Users logging off other users

Archived from groups: microsoft.public.win2000.security (More info?)

I'm using a 2000 SP4 Server using XP SP2 Professional clients. When staff
logon, their desktop locks after 5 minutes of inactivity. A pupil however can
enter their username and password and force the staff user to logoff.

How can I enforce a policy whereby pupils cannot force a staff user to
logoff and that only an administrator or the user themselves can unlock the
workstation.

Staff and pupils are currently not part of the administrator group, but only
their own group and domain users.

Many thanks
6 answers Last reply
More about users logging users
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    Exactly how are they causing the staff to logoff?? That would either require
    local administrator credentials or they are simply rebooting the
    omputers. --- Steve


    "Mike" <Mike@discussions.microsoft.com> wrote in message
    news:9A9DF1D7-0CDA-4A7E-80B9-1199262C5AA3@microsoft.com...
    > I'm using a 2000 SP4 Server using XP SP2 Professional clients. When staff
    > logon, their desktop locks after 5 minutes of inactivity. A pupil however
    > can
    > enter their username and password and force the staff user to logoff.
    >
    > How can I enforce a policy whereby pupils cannot force a staff user to
    > logoff and that only an administrator or the user themselves can unlock
    > the
    > workstation.
    >
    > Staff and pupils are currently not part of the administrator group, but
    > only
    > their own group and domain users.
    >
    > Many thanks
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Yes they are setup as local admins through the MMC console. This is so their
    desktop appears correctly. Is there no way I can deny pupils to logoff staff?
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Hello Mike,

    If your users are local admins they will be able to control the
    workstations regardless of policy or other mitigations. You may need to
    address the issue that causes thier desktops to not display properly if
    they are not admins. We ca assist if you could provide more details.

    What exactly does not display properly if they are not local admins?


    This posting is provided "AS IS" with no warranties, and confers no rights.
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    As long as they are local administrators there will be no technical way to
    prevent them to logging off other users. The solution would be to look at
    ways to not make them local administrators. Often applications can have
    permissions modified for ntfs or the registry to allow users to run non
    Windows 2000 compliant applications. Maybe power users would also work for
    the user? If there seems to be no way then implement a user policy that
    restricts what a user can do. You can implement auditing of account
    management and logon events to see exactly what users are doing what if you
    need to enforce written user policy. If you do implement written user policy
    have each user sign a copy for their files and give them a copy for their
    personal possession. --- Steve


    "Mike" <Mike@discussions.microsoft.com> wrote in message
    news:0A6DB247-0AF5-4C05-BD97-A63E449A460F@microsoft.com...
    > Yes they are setup as local admins through the MMC console. This is so
    > their
    > desktop appears correctly. Is there no way I can deny pupils to logoff
    > staff?
  5. Archived from groups: microsoft.public.win2000.security (More info?)

    Thank you for both your replies! On a few workstations I moved the Student
    group from local admins to local power users - and this did stop pupils
    logging off locked staff workstations. However, the pupils desktop and start
    menu is controlled via Folder Redirection in Active Directory to standardise
    the appearance and applications available to pupils.

    I have specified certain folders and shortcuts to appear and want pupils to
    use the classic start menu. When I move the student group to the local power
    users group, the start menu appears as the new XP one (just like Windows
    Server 2003's start menu) and the incorrect icons are appearing on the
    desktop.
    By returning the student group back into local admins - the start menu and
    desktop appear correctly. Many thanks!
  6. Archived from groups: microsoft.public.win2000.security (More info?)

    Hi Mike.

    It sounds like you have permissions problems with folder redirection. Check
    the permissions to make sure that the user has proper permissions to the
    items in question. I have not used folder direction a lot - particularly
    with start menu. You might want to post in the win2000.setup_deployment
    group explaining your problem to see if anyone can help you over there with
    correct permissions or other alternatives. . --- Steve


    "Mike" <Mike@discussions.microsoft.com> wrote in message
    news:2C45F7CC-B907-4F3E-9D23-F15E2521CFC3@microsoft.com...
    > Thank you for both your replies! On a few workstations I moved the Student
    > group from local admins to local power users - and this did stop pupils
    > logging off locked staff workstations. However, the pupils desktop and
    > start
    > menu is controlled via Folder Redirection in Active Directory to
    > standardise
    > the appearance and applications available to pupils.
    >
    > I have specified certain folders and shortcuts to appear and want pupils
    > to
    > use the classic start menu. When I move the student group to the local
    > power
    > users group, the start menu appears as the new XP one (just like Windows
    > Server 2003's start menu) and the incorrect icons are appearing on the
    > desktop.
    > By returning the student group back into local admins - the start menu and
    > desktop appear correctly. Many thanks!
Ask a new question

Read More

Windows