Ability to share one account profile for multiple users

Posted on 2004-04-09
Last Modified: 2013-12-04
I need a solution for the following scenario. We have many "robot stations" that control instruments and experiments that may take upwards of 7 days to complete. Once the machine logs off the application is ended, so the session that starts the application must remain logged in until it completes. These stations are mostly Windows 2000 Pro. Currently they are using one domain account to run the experiment. As the application runs it is not uncommon for a team of people to need access to that session from time to time to look at the screen and 'play' with the application. This worked for a while and was OK since it was a small group of people. However, now this team has increased 5-fold and there is a security problem, since the global account requires local admin rights. What we would like to do is have the ability for these machines to run these applications and have each person use their own personal global domain account to unlock the screen and show the running application.
In a nutshell: is it possible to limit the number of profile sessions on a machine to 1, but have a way for anyone with specific group membership to open and look at the original session that began, without knowledge of that original global account? Or better yet,
can we get rid of that original global account entirely and have the machine set up so that anyone in this group can begin a session that is shared with everyone else in that group?
Question by: thomburke

Expert Comment by: trywaredk
ID: 10796451
Step-by-Step Guide to Using Secondary Logon in Windows 2000 (runas.exe)
http://www.microsoft.com/windows2000/techinfo/planning/management/seclogon.asp

HOW TO Enable and Use the RunAs Command When Running Programs in Windows
http://support.microsoft.com/default.aspx?scid=kb;en-us;294676

You have to start the runas-service if you want to use runas.exe
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/windows2000/en/professional/help/sys_srv_secondary_logon.htm

Runas has several parameters:
1. Start / Run
2. Input CMD
3. Press Enter
4. Input RUNAS /?
5. Press Enter
6. --- find the parameters you want to use ---
7. Input EXIT
8. Press Enter.

Remember NOT to use runas with an administrator's logon in a batch job, because then you have to input the administrator's password, thus compromising your security.
Instead use RunAs Professional
http://www.mast-computer.de/


Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

Author Comment by: thomburke
ID: 10797698
Thank you for the effort; however, this has been explored already and is not a solution.
All team members already know the global account that is in the workstation's local admins. We were trying to find a way they didn't have to know that.
Let me try to explain this scenario with an example that may help.

MyDomain\Instrument = global domain user account with local admin privs to the workstation that must be used to start this application.
MyDomain\Tom = domain user account of team member
MyDomain\Jane - domain user account of team member

On Monday MyDomain\Instrument begins the application, which takes 5 days to finish its job and displays a bunch of graphs while it runs.
(This is usually done by the same person each time, or we can make a policy that it must be this way; as long as we are limiting knowledge of that user to a few people/managers it is acceptable).

The workstation locks.

Tuesday MyDomain\Tom needs to look into the progress of the application and hits Ctrl+Alt+Del to unlock the station; he cannot do so without


Author Comment by: thomburke
ID: 10797747
(accidentally hit submit).... to continue the example:

The workstation locks.

Tuesday MyDomain\Tom or MyDomain\Jane needs to look into the progress of the application in its original session and hits Ctrl+Alt+Del to unlock the station; they cannot do so without knowledge of the MyDomain\Instrument account password.

Right now we are exploring Terminal Services as a solution: just prohibiting the user from physically going to the workstation and making them view the MyDomain\Instrument session remotely, having the TS session start automatically with MyDomain\Instrument. However, this entails changing all workstations to Win2K


Author Comment by: thomburke
ID: 10797767
Ack I meant to say " entails changing all workstations to Win2K Server"  :-)
Your answer may work if you can explain to me how it would get by the above scenario. Perhaps we are not understanding the Runas secondary logon as much as I thought.

Best,
Tom

Author Comment by: thomburke
ID: 10797788
Addendum  we looked into Runas Professional  , management will not spend the money :-|
We are thinking this can be done with M$ native tools we already are licensed for or can buy. They are very Microsoft vanilla when it comes to solutions.

Expert Comment by: trywaredk
ID: 10800433
Any supposed solution involves the ability to do something that requires being a member of the LOCAL admin group.

And that's a security risk - I really agree with you, and I deal with that in http://www.experts-exchange.com/Security/Win_Security/Q_20576959.html

An even greater security risk is the DOMAIN admin group. Never consider this group for your question.

But there's no way out for you, you have to place your MyDomain\Instrument user in the LOCAL admin group. That's not the same as giving MyDomain\Instrument more than normal domain users permissions on your servers.

Introduction to LOCAL and DOMAIN user accounts
http://windows.about.com/library/weekly/aa010325a.htm

How to Use the Cusrmgr.exe Tool to Change Administrator Account Password on Multiple Computers
http://support.microsoft.com/default.aspx?kbid=272530

Members of the local admin group:
1. Start / Run
2. Input CMD
3. Press ENTER
4. Input NET LOCALGROUP ADMINISTRATORS
5. Press ENTER
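The NET LOCALGROUP check above, turned into a drift audit. This is an added PowerShell example, not something from the thread; the names in the approved list are placeholders for your own site. It parses the same command output and flags any member of the local Administrators group that is not on the approved list, so a station where extra accounts have crept into the group shows up instead of going unnoticed.

```powershell
# Added example (not from the thread): audit the local Administrators group of
# the station this runs on against an allow-list, using the same
# NET LOCALGROUP ADMINISTRATORS output the post above reads by hand.
# Assumption: the names in $ApprovedAdmins are placeholders for your site.
$ApprovedAdmins = @(
    'Administrator',
    'MYDOMAIN\Domain Admins',
    'MYDOMAIN\Instrument'      # the shared account the thread is about
)

function Get-LocalAdminMembers {
    # Members are printed between the dashed separator and the first blank line.
    $inList  = $false
    $members = @()
    foreach ($line in (net localgroup Administrators)) {
        if ($line -match '^-+$')  { $inList = $true; continue }
        if (-not $inList)         { continue }
        if ($line.Trim() -eq '')  { break }
        $members += $line.Trim()
    }
    return $members
}

function Test-LocalAdminDrift {
    param([string[]]$Approved)
    $members    = Get-LocalAdminMembers
    # -notcontains is case-insensitive, so MYDOMAIN\x and MyDomain\x match.
    $unexpected = @($members | Where-Object { $Approved -notcontains $_ })
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Members    = $members
        Unexpected = $unexpected
        Drifted    = ($unexpected.Count -gt 0)
    }
}

$report = Test-LocalAdminDrift -Approved $ApprovedAdmins
if ($report.Drifted) {
    Write-Warning ("{0}: unapproved local admins: {1}" -f $report.Computer, ($report.Unexpected -join ', '))
} else {
    Write-Host ("{0}: local Administrators group matches the approved list" -f $report.Computer)
}
```

Run it per station (scheduled task or Invoke-Command) and collect the returned objects centrally; the Unexpected list is what to act on.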

Expert Comment by: trywaredk
ID: 10800435
Saying that I also have to warn you ...

Why you should not run your computer as an administrator
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/windows_security_whynot_admin.htm

Remove Users from Local Admin Group
http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/21296/21296.html

Expert Comment by: trywaredk
ID: 10800440
>"However now this team has increased 5 fold"

VNC - Remote connection - (GNU General Public Licence)
http://www.uk.research.att.com/vnc/download.html

DameWare NT Utilities Information:
http://www.dameware.com/products/dntu/

30 days free trial download DameWare NT Utilities (MSI)
"The following download links are for Windows XP, Windows 2000 and Windows NT 4.0 with the Microsoft Installer installed.":
http://www.dameware.com/download/

BUT - as stated above - using these tools requires membership of the LOCAL admin group

Accepted Solution by: trywaredk (earned 250 total points)
ID: 10800445
Maybe a solution could be to create a custom GINA, but that requires that you have programming skills, to fulfil the possibility of creating your own compiled exe-program to run your "robot stations" application and have its own password screensaver, where you define what's being done.

Implement a User Based Custom Shell (Windows 2000/XP)
http://www.winguides.com/registry/display.php/849/

Replacing the Microsoft Graphical Identification and Authentication DLL (MSGINA.DLL)
http://www.microsoft.com/windows2000/docs/msgina.doc

AutoIt v3 is a free BASIC-like scripting language with compiler
http://www.hiddensoft.com/autoit3/

Expert Comment by: trywaredk
ID: 10800453
BTW - maybe the solution is simpler than that ....

Can your "robot stations"-application run without being member of the local admin group ?

If so - why not use a password-protected screensaver (without locking the computer with ctrl-alt-del)?

Screen Saver Password Protection Policy (Windows 2000/XP)
http://www.winguides.com/search.php?guide=registry&keywords=screensaver

Author Comment by: thomburke
ID: 10802001
There seems to be no "canned" secure way to share the original session among users of a common domain group without giving them access to the MyDomain\Instrument account.

I suppose I needed a second opinion, and you seem to be very knowledgeable and I trust your judgement.

Unfortunately, there is no way around the local admin rights; for lack of a better term the application is what I call "garage-ware" and is not written as client/server, which, if it were, would make this problem go away.

Here is the solution we are going to go with which essentially is a combination of policy and scripting.

1 - Each team member gets the application loaded locally.
2 - The instrument application has the ability to be paused, thereby unlocking the database files for backup.
3 - Each team member that needs to view the progress has a VBScript that copies the db to the local station and restarts the original program. The other way this could be done would be just to have the db snapshot itself to a common share somewhere on the network and send an alert to all team members with the snapshot and location at predefined intervals.
4 - The user(s) then review the data, make the fine-tuning suggestions they would like to do with the application and forward this information to the original MyDomain\Instrument user, who can then make the adjustments that need to take place or end the experiment etc...

Step 4 will be a policy they need to come up with themselves and IT will just accommodate.

I thank you for your suggestions and ability for me to bounce this around for possible solutions.  

I would like to award Jorgen Malmgren (trywaredk) the points and put this to rest.

Best,
Tom
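The "snapshot itself to a common share" variant of step 3, as an added PowerShell example; it is not the VBScript the author wrote and not part of the thread. It assumes the application has already been paused so the database files are unlocked, and the paths and group name are placeholders. The point of the ACL step is that the team group gets read-only access to the copy, so nobody needs the MyDomain\Instrument credentials, or a seat at the station, to review progress.

```powershell
# Added example (not the thread's VBScript): copy the paused instrument database
# to a share the team can read, so reviewing progress needs no shared password.
# Assumptions (placeholders): $DbPath, $ShareRoot and $TeamGroup; the
# application was paused before this runs so the files are not locked.
param(
    [string]$DbPath    = 'C:\Instrument\data',             # placeholder
    [string]$ShareRoot = '\\fileserver\instrument-snaps',  # placeholder
    [string]$TeamGroup = 'MYDOMAIN\InstrumentTeam',        # placeholder
    [int]   $Keep      = 7                                  # snapshots to retain
)

function New-DbSnapshot {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $ShareRoot "$env:COMPUTERNAME-$stamp"
    New-Item -ItemType Directory -Path $dest | Out-Null
    Copy-Item -Path (Join-Path $DbPath '*') -Destination $dest -Recurse

    # Grant the team group read-only access to this snapshot only; the live
    # database and the station itself stay untouched.
    $ruleArgs = @($TeamGroup, 'ReadAndExecute',
                  'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl  = Get-Acl -Path $dest
    $acl.AddAccessRule($rule)
    Set-Acl -Path $dest -AclObject $acl

    # Pointer file the team can poll instead of being mailed a path each time.
    Set-Content -Path (Join-Path $ShareRoot 'LATEST.txt') -Value $dest

    # Keep only the newest $Keep snapshots from this station.
    Get-ChildItem -Path $ShareRoot -Directory |
        Where-Object { $_.Name -like "$env:COMPUTERNAME-*" } |
        Sort-Object -Property Name -Descending |
        Select-Object -Skip $Keep |
        Remove-Item -Recurse -Force

    return $dest
}

New-DbSnapshot
```

Run it from a scheduled task at the chosen interval under the account that already runs the experiment; the Keep value bounds the space the share can fill.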

Expert Comment by: trywaredk
ID: 10802085
The Experts Exchange Help Pages - About Closing Questions
http://www.experts-exchange.com/Security/Win_Security/help.jsp - hi9

Expert Comment by: trywaredk
ID: 10802105
:o) Sorry - I received an email about your comment 04/11/2004 10:24PM CEST (without a message of Accepted Answer), and I posted the link to the help pages before I received the email about the Accepted Answer.

21 minutes between the 2 emails.

:o) Glad I could help you - thank you for the points

Author Comment by: thomburke
ID: 10802164
No problem, thanks for the input.
cya
Tom