These threads are always coming up on Spiceworks and I've contributed to a few myself, without getting any satisfactory replies. I sit on the opposite side of the fence here. I sometimes ask users for their passwords. Let this be the thread that you all convince me to change my ways!
Firstly, what's the risk? I've heard people say it weakens any case at an employment tribunal, because the defendant can argue that the IT guy could have used his login credentials to somehow frame him. As the single IT guy for my organisation, I don't buy this. If I wanted to frame someone, there are plenty of ways I could do it. I could just manipulate log files. So the defence goes from "he could have used my login credentials to frame me" to "he could have manipulated the log files to frame me". There are huge amounts of trust in me implied in my position. The situation changes once a company employs two IT people. It would be much harder to frame someone if there was another technical guy here overseeing my work. So I can see why practices change for larger organisations.
I've heard people say it is unnecessary because everything can be achieved via things like PowerShell and the Office Customisation Tool. People say I'm not qualified to be an IT Admin if I can't use these tools. I'd partially agree with that - I'm not an IT Admin, nor do I want to be. I don't have the time or inclination to learn PowerShell in detail. Also, the Office Customisation Tool is only available with Volume Licences and we use OEM & Retail. Now I'll overcome these obstacles if the risk is high enough (I'm not completely lazy!), but again, what's the risk?
People say writing user passwords down is insecure. Well, I write them down in the same place I write the Domain Admin password, so that is irrelevant. If someone hacked into my KeePass database, getting hold of user passwords is the least of our worries.
Now, let's say you convince me of the risks. This brings me to the big problem I have with resetting a user password. People say "just reset it and let them know what it is and force them to change it when they log on." OK, how do I let them know? Some people say e-mail it to them. How do they get their e-mail if their password has been reset? Some people say leave a note. Is that really more secure? A domain password left on a desk for everyone, including the cleaners, to see and use? Really, that's more secure? If I could just tell them, that would be fine. But I only use their password because they're not around. If they were around, I'd get them to log on for me, so this wouldn't be an issue.
Convince me, Mangos. And I need better arguments than just "it's crazy" or "it's poor practice".