This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 23%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI%3C/text%3E%3C/svg%3E)
Hi,
We have always been going with static password and never changed a user's password. I know this is one of the most wrong and dangerous practice but this is how the management wanted it to be. Now we got the go ahead to change the password every 2 months.
We also keep the passwords for all the users so that we can log in as the user when need be to troubleshoot.
My questions are as follows:
(1)If we allow the user to change the password, how can we log in as the user to trouble shoot?
(2)Is it legal to keep the users credentials ?
Just wanted to add that we are using Exchange
Thanks
Tazio
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 22%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKY%3C/text%3E%3C/svg%3E)
Hi Tazio,
Agree with Andy, this question doesn't have much to do with Exchange.
For security reasons, please consider using multi-factor authentication as Andy suggested.
(1)If we allow the user to change the password, how can we log in as the user to trouble shoot?
Is there a detailed scenario?
If you would like to log in as the user, you may assign full access permission to another mailbox which is used for management.
Please refer to this link: Manage permissions for recipients
Hi @IT_RACK5500
I am writing here to confirm with you how thing going now?
If you need further help, please provide more detailed information, so that we can give more appropriate suggestions.
Not ever changing a user's password is not an issue. And changing the password every two months doesn't protect you.
Not using multi-factor authentication is a problem and should be where your focus should be:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted
If you aren't using Azure, consider a hybrid solution with Azure or a third party solution
This isnt really an Exchange issue however.
There is absolutely no reason to keep any user credentials. Has nothing to do with legality, there is simply no reason to do this.
If you need to troubleshoot a users mailbox, an admin can give yourself permission to it:
Personally, I would never work for a company that required me to provide my password to them.
Thanks a lot for your answers
Tazio