See When A User's Password Was Set?


Redhatcc

We have a customer that got her computer back from our store, she waits a week and comes back in...

"My husband said there is a password on the computer, and we did not set it you guys did"

Well, we never set a password on a machine when we reload it, period, and if we did, why would we?

Anyways, I know how to remove the password but is there ANY way I can get some proof that we did not set the password? Such as a date or time the password was set? Or maybe the password itself is her husband's name with a number behind it, something we did not know and could not have set up?

Any ideas on defending our case?


Event Viewer > Security?
Ayup, that should do it.

If they have logging off (i.e. No events in Security Log at all), might be a little harder to track down. Most home users would not know how to do that so probably non-issue.

EDIT: Only mentioned because when I searched my XP VM log files, they were empty. Changed passwords, still no log entry. Don't even remember disabling it. But the VM runs really fast. No Pagefile either.

Edited by MrJinje

This is why we used to always document EVERY step done during a repair or reload, no matter how mundane, and get the user to review it and sign off on it. They rarely understood what it was, but we would explain that it was like getting auto repairs or regular maintenance done - it was always better to document everything that was done (I don't mean the "clicked here, did that" sort of thing but the "changed password" or "reset account" sort of steps) and have it reviewed by someone else when completed (in house) and then have the customer sign-off when payment was tendered and the machine returned. That way when they come back in a week, I have a signed copy of the bill of work that says what was and WASN'T done - if a password reset or set wasn't in the list, and there's a password, I'm not only off the hook but I've got some questions they need to answer.

As to proof, if you have security auditing enabled (and I believe things like that are enabled by default since XPSP2) you should be able to go into the security event log and get some indication of WHEN it was done. You probably won't get the why as verbose audit logging is definitely not on by default, but assuming someone changed it post reload it should be logged as previous posters have mentioned.

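The check suggested in the replies above, as an added example that is not part of the original thread: it reads when the account's current password was set and lists the matching Security log events. It assumes Windows Vista or later (for `Get-WinEvent`) and an elevated prompt; the account name and return date are hypothetical placeholders.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
param(
    [string]$UserName   = 'Owner',              # hypothetical local account name
    [datetime]$Returned = '2010-03-01 17:00'    # hypothetical: when the PC left the shop
)

# 1. The local account database stores the password age in seconds;
#    the WinNT ADSI provider exposes it as PasswordAge.
$account = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
$ageSec  = $account.PasswordAge.Value
if ($null -eq $ageSec) { throw "Cannot read local account '$UserName'." }
$lastSet = (Get-Date).AddSeconds(-[int]$ageSec)

# 2. Security log: 4723 = password change attempt, 4724 = password reset attempt.
#    (Windows XP logs these as 627 and 628, readable in Event Viewer.)
#    An empty result means auditing was off or the log has been cleared.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724 } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Read the named fields from the event XML instead of relying on field order.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -eq $UserName) {
        New-Object psobject -Property @{
            Time   = $e.TimeCreated
            Id     = $e.Id
            By     = $data['SubjectUserName']   # account that performed the change
            Target = $data['TargetUserName']    # account whose password changed
        }
    }
}

# 3. Report: compare the stored timestamp with the date the machine was returned.
"Password for '$UserName' last set: $lastSet"
if ($lastSet -gt $Returned) {
    "  -> set AFTER the machine was returned ($Returned)"
} else {
    "  -> set on or before the return date ($Returned)"
}

if ($hits) {
    $hits | Sort-Object Time | Format-Table Time, Id, By, Target -AutoSize
} else {
    'No matching password change/reset events in the Security log.'
}
```

Run it before removing or resetting the password, because a reset overwrites the stored timestamp. Both the timestamp and the event times depend on the machine's clock having been correct.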

Or maybe the password itself is her husband's name with a number behind it, something we did not know and could not have set up?

Why not use ophcrack to decode the password. That way you can check to see if it's the husband's name, etc.

Edited by graysky

Why not use ophcrack to decode the password. That way you can check to see if it's the husband's name, etc.

Yeah, this would be my choice too. The guy is obviously not a genius (he changed it and then forgot it), so the password can't be too complex. I'd laugh my a** off if it was something like their wedding anniversary or his secretary's name, so it'd be worth the time spent decoding it.
