How can an XP Pro administrator log into a user's desktop without the user??
December 8, 2007 6:56 AM   Subscribe

Is there a way/program to log into a Windows XP Pro user's desktop without their password (sort of like a master password?). Let me explain...

I have a Windows XP Pro network set up in my home. 3 Laptops, 2 Desktops, and 2 headless XP Pro boxes - one acting as a file server and the other a print server.

Sometimes, I need to add/remove something from a user's desktop or perform another administrative function of some sort or other. For the stuff that does not require the user to be logged in, that's fine, I can either log in as administrator, or use another administrative tool.

But sometimes, the user MUST be logged in (or it makes it 300x easier if they are logged in) to do whatever I need to do.

Is there any way to "use" the user's desktop using some sort of master password? Or maybe there's a program that lets you, as the administrator, emulate the user's desktop or one that will allow you to change any of their settings without needing them to log in?

(as an example, say I want to change the User's desktop wallpaper - I don't know of an easy way to do this without having them log in)

Your expertise, advice and help would be most appreciated!!!
posted by jspierre to Computers & Internet (16 answers total) 3 users marked this as a favorite
runas is what you want.
You can use the runas command start any program, MMC console, or Control Panel item. As long as you provide the appropriate user account and password information, the user account has the ability to log on to the computer, and the program, MMC console, or Control Panel item is available on the system and to the user account.
posted by majick at 7:22 AM on December 8, 2007

Here's an article on how to change your own wallpaper by manipulating the registry. To change someone else's, you'd use HKEY_USERS rather than HKEY_CURRENT_USER. Each use will have a branch in there named after their SID, something like this:


If you go to these branches, and do a search for the others' login names, you should be able to figure out which SID belongs to which user.

Of course mucking with the registry can be dangerous. Make sure you have backups.
posted by Hubajube at 7:24 AM on December 8, 2007

Hm, I take that back. I guess runas doesn't have administrative impersonation. That's a shame, and I apologize for answering in haste.
posted by majick at 7:27 AM on December 8, 2007

majick is correct. I do this all the time... With the user logged on, find the Internet Explorer icon inside the Start menu's All Programs. Right-click and RUN AS. authenticate as a local admin. then after it opens, in the address bar type "c:\" and ta-da! Note you can also type "control panel" into the address field to get to the...wait for it...wait for it...CONTROL PANEL!!
posted by BigJuiceMan at 7:53 AM on December 8, 2007

So.. (without knowing the Users password).... you want to be able to logon as the User, loading their profile path and Registry preferences so that any changes or updates you make are reflected in their profile... ?

Unless someone can educate me.. I'm pretty sure the (easy) answer to that is "No."

There are probably ways around it by skillful editing of the Registry and profile path file locations.. but my guess is that will be more work (and more complex/risky) than you want it to be.
posted by jmnugent at 7:54 AM on December 8, 2007

just noticed majick's second comment. he is mistaken in the second comment. follow my steps and ye shall find what ye seek. And if you want it from the horse's mouth...
posted by BigJuiceMan at 7:55 AM on December 8, 2007

For clarifications sake,.. I want to add that the "Run As" command might work in specific circumstances for specific tasks, but from your description (atleast to me) doesnt sound like the exactly solution you are looking for. (course, it wont hurt to play with it and see for yourself)
posted by jmnugent at 7:57 AM on December 8, 2007

The example you give isn't necessarily the best, since you can just change the users wallpaper by changing the value of Wallpaper in their individual HKEY_USERS\XXX\Control Panel\Desktop registry key. Most settings of that nature (customization, configuration, etc) can be done that easily while logged in as the administrator.

Sounds to me like jnugent's on to something don't want to have to log in as the user even if you can if you can avoid it, right?
posted by JaredSeth at 8:40 AM on December 8, 2007

One way you could probably do this is with Active Directory. You have an amazing amount of control over both users and machines in a domain, and you can specify settings with fine granularity. I don't think changes you make will take effect until the next time they log in, though... at that point, Active Directory will see that the settings need updating, and will change whatever it is you want changed.

The downside, of course, is that you have to run a Windows Server of some kind, and those are expensive.

Now that I think about it, you might also be able to do some of this with remote editing of local policies. A lot of Active Directory management is specifying autoatic policy changes that apply to groups of machines and/or people... but you can still manually connect to and edit individual machines if you choose.

The policy editor is included in XP, but it's hard to find. You have to click start/run, type in MMC and hit enter, and then add a snap-in for Group Policy Object Editor. It defaults to editing the local machine, but when you add it as a snap-on, you can point it at other machines too.

Noodle around with that, and see if it does what you need.
posted by Malor at 9:44 AM on December 8, 2007

Malor, you should just be able to do Start, Run, gpedit.msc to bring up the policy editor. And all the policy editor is doing is changing registry keys (open up an ADM policy file in a text editor and you can even figure out which keys control each setting).
posted by JaredSeth at 11:00 AM on December 8, 2007

Ah, never mind...forgot that the gpedit.msc doesn't give you the Connect option.
posted by JaredSeth at 11:02 AM on December 8, 2007

No you cant do this.

As a local admin you have access to all their settings anyway. If you want to change their wallpaper you find the reg settings or file or whatever and you change it.

Usually when you want to control settings for all users on a machine you use group policy. I imagine this is what you should be researching. Its silly to do these changes user-by-user. You should be implementing a policy for all users.
posted by damn dirty ape at 12:47 PM on December 8, 2007

Also its worth mentioning that XP home does not come with gpedit.msc. I believe you can download the snap-in and get it to work regardless.
posted by damn dirty ape at 1:06 PM on December 8, 2007

The OP said they were using Pro, ape.
posted by JaredSeth at 1:29 PM on December 8, 2007

So at the login screen you press ctrl+alt+delete twice to take you the old fashioned pop-up login screen, type in "Administrator" as the account name and nothing as the password (assuming it's never been changed) and do what you need to do? That's the root admin of course, not the "user defined as admin."
posted by TomMelee at 3:28 PM on December 8, 2007

Users' registry hives won't appear under HKEY_USERS unless the users concerned are logged in (in which case they appear under HKEY_USERS\{sid}) or you load them explicitly. To do the latter, click on HKEY_USERS, then select Load Hive from Regedit's File menu, then navigate to the user's home folder and click on NTUSER.DAT. At that point, you get to pick an arbitrary name for the hive you've just loaded (I generally use the user's logon name). If you load a user hive explicitly, the user concerned won't be able to log on until you unload it again. While it's loaded, you can edit any if its subkeys.

This is a useful thing to do immediately before running something like Spybot Search & Destroy from your admin account; if you load up the user hives for all users (except the admin one that's already logged on) before running a SS&D scan, SS&D will detect and remove malware settings from all users in one pass. Remember to unload them afterwards.

As far as I know, there's no way to make Windows give you full access to a user's desktop while logged on as a different user, unless you can supply the password of the user whose desktop you want access to. Of course, your super admin powers allow you to reset any other user's password to anything you like and then log in that way, but if they've got saved passwords in IE or Outlook Express, or if they're using any encrypted files, this is destructive.

Really, the best you can do without knowing passwords is fartarse about with other users' files and registry settings, using methods that range from dirty and dangerous (the hive-loading trick I explained above) to borderline crazy (Group Policy).

The best thing is just for you to know all the passwords, and log on using Fast User Switching or run things with Run As as necessary.
posted by flabdablet at 3:38 AM on December 9, 2007 [1 favorite]

« Older Help me reconcile my feelings about potentially...   |   Where can I find landlord/tenant laws online that... Newer »
This thread is closed to new comments.