Users logging off other users

November 17, 2004 11:45:02 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I'm using a 2000 SP4 Server using XP SP2 Professional clients. When staff
logon, their desktop locks after 5 minutes of inactivity. A pupil however can
enter their username and password and force the staff user to logoff.

How can I enforce a policy whereby pupils cannot force a staff user to
logoff and that only an administrator or the user themselves can unlock the
workstation?

Staff and pupils are currently not part of the administrator group, but only
their own group and domain users.

Many thanks

Anonymous
November 18, 2004 12:37:34 AM

Exactly how are they causing the staff to logoff?? That would either require
local administrator credentials or they are simply rebooting the
computers. --- Steve


"Mike" <Mike@discussions.microsoft.com> wrote in message
news:9A9DF1D7-0CDA-4A7E-80B9-1199262C5AA3@microsoft.com...
> I'm using a 2000 SP4 Server using XP SP2 Professional clients. When staff
> logon, their desktop locks after 5 minutes of inactivity. A pupil however
> can enter their username and password and force the staff user to logoff.
>
> How can I enforce a policy whereby pupils cannot force a staff user to
> logoff and that only an administrator or the user themselves can unlock
> the workstation.
>
> Staff and pupils are currently not part of the administrator group, but
> only their own group and domain users.
>
> Many thanks

November 18, 2004 6:12:02 AM

Yes they are set up as local admins through the MMC console. This is so their
desktop appears correctly. Is there no way I can deny pupils to logoff staff?
Anonymous
November 18, 2004 8:59:04 PM

Hello Mike,

If your users are local admins they will be able to control the
workstations regardless of policy or other mitigations. You may need to
address the issue that causes their desktops to not display properly if
they are not admins. We can assist if you could provide more details.

What exactly does not display properly if they are not local admins?


This posting is provided "AS IS" with no warranties, and confers no rights.
Anonymous
November 19, 2004 1:25:55 AM

As long as they are local administrators there will be no technical way to
prevent them from logging off other users. The solution would be to look at
ways to not make them local administrators. Often applications can have
permissions modified for NTFS or the registry to allow users to run non
Windows 2000 compliant applications. Maybe power users would also work for
the user? If there seems to be no way then implement a user policy that
restricts what a user can do. You can implement auditing of account
management and logon events to see exactly what users are doing what if you
need to enforce written user policy. If you do implement written user policy
have each user sign a copy for their files and give them a copy for their
personal possession. --- Steve


"Mike" <Mike@discussions.microsoft.com> wrote in message
news:0A6DB247-0AF5-4C05-BD97-A63E449A460F@microsoft.com...
> Yes they are setup as local admins through the MMC console. This is so
> their desktop appears correctly. Is there no way I can deny pupils to
> logoff staff?
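
Added example, not part of the original thread: because membership of the local Administrators group is what allows one user to log off another here, this Python script parses the English-locale output of `net localgroup Administrators` saved from each workstation and reports any member outside an allowlist. The domain name SCHOOL, the host names, the Students group and the allowlist are assumptions, and the sample output is constructed.

```python
# Audit local Administrators membership from saved `net localgroup` output.
# Assumed policy: only these accounts may be local administrators.
ALLOWED = {"administrator", "school\\domain admins"}
FOOTER = "The command completed successfully."  # English-locale footer


def parse_members(output):
    """Return the member names printed by `net localgroup <group>`."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if not in_list:
            # The member list starts after the row of dashes.
            in_list = bool(line) and set(line) == {"-"}
            continue
        if line.startswith(FOOTER):
            break
        if line:
            members.append(line)
    return members


def unexpected_admins(output, allowed=ALLOWED):
    """Members not on the allowlist, compared case-insensitively."""
    return [m for m in parse_members(output) if m.lower() not in allowed]


def audit(samples):
    """Map each host to its unexpected local administrators, if any."""
    findings = {}
    for host, output in samples.items():
        extra = unexpected_admins(output)
        if extra:
            findings[host] = extra
    return findings


HEADER = (
    "Alias name     Administrators\n"
    "Comment        Administrators have complete and unrestricted access\n"
    "\nMembers\n\n" + "-" * 79 + "\n"
)
# Constructed sample output; SCHOOL, host and group names are hypothetical.
SAMPLES = {
    "ROOM1-PC01": HEADER + "Administrator\nSCHOOL\\Domain Admins\n"
                  "SCHOOL\\Students\n" + FOOTER + "\n",
    "ROOM1-PC02": HEADER + "Administrator\nSCHOOL\\Domain Admins\n"
                  + FOOTER + "\n",
}

if __name__ == "__main__":
    for host, extra in audit(SAMPLES).items():
        print(host, "unexpected local admins:", ", ".join(extra))
```
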
November 19, 2004 3:49:09 AM

Thank you for both your replies! On a few workstations I moved the Student
group from local admins to local power users - and this did stop pupils
logging off locked staff workstations. However, the pupils' desktop and start
menu are controlled via Folder Redirection in Active Directory to standardise
the appearance and applications available to pupils.

I have specified certain folders and shortcuts to appear and want pupils to
use the classic start menu. When I move the student group to the local power
users group, the start menu appears as the new XP one (just like Windows
Server 2003's start menu) and the incorrect icons are appearing on the
desktop.
By returning the student group back into local admins - the start menu and
desktop appear correctly. Many thanks!
Anonymous
November 19, 2004 9:29:20 PM

Hi Mike.

It sounds like you have permissions problems with folder redirection. Check
the permissions to make sure that the user has proper permissions to the
items in question. I have not used folder redirection a lot - particularly
with start menu. You might want to post in the win2000.setup_deployment
group explaining your problem to see if anyone can help you over there with
correct permissions or other alternatives. --- Steve


"Mike" <Mike@discussions.microsoft.com> wrote in message
news:2C45F7CC-B907-4F3E-9D23-F15E2521CFC3@microsoft.com...
> Thank you for both your replies! On a few workstations I moved the Student
> group from local admins to local power users - and this did stop pupils
> logging off locked staff workstations. However, the pupils desktop and
> start menu is controlled via Folder Redirection in Active Directory to
> standardise the appearance and applications available to pupils.
>
> I have specified certain folders and shortcuts to appear and want pupils
> to use the classic start menu. When I move the student group to the local
> power users group, the start menu appears as the new XP one (just like
> Windows Server 2003's start menu) and the incorrect icons are appearing on
> the desktop.
> By returning the student group back into local admins - the start menu and
> desktop appear correctly. Many thanks!