Tom's Hardware > Forum > Windows XP > Security Admin > Allow regular user to unlock screensaver locked computer

Allow regular user to unlock screensaver locked computer

Forum Windows XP : Security Admin - Allow regular user to unlock screensaver locked computer

Tom's Hardware: Over 1.4 million members in 6 different countries available to answer all your high-tech questions. Sign up now! Its free!
Ask the community Add a reply
Word :    Username :           
 
MartyG   05-05-2008 at 05:26:39 PM

We have the problem that in a multiuser environment users either lock their computers, or have the screensaver automatically lock it, and leave the workstation. As a result, nobody else can use that computer. By default, only the current user or an adminstrator can unlock the computer. I would like to allow select users who don't have administrator access to unlock the computer.

Is there a group policy or Windows Security setting that would allow some of my users (i.e. non administators) to unlock a workstation?

So far all I can find is a third party application ( Unlock Administrator http://www.e-motional.com/ULAdmin.htm ) This program seems to do the trick but I obviously would prefer to do this through GP.

Note: I don't want to let just anyone to unlock the computer - I want to be able to select only some users.

Any suggestions?

Add a reply
Sponsored Links
Register or log in to remove.
Murissokah   05-05-2008 at 07:00:14 PM
- 0 +

Is taking away the screensaver and setting auto-log-off an option?

Reply to Murissokah
4745454b   05-05-2008 at 07:48:33 PM
- 0 +

If your willing to allow them to unlock the computer, is there a reason why you can't bump these "select few" up to admin status?

------------------------------ The voice of REASON
Do NOT feed the TROLLS!
Always a DEMON!
 Reply to 4745454b
boonality   05-05-2008 at 08:09:02 PM
- 0 +

That's a tough one. The best method to deploy through GP might be to set workstations to log users off after say 30 minutes of inactivity.

4745454b, that is a very bad idea in most environments.

------------------------------ Exchange Engineer - Why is it that when DNS goes down everyone thinks it's my exchange server?

Oh ya, email is the heart of work.
 Reply to boonality
Kaldor   05-05-2008 at 08:22:08 PM
- 0 +

My AD stuff is a little fuzzy. But couldn't you build a user profile that would have rights to do this stuff, like a superuser account? Another possibility is to give say the supervisor a regular production login and a admin login. This is a viable option, because you can track exactly what that admin login is doing easily. We use this system at work on the helpdesk for level 1 and 2 support. I have a regular login, and an admin login. I do 90% of my work in regular production, but can remote in and do lots of other stuff using my admin account using a "run as admin" program if need be.

Reply to Kaldor
4745454b   05-05-2008 at 08:56:33 PM
- 0 +

Quote :

4745454b, that is a very bad idea in most environments.



No worse then what he wants already. If you trust them enough to give them the ability to unlock a computer, why not go all the way? Even if there was a way to do what the OP wants, harm could still come. Are these select few trusted or not?

------------------------------ The voice of REASON
Do NOT feed the TROLLS!
Always a DEMON!
 Reply to 4745454b
boonality   05-05-2008 at 09:58:14 PM
- 0 +

When someone has that ability, all it does is log off the previous user. It does not grant them any access.

Message quoted 1 times
------------------------------ Exchange Engineer - Why is it that when DNS goes down everyone thinks it's my exchange server?

Oh ya, email is the heart of work.
 Reply to boonality
uguv   05-05-2008 at 10:17:56 PM
- 0 +

I don't think that's a GPO setting. The closest I can find is to force logoff after so many minutes idle. There's always the old "cold boot" method!

Reply to uguv
zenmaster   05-05-2008 at 10:24:36 PM
- 0 +

You need to use a 3rd party solution (That is why it exists) or try one of the other solutions mentioned. Such as making them an administrator or enabling some type of auto-logoff function. I believe MS even has a screen-saver that will do that function.

Message quoted 1 times
------------------------------ If its good in theory but not in practice,
its not good theory.
 Reply to zenmaster
zenmaster   05-05-2008 at 10:28:15 PM
- 0 +

And the idea of giving admin rights to a PC is not necessarily bad.

There are many views on the topic and often depends on how you have your stuff setup.

I know someplaces who give eveyone admin rights, but anytime there is an issue they just blow down a new image remotely in about 10minutes that is customized with their software and their personal configurations.

I know other places that lock it down tight so that the machines rarely break and never need imaging.

Heck some places even have a Read/Only Local Drive with the device being primarily a "Terminal" device.

------------------------------ If its good in theory but not in practice,
its not good theory.
 Reply to zenmaster
4745454b   05-05-2008 at 10:35:45 PM
- 0 +

boonality wrote :

When someone has that ability, all it does is log off the previous user. It does not grant them any access.



I knew that was true for my home machines, I wasn't sure if it would be different with a Domain server. (I didn't think it would, but I didn't want to say something and look like an idiot.) When the admin puts in his password, it logs the current user out, then logs into the admin account.

------------------------------ The voice of REASON
Do NOT feed the TROLLS!
Always a DEMON!
 Reply to 4745454b
MartyG   05-06-2008 at 08:34:20 PM
- 0 +

zenmaster wrote :

You need to use a 3rd party solution (That is why it exists) or try one of the other solutions mentioned. Such as making them an administrator or enabling some type of auto-logoff function. I believe MS even has a screen-saver that will do that function.




So far the best solution would be to automatically log the user off. Unfortunately, if the same user returns, their session is lost.

I have seached for an MS screensaver that allows you to unlock other users and can't find one. I have only found WinExit.

Thanks to all for all of you helpful feedback.

Reply to MartyG
hollett   05-08-2008 at 10:58:26 PM
- 0 +

We have toyed with a similar problem for a while.

Our solution was to give the call centre supervisors a second account so a user called USER1234 also has a second account called USER1234a the second account is in a domain group that is a member of the local admin group but also denied access to interactive logons.

The result of this was to enable the users to log people off using the 'admin' account but not allow them to log on with the account and do any damage.

Reply to hollett
rgarito   07-15-2009 at 06:35:30 PM
- 0 +

I know this is an old thread, but I have found a solution in a third-party screen saver specifically designed for this purpose.

Screen Pass:
[url=https://mmm1408.sanjose14-verio.com/bgrove/workstation-lock-autologoff/enforced-desktop-lock.htm][/url]

Amongst other features, it supports administrative unlock (vs logout), timed logout, group policy administration, select users being able to unlock (vs logout) via active directory groups, etc.

We have been testing this with a few of our clients and it looks really good....

Reply to rgarito
Ask the community Add a reply
Tom's Hardware > Forum > Windows XP > Security Admin > Allow regular user to unlock screensaver locked computer
Go to:

There are 1281 identified and unidentified users. To see the list of identified users, Click here.

Forum map
Bestofmedia Forum ©
2000-2009 Bestofmedia Group
Page generated in 0.459 seconds
Sponsored links
  • Ask the community now
  • Publish
Ad
Related Topics
See all relatives topics
They won a badge
Join us in greeting them