I'm still in favor of them. I still want my users to bring them in and augment what I can provide for them. I still want my users to be able to work at home easily and, well, always be working. Productivity is good.
However, I forgot to tell a new part-time tech that I generally don't want them joined to our domain. Usually, it's not an issue since most consumer laptops are running some version of XP or Vista that doesn't support domain join. Joining a domain has all sorts of advantages from a setup and security perspective and just makes things easier for us as administrators.
As we know, though, once a user starts using their domain account, things just look different. It's a new account profile after all and few users know their own local passwords, let alone that of a local administrator account. As a result, when my new tech joined a user to the domain yesterday, she immediately balked at both the "misplaced" items from her profile and the new fingerprint security setting that caused her laptop to begin asking for her fingerprints (this feature had been disabled in her profile).
Fortunately my tech is a really nice guy, since when he just took her off the domain by joining her to a fake workgroup, she was completely unable to recall any passwords (she had just been clicking on her user icon with the Windows Welcome Screen) and was locked out of her machine.
Which leads me to the real point of this article: for anyone who has never used it, there is an incredibly slick, free Linux boot disk that reads from the Windows registry, detects user accounts, and then allows password changes without affecting anything else on the computer. The utility is available here:
This may be old hat for some of you, but for anyone who's wiped out a hard drive just to get the system functional after losing a password, it's one heck of a useful little utility.