Sign in with
Sign up | Sign in
Your question

Allow regular user to unlock screensaver locked computer

Last response: in Windows XP
Share
May 5, 2008 3:26:39 PM

We have the problem that in a multiuser environment users either lock their computers, or have the screensaver automatically lock it, and leave the workstation. As a result, nobody else can use that computer. By default, only the current user or an adminstrator can unlock the computer. I would like to allow select users who don't have administrator access to unlock the computer.

Is there a group policy or Windows Security setting that would allow some of my users (i.e. non administators) to unlock a workstation?

So far all I can find is a third party application ( Unlock Administrator http://www.e-motional.com/ULAdmin.htm ) This program seems to do the trick but I obviously would prefer to do this through GP.

Note: I don't want to let just anyone to unlock the computer - I want to be able to select only some users.

Any suggestions?
May 5, 2008 5:00:14 PM

Is taking away the screensaver and setting auto-log-off an option?
May 5, 2008 5:48:33 PM

If your willing to allow them to unlock the computer, is there a reason why you can't bump these "select few" up to admin status?
Related resources
May 5, 2008 6:09:02 PM

That's a tough one. The best method to deploy through GP might be to set workstations to log users off after say 30 minutes of inactivity.

4745454b, that is a very bad idea in most environments.
May 5, 2008 6:22:08 PM

My AD stuff is a little fuzzy. But couldn't you build a user profile that would have rights to do this stuff, like a superuser account? Another possibility is to give say the supervisor a regular production login and a admin login. This is a viable option, because you can track exactly what that admin login is doing easily. We use this system at work on the helpdesk for level 1 and 2 support. I have a regular login, and an admin login. I do 90% of my work in regular production, but can remote in and do lots of other stuff using my admin account using a "run as admin" program if need be.
May 5, 2008 6:56:33 PM

Quote:
4745454b, that is a very bad idea in most environments.


No worse then what he wants already. If you trust them enough to give them the ability to unlock a computer, why not go all the way? Even if there was a way to do what the OP wants, harm could still come. Are these select few trusted or not?
May 5, 2008 7:58:14 PM

When someone has that ability, all it does is log off the previous user. It does not grant them any access.
May 5, 2008 8:17:56 PM

I don't think that's a GPO setting. The closest I can find is to force logoff after so many minutes idle. There's always the old "cold boot" method!
May 5, 2008 8:24:36 PM

You need to use a 3rd party solution (That is why it exists) or try one of the other solutions mentioned. Such as making them an administrator or enabling some type of auto-logoff function. I believe MS even has a screen-saver that will do that function.
May 5, 2008 8:28:15 PM

And the idea of giving admin rights to a PC is not necessarily bad.

There are many views on the topic and often depends on how you have your stuff setup.

I know someplaces who give eveyone admin rights, but anytime there is an issue they just blow down a new image remotely in about 10minutes that is customized with their software and their personal configurations.

I know other places that lock it down tight so that the machines rarely break and never need imaging.

Heck some places even have a Read/Only Local Drive with the device being primarily a "Terminal" device.
May 5, 2008 8:35:45 PM

boonality said:
When someone has that ability, all it does is log off the previous user. It does not grant them any access.


I knew that was true for my home machines, I wasn't sure if it would be different with a Domain server. (I didn't think it would, but I didn't want to say something and look like an idiot.) When the admin puts in his password, it logs the current user out, then logs into the admin account.
May 6, 2008 6:34:20 PM

zenmaster said:
You need to use a 3rd party solution (That is why it exists) or try one of the other solutions mentioned. Such as making them an administrator or enabling some type of auto-logoff function. I believe MS even has a screen-saver that will do that function.



So far the best solution would be to automatically log the user off. Unfortunately, if the same user returns, their session is lost.

I have seached for an MS screensaver that allows you to unlock other users and can't find one. I have only found WinExit.

Thanks to all for all of you helpful feedback.
May 8, 2008 8:58:26 PM

We have toyed with a similar problem for a while.

Our solution was to give the call centre supervisors a second account so a user called USER1234 also has a second account called USER1234a the second account is in a domain group that is a member of the local admin group but also denied access to interactive logons.

The result of this was to enable the users to log people off using the 'admin' account but not allow them to log on with the account and do any damage.
July 15, 2009 4:35:30 PM

I know this is an old thread, but I have found a solution in a third-party screen saver specifically designed for this purpose.

Screen Pass:


Amongst other features, it supports administrative unlock (vs logout), timed logout, group policy administration, select users being able to unlock (vs logout) via active directory groups, etc.

We have been testing this with a few of our clients and it looks really good....
February 10, 2012 6:28:01 PM

MartyG said:
We have the problem that in a multiuser environment users either lock their computers, or have the screensaver automatically lock it, and leave the workstation. As a result, nobody else can use that computer. By default, only the current user or an adminstrator can unlock the computer. I would like to allow select users who don't have administrator access to unlock the computer.

Is there a group policy or Windows Security setting that would allow some of my users (i.e. non administators) to unlock a workstation?

So far all I can find is a third party application ( Unlock Administrator http://www.e-motional.com/ULAdmin.htm ) This program seems to do the trick but I obviously would prefer to do this through GP.

Note: I don't want to let just anyone to unlock the computer - I want to be able to select only some users.

Any suggestions?



This is now an ancient thread, but would this work?:

I have not tried this, but it might be worth testing.
Create a local user and give it admin rights. Then in group policy, under User Rights, deny the account from logging on locally.
Share this account, so someone could use it to log off the current user, but not actually log on with admin rights.
Then the user could logon with their own account.
thoughts?
!