These threads are always coming up on Spiceworks and I've contributed to a few myself, without getting any satisfactory replies. I sit on the opposite side of the fence here. I sometimes ask users for their passwords. Let this be the thread that you all convince me to change my ways!

Firstly, what's the risk? I've heard people say it weakens any case at an employment tribunal, because the defendant can argue that the IT guy could have used his login credentials to somehow frame him. As the single IT guy for my organisation, I don't buy this. If I wanted to frame someone, there are plenty of ways I could do it. I could just manipulate log files. So the defence goes from "he could have used my login credentials to frame me" to "he could have manipulated the log files to frame me". There is huge amounts of trust in me implied in my position. The situation changes once a company employs two IT people. It would be much harder to frame someone if there was another technical guy here overseeing my work. So I can see why practices change for larger organisations.

I've heard people say it is unnecessary because everything can be achieved via things like Powershell and the Office Customisation Tool. People say I'm not qualified to be an IT Admin if I can't use these tools. I'd partially agree with that - I'm not an IT Admin and neither do I want to me. I don't have the time or inclination to learn Powershell in detail. Also, Office Customisation Tool is only available with Volume Licences and we use OEM & Retail. Now I'll overcome these obstacles if the risk is high enough (I'm not completely lazy!), but again, what's the risk?

People say writing user passwords down is insecure. Well, I write them down in the same place I write the Domain Admin password, so that is irrelevant. If someone hacked in to my Keepass database, getting hold of user passwords is the least of our worries.

Now, let's say you convince me of the risks. This brings me to the big problem I have with resetting a user password. People say "just reset it and let them know what it is and force them to change it when they logon." OK, how do I let them know? Some people say e-mail it to them. How do they get their e-mail if their password has been reset? Some people say leave a note. Is that really more secure? A domain password left on a desk for everyone, including the cleaners, to see and use? Really, that's more secure? If I could just tell them, that would be fine. But I only use their password because they're not around. If they were around, I'd get them to logon for me, so this wouldn't be an issue.

Convince me Mangos. And I need a better arguments than just "it's crazy" or "it's poor practice".

To date, I've only purchased O365 directly from Microsoft. But I now want to create a new account, and figured it would be better to go via our MSP for a bit of extra love and support and stuff. I'm just wondering what the key differences are.

What I know so far, and correct me if I'm wrong on anything here:

• We can't select a monthly subs, only annual. This isn't really a problem.
• Billing is from our MSP. This is a cool feature, as Microsoft will currently only bill us via credit card as we don't spend enough with them and there is a lot of overhead and admin involved in managing this.
• We can only order additional subscriptions via our MSP.

The last issue is a potential problem for me. Currently, if I want to add a new subscription at 2am I can do that on the O365 portal and the subscription is immediately available to allocate to a user. If I have to go via the MSP, I can see there being a delay - not least because they aren't open at 2am. This seems to work differently to Adobe, where I place new orders direct with Adobe but they then pass that on to my reseller who then invoices me. Which is pretty cool.

In terms of managing the accounts - creating users etc etc, is it identical? In other words, is the only difference related to billing? Does my MSP have access to my account to make changes on my behalf (if I so wish him to)?

Anything else I should be aware of before I send them a purchase order?

How does your break-glass system work? I'm not sure whether it's a good idea to publish my security policy on a public forum, but sod it. I may delete this post in a couple of days:

I have 3 Domain Admin accounts. One is for my use. One is used by our MSP (which they write down, I don't know where they write it down exactly), and one is for emergency use (eg I get run over by a bus). The emergency one is stored in Keepass. Two other people have access to the Keepass database, and the Keepass password is written down (yes, it is written down!) and stored in the safe.

I used to just store the Domain Admin password in the safe, but it occurred to me that we have lots of other accounts that would be a real pain to recover if I ever disappeared. So it seemed better to just give my emergency users access to my Keepass file - that way they have everything.

If you use your attorney (as in your example), how do they remember the password without writing it down?

The Domain Admin accounts are configured to e-mail me whenever they are used, so if they are ever used when I'm not expecting them to be, it immediately arouses my suspicion and I may go into lock-down mode.

I'd be interested in any improvements to this. I don't like writing anything down, but I just haven't figured out a way of working without it (yet) and nothing on this thread has so far demonstrated how I can get away without writing anything down.

I haven't really had any failures. Not that I'm proud of that as I think it reflects a weakness on my part in that I don't take enough risks. I'm too scared of failure to try. My grandkids will probably question why I've managed to live through not one, but two technology bubbles and still didn't make a fortune.

I've failed to take a few opportunities that I was presented with over the years that in hindsight I should have. But life looks easy with the benefit of hindsight, right?

Are you worried you'll crash or something?

I'm definitely a low energy kind of guy. I need at least 8 hours of sleep a day, and even with that, I always feel tired in the evenings.

After I've had my tea and done the washing up and a bit of housework, it's around 8pm and I never feel like doing anything more than read a book, watch the telly, or go down the pub.

I've got friends who renovate houses, do MBAs, start businesses, become Kung-Fu masters, all between the hours of 8pm and 1am. I'd love to be more productive.

Gimme some of your energy @ajstringham !

Yeah, it's not really a problem for me. Users don't have admin rights and I don't take any crap from anyone. I was just wondering how widespread the use of non-commercial licences in commercial environments is (I suspect it is very common).

Also, I don't find the software companies are always that clear on their licence terms.

It is such a common model. I guess you try and get IT pros to use the software at home, and then they like it so much they pay to use it at work.

@ajstringham said:

@Reid-Cooper said:

I think that most people are like this to some degree.

Glad to know I'm not completely crazy!

He said "to some degree". You listened to All About That Bass 200 times and ate mac and cheese four days in a row. You're definitely completely crazy.

Out of interest, what's the purpose of @mlnews exactly? ie why post links to other websites, many of which we read anyway?

I wouldn't say over. Adele, Eminem, Nora Jones, Taylor Swift, Linkin Park, Britney Spears, Coldplay. All massive and all relatively recent (this century, anyway).

Maybe you're just getting old, Scott?

@thanksajdotcom said:

Again, I like helping people. Most people view someone who constantly corrects someone as haughty or kind of a jackass. @scottalanmiller can back me up on this, but when people with my type of mind correct you, it's to benefit you.

If you look like a jackass, smell like a jackass, and sound like a jackass, guess what? You're probably a jackass. Saying "people with my type of mind" is just a cop-out, I don't know why you're name dropping Scott - I don't see him being a jackass.

@thanksajdotcom said:

I want you to understand something: the way you word things might be understood by the people you work with in India, but to the rest of the world, it just makes you look lazy or incompetent.

To you maybe. To me it makes him look like someone whose native language isn't English. Correct me if I'm wrong, but my understanding is that this is an international forum not an American one. I don't see any rules that say you have a certain level of English to post. I'm guessing you live and work somewhere where everyone speaks good English. Lucky you. I don't. His English is better than a lot of my colleagues. We just get on with it. I understand him just fine. Stop writing on behalf of "the rest of the world" - you don't represent me. I could just as easily say to you "the way you word things might be understood by the people in America, but to the rest of the world, it makes you look like a condescending jack-ass."

As someone who is hopeless at foreign languages, I'm impressed by anyone who can post in a foreign language on a forum. I know that if I posted on a French forum and there was someone like you dissing my French constantly I'd have quit ages ago, so fair play to @lakshmana for sticking with us.

PS I still love ya, AJ

@Minion-Queen said:

@thanksaj I have only seen 2 of those movies.

Me too. I guess we're all weirdos lacking social skills.

@scottalanmiller said:

NTG really isn't an MSP, we are an IT Outsourcer,

I have no idea what the difference in. From Wikipedia : "Managed services are the practice of outsourcing day-to-day management responsibilities and functions as a strategic method for improving operations and cutting expenses." That sounds like IT outsourcing to me.

Also, by "heaviest", I'm not sure whether you mean the most vegetarians, or that vegetarians in Dallas weigh more than elsewhere.

@Dashrender said:

I'm sure if I had kids, the kids surely would try to fix their own problems

Yeah, I sometimes get support calls at work from my 10 year old: "Dad, I can't get Minecraft to work". He's already better than half of my users in that he always tries turning it off and on again to see if that fixes it before bothering me with a call

Bacon cheeseburger pizza?

You Americans are all crazy!

@Dashrender said:

we try to teach them so they aren't just sitting around waiting for something to be fixed.

Sadly, I think a lot of people like sitting around waiting for something to be fixed. For them, it beats working.

@Dashrender said:

I'll agree with CB that it's likely that US Robotics did probably have some people who abused it, but it was such a low percentage that it's considered non existent.

What annoyed me was she said "zero". I get really annoyed by people treating the world as binary like that. "Employ me as an HR consultant and you will have ZERO problems". Like Scott saying "If you have any number of people taking the piss on this, you're hiring poorly." The world is not binary like that. HR in a 10,000 employee organisation is more complex. When consultants on LinkedIn or wherever makes claims like this, it just destroys their credibility in my eyes. I just think it makes them sound like snake oil salesmen.

And its unnecessary. What I'm really interested in is achieving net benefits from HR policies. For example, implementing homeworking may result in 40% of staff becoming less productive, and 60% becoming more productive. So even a massive number like that can still result in a net benefit in productivity, and make the policy worth implementing. There is no need to reduce the world to binary (ie Homeworking = Good, Officeworking - Bad) and wish people would stop doing it.

/rant

Breakdown of time:
Browsing Mangolassi: 30%
Coffee making: 10%
Discussing recent football match: 10%
Meaningless Management Meeting: 20%
IT Development: 5%
Recording Time on Time Tracking Software: 5%
General Daydreaming: 10%
Googling IT facts completely unrelated to job in order to win argument on Spiceworks: 5%
Walking to server room to carry out important task and then forgetting what task actually was: 5%
Returning to server room after you finally remembered what important task was: 5%

@Hubtech said:

as long as this isn't a mom and pop small country church....they have money, get paid, do the work, etc. etc. etc.

That's pretty much all we have in the UK. I find this thread fascinating as it the US seems to have a completely different culture around churches than Europe. I think there are a handful of evangelical American style churches that are gaining popularity here, but I've never seen one. Here, pretty much all churches are broke and rely on unpaid volunteers to survive. I guess because of that culture of complete amateurishness I'd never expect a volunteer to get yelled out - it just wouldn't happen.

@MattSpeller said:

Or they are embarrassed,

I'd say 90% of the time this is the reason. It has nothing to do with respect or thinking IT are stupid. No-one likes to admit to f[moderated]ing up.

Even me.
"Hi HP Support, our server is broken"
"Hi Carnival Boy, have you tried resetting the thingimy bit on the doo da widget device?"
"Absolutely. I mean duh...of course I have...who wouldn't...I mean....well....er.....actually, I have no idea what you are talking about. "