As domain administrators, we often face situations where we need to access a user's workstation with their credentials - whether it's to configure applications like Outlook, troubleshoot profile issues, or verify permissions. The standard approach of resetting passwords in Active Directory creates several problems:
- Breaking cached credentials and stored credentials in applications
- Forcing password changes that may confuse users
- Requiring the user to re-authenticate everywhere
Here are three technical approaches that preserve the original password while allowing administrative access:
1. RunAs with Saved Credentials
Using the Windows runas command with the /savecred flag (for temporary use only):
runas /user:DOMAIN\username /savecred "cmd.exe"
This will prompt for credentials once and cache them for the current session. The /savecred option should be used cautiously as it stores credentials in Windows Credential Manager.
2. PowerShell Remoting with CredSSP
For remote scenarios, PowerShell Remoting with Credential Security Support Provider (CredSSP) allows delegation:
$cred = Get-Credential DOMAIN\username
Enter-PSSession -ComputerName workstation01 -Credential $cred -Authentication CredSSP
Remember to enable CredSSP on both client and server first:
Enable-WSManCredSSP -Role Client -DelegateComputer *
Enable-WSManCredSSP -Role Server
3. Temporary Local Admin with LAPS
If your environment uses Local Administrator Password Solution (LAPS):
# Get the current LAPS password
Get-AdmPwdPassword -ComputerName workstation01 |
Select-Object ComputerName,Password
Then use RDP or PSExec with the local admin account to access the machine and run processes as the target user:
psexec \\workstation01 -u localadmin -p Pa$$w0rd cmd /c "runas /user:domain\user notepad.exe"
While these methods solve the immediate problem, consider the security implications:
- Audit all access using the Security event log (Event ID 4624)
- Implement Just-In-Time administration through PAM solutions
- Use constrained delegation for specific services rather than full impersonation
For automated solutions in helpdesk scenarios, you might create a PowerShell function like:
function Invoke-AsUser {
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName,
        # Start-Process -Credential needs a PSCredential; a bare user name makes it prompt, which fails inside a remote session
        [Parameter(Mandatory)]
        [pscredential]$UserCredential,
        [Parameter(Mandatory)]
        [string]$Command
    )
    # Connect with the administrator's own credential, then launch the command as the target user
    $session = New-PSSession -ComputerName $ComputerName -Credential (Get-Credential)
    Invoke-Command -Session $session -ScriptBlock {
        param($u, $c)
        Start-Process -FilePath "cmd.exe" -ArgumentList "/c $c" -Credential $u
    } -ArgumentList $UserCredential, $Command
    Remove-PSSession $session
}
This provides a clean way to run commands as another user while maintaining an audit trail through PowerShell transcript logging.
As a domain admin, there are legitimate scenarios where you need to access a workstation with user context - configuring email clients, troubleshooting profile issues, or testing application behavior. Resetting passwords creates security risks and leaves audit trails. Here are cleaner alternatives:
Using Windows' built-in RunAs command with encrypted credential storage:
cmdkey /add:WORKSTATION_NAME /user:DOMAIN\username /pass
runas /savecred /user:DOMAIN\username "cmd.exe"
For remote scenarios where you need to test user experience:
Enable-WSManCredSSP -Role Client -DelegateComputer *
$cred = Get-Credential DOMAIN\username
Enter-PSSession -ComputerName WORKSTATION -Credential $cred -Authentication CredSSP
When you need GUI access, create temporary local admin rights:
# Create temporary local admin (expires in 15 mins)
$tempPass = ConvertTo-SecureString "TempPass123!" -AsPlainText -Force
New-LocalUser "TempAdmin" -Password $tempPass -AccountExpires (Get-Date).AddMinutes(15)
Add-LocalGroupMember -Group "Administrators" -Member "TempAdmin"
Always document access in your ticketing system and implement these safeguards:
- Set up JIT (Just-In-Time) access policies in PAM solutions
- Enable detailed auditing with Get-WinEvent -LogName Security
- Consider LAPS (Local Administrator Password Solution) for automated rotation
When users need Outlook setup but won't share credentials:
Start-Process "outlook.exe" -Credential (Get-Credential DOMAIN\username) -ArgumentList "/importprf .\user.prf"
Remember: These methods should only be used with proper authorization and auditing in place. The moment you complete troubleshooting, revoke all temporary access immediately.
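An added example (not code from either answer above): a Python filter over constructed Security-log 4624 records, in the XML shape Get-WinEvent exports, that flags run-as style logons, the audit signal both answers point to: logon type 2 or 9 where the account that requested the logon is a person and differs from the account being logged on. Sample records, account names and host names are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Logon types a runas-style logon produces: 2 = Interactive, 9 = NewCredentials.
RUNAS_LOGON_TYPES = {"2", "9"}
# Subjects that are the OS itself rather than an administrator's own session.
SYSTEM_SUBJECTS = {"-", "SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def event_fields(xml_text):
    """Flatten one exported Security event into {field name: value}."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = root.find("e:System/e:EventID", NS).text
    return fields


def is_runas_logon(fields):
    """True when an already logged-on account logged a different account on."""
    if fields.get("EventID") != "4624" or fields.get("LogonType") not in RUNAS_LOGON_TYPES:
        return False
    subject = fields.get("SubjectUserName", "-")
    # Console logons are requested by the machine account (WS01$) or SYSTEM, not a person.
    if subject.upper() in SYSTEM_SUBJECTS or subject.endswith("$"):
        return False
    return subject.lower() != fields.get("TargetUserName", "").lower()


def find_runas_logons(records):
    """Return (subject, target, logon type) for every record matching the pattern."""
    hits = []
    for f in map(event_fields, records):
        if is_runas_logon(f):
            hits.append((f["SubjectUserName"], f["TargetUserName"], f["LogonType"]))
    return hits


# Constructed sample records (not real log data) in the Security log's XML shape.
_TEMPLATE = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
             '<System><EventID>{eid}</EventID></System><EventData>'
             '<Data Name="SubjectUserName">{subj}</Data>'
             '<Data Name="TargetUserName">{target}</Data>'
             '<Data Name="LogonType">{lt}</Data></EventData></Event>')
SAMPLE_RECORDS = [
    _TEMPLATE.format(eid="4624", subj="WS01$", target="jdoe", lt="2"),     # console logon
    _TEMPLATE.format(eid="4624", subj="admin1", target="jdoe", lt="2"),    # runas as jdoe
    _TEMPLATE.format(eid="4624", subj="admin1", target="admin1", lt="9"),  # own /netonly creds
    _TEMPLATE.format(eid="4624", subj="WS01$", target="jdoe", lt="3"),     # network logon
    _TEMPLATE.format(eid="4625", subj="admin1", target="jdoe", lt="2"),    # failed logon
]
```

Feed it the XML from `Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4624]]' | ForEach-Object { $_.ToXml() }` to run the same check against a real workstation's log.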