security that eliminates the need for a password.


Why would your IT department setup devices with local admin rights to machines they have to support? I get it, its already done, but if one needs to support something remotely, then the one who gets to decide security levels is the one calling the shots.

Worst case, the user needs you to remotely log in to admin 'right' something for them, but if this is their machine to use to do company work on, then I see no reason they need rights to have access at an admin level.

egrizzly

If they have local admin rights they can install literally any random software there that can spread malware through the companies networks. That's why the security is setup like that.

Plantwiz

Perhaps I misunderstood how your first post was written, because I did not understand why you would give them a local admin account with access, so you DO NOT grant them access with that admin account?

Then I would inconvenience them and have them send it in or do a cross-ship where you send them one from supply and restock there old one after a reset. I see company equipment as NOT given the end user much say in how it gets used as it is a tool. This also makes things quick to keep them running, i.e this case swap out the equipment with 'working' equipment and they continue to be productive.

I'm going to guess you do not have a supply of machines to swap out though??

J_86

If they are remote users, does your help desk had any kind of remote access into the laptops? Can't they just login with the local admin account and reset the local user account password for the end user?

Plantwiz

I thought that too, but then I likely errored by thinking that the enduser lost 'both' passwords and/or usernames.

Kinda of pointless to make ALL (devices) have a local admin account be 'ADMIN' with a password 'p@ssw0rd' or something because then any device that is intercepted could be compromised.

Probably why so many are going 'cloud' based and maintaining the logins at the host rather than by the device and making the device the responsibility of the end-user.

Nevertheless,


@egrizzly

How 'far' are these distances? (hour drive, three hour drive or full day drive?)

I'd seriously consider expedited shipping (cross-shipping) and making the end-user pay for the shipping after the first incident. Password resets are pretty common, but without having the end-user manage their own device...I'd make them ship it in and reissue. Completely understand the 'not want to give up local Admin password, but I would hope all your Admin passwords were be unique to the device regardless and then you could give the password, log in remotely with them, force a change password. If everything is high security, shipping in is best option (IMO).

OR,
depending on the business, consider the risk of the person installing something 'bad' part of your screening process and make them responsible for the device.

I know in several school districts, the Tech dept doesn't allow ANY unauthorized installs and will not do any local admin support functions with staff nearby, they handle those tasks off-hours.

Good luck!

Christian.

A quick and dirty way could be to setup a third local account, one restricted to even launch the calculator, but that allows them to connect the laptop to internet and launch a remote session with your helpdesk center if they have an emergency such as this one. That way they can remotely get in and change the password using their admin credentials without sharing those details. If you want something a little better, you can google tutorials to change the password of this guest account using GPOs. It doesn't seem really straightforward but can be done.