thomburke
asked on
Ability to share one account profile for multiple users
I need a solution for the following scenario. We have many "robot stations" that control instruments and experiments that may take in upwards of 7 days to complete. Once the machine logs off the application is ended so the session that starts the application must remain logged in until it completes. These stations are mostly Windows 2000 Pro. Currently they are using one domain account to run the experiment. As the application runs it is not uncommon for a team of people to need access that session from time to time and look at the screen and 'play' with the application. This worked for a while and was ok since it was a small group of people. However now this team has increased 5 fold and there is now a security problem since global account requires local admin rights. What we like to do is have the ability for these machines to run these applications and have each person use thier own personal global domain account to unlock the screen and show the running application.
In a nutshell is it possible to limit the number of profile sessions on a machine to 1 but have a way that if anyone with specific group membership can open and look at the original session that began without knowledge of that original global account. Or better yet,
can we get rid of that original global account entirely and have the machine setup so that anyone in this group can begin a session that shares with everyone else in that group?
In a nutshell is it possible to limit the number of profile sessions on a machine to 1 but have a way that if anyone with specific group membership can open and look at the original session that began without knowledge of that original global account. Or better yet,
can we get rid of that original global account entirely and have the machine setup so that anyone in this group can begin a session that shares with everyone else in that group?
ASKER
Thank you for the effort however this has been explored already and is not a solution.
All team members already know the global accout that is in the workstations local admins. We were trying to find a way they didn't have to know that.
Let me try to explain this scenario with an example that may help.
MyDomain\Instrument = global domain user account with local admin privs to the workstation that must be used to start this application.
MyDomain\Tom = domain user account of team member
MyDomain\Jane - domain user account of team member
On Monday MyDomain\Instrument begins the application that takes 5 days to finish it's job and displays a bunch of graphs while it runs.
(This is usually done by same person each time, or can make policy that must be this way as long as we are limiting the knowledge of that user to a few people/managers it is acceptable).
The workstation locks.
Tuesday MyDomain\Tom needs to look into the progress of the application hits Cntrl+Alt+Del to unlock station, he cannot do so without
All team members already know the global accout that is in the workstations local admins. We were trying to find a way they didn't have to know that.
Let me try to explain this scenario with an example that may help.
MyDomain\Instrument = global domain user account with local admin privs to the workstation that must be used to start this application.
MyDomain\Tom = domain user account of team member
MyDomain\Jane - domain user account of team member
On Monday MyDomain\Instrument begins the application that takes 5 days to finish it's job and displays a bunch of graphs while it runs.
(This is usually done by same person each time, or can make policy that must be this way as long as we are limiting the knowledge of that user to a few people/managers it is acceptable).
The workstation locks.
Tuesday MyDomain\Tom needs to look into the progress of the application hits Cntrl+Alt+Del to unlock station, he cannot do so without
ASKER
(accidently hit submit).... to continue example:
The workstation locks.
Tuesday MyDomain\Tom or MyDomain\Jane needs to look into the progress of the application in its original session and hits Cntrl+Alt+Del to unlock station, they cannot do so without knowledge of the MyDomain\Instrument account password.
Right now we are exploring Terminal Services as a solution. Making just prohibiting the user from physically going to the workstation and making them view the MyDomain\Instrument session remotely having the TS session start automatically with MyDomain\Instrument however this entails changing all workstations to Win2K
The workstation locks.
Tuesday MyDomain\Tom or MyDomain\Jane needs to look into the progress of the application in its original session and hits Cntrl+Alt+Del to unlock station, they cannot do so without knowledge of the MyDomain\Instrument account password.
Right now we are exploring Terminal Services as a solution. Making just prohibiting the user from physically going to the workstation and making them view the MyDomain\Instrument session remotely having the TS session start automatically with MyDomain\Instrument however this entails changing all workstations to Win2K
ASKER
Ack I meant to say " entails changing all workstations to Win2K Server" :-)
Your answer may work if you can explain to me how it would get by the above scenario. Perhaps we am not understanding the Runas secondary logon as much as I thought.
Best,
Tom
Your answer may work if you can explain to me how it would get by the above scenario. Perhaps we am not understanding the Runas secondary logon as much as I thought.
Best,
Tom
ASKER
Addendum we looked into Runas Professional , management will not spend the money :-|
We are thinking this can be done with M$ native tools we already are licensed for or can buy. They are very Microsoft vanilla when it comes to solutions.
We are thinking this can be done with M$ native tools we already are licensed for or can buy. They are very Microsoft vanilla when it comes to solutions.
Any supposed solution involves the ability to do something that requires to be member of the LOCAL admin group.
And that's a security risk - I really agree with you, and I deals with that in https://www.experts-exchange.com/questions/20576959/Domain-Users-in-Local-Admin-Group.html
An even greater security risk is the DOMAIN admin group. Never consider this group for your question.
But there's no way out for you, you have to place your MyDomain\Instrument user in the LOCAL admin group. That's not the same as giving MyDomain\Instrument more than normal domain users permissions on your servers.
Introduction to LOCAL and DOMAIN user accounts
http://windows.about.com/library/weekly/aa010325a.htm
How to Use the Cusrmgr.exe Tool to Change Administrator Account Password on Multiple Computers
http://support.microsoft.com/default.aspx?kbid=272530
members of the local admin group
1. Start / Run
2. Input CMD
3. Press ENTER
4. Input NET LOCALGROUP ADMINISTRATORS
5. Press ENTER
And that's a security risk - I really agree with you, and I deals with that in https://www.experts-exchange.com/questions/20576959/Domain-Users-in-Local-Admin-Group.html
An even greater security risk is the DOMAIN admin group. Never consider this group for your question.
But there's no way out for you, you have to place your MyDomain\Instrument user in the LOCAL admin group. That's not the same as giving MyDomain\Instrument more than normal domain users permissions on your servers.
Introduction to LOCAL and DOMAIN user accounts
http://windows.about.com/library/weekly/aa010325a.htm
How to Use the Cusrmgr.exe Tool to Change Administrator Account Password on Multiple Computers
http://support.microsoft.com/default.aspx?kbid=272530
members of the local admin group
1. Start / Run
2. Input CMD
3. Press ENTER
4. Input NET LOCALGROUP ADMINISTRATORS
5. Press ENTER
Saying that I also have to warn you ...
Why you should not run your computer as an administrator
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/windows_security_whynot_admin.htm
Remove Users from Local Admin Group
http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/21296/21296.html
Why you should not run your computer as an administrator
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/windows_security_whynot_admin.htm
Remove Users from Local Admin Group
http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/21296/21296.html
>"However now this team has increased 5 fold"
VNC - Remote connection - (GNU General Public Licence)
http://www.uk.research.att.com/vnc/download.html
DameWare NT Utilities Information:
http://www.dameware.com/products/dntu/
30 days free trial download DameWare NT Utilities (MSI)
"The following download links are for Windows XP, Windows 2000 and Windows NT 4.0 with the Microsoft Installer installed.":
http://www.dameware.com/download/
BUT - as stated above - using these tools requires membership of LOCALl admin group
VNC - Remote connection - (GNU General Public Licence)
http://www.uk.research.att.com/vnc/download.html
DameWare NT Utilities Information:
http://www.dameware.com/products/dntu/
30 days free trial download DameWare NT Utilities (MSI)
"The following download links are for Windows XP, Windows 2000 and Windows NT 4.0 with the Microsoft Installer installed.":
http://www.dameware.com/download/
BUT - as stated above - using these tools requires membership of LOCALl admin group
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
BTW - Maybe the solution is more simple than that ....
Can your "robot stations"-application run without being member of the local admin group ?
If so - why not use a password-protected screensaver (without locking the computer with ctrl-alt-del)?
Screen Saver Password Protection Policy (Windows 2000/XP)
http://www.winguides.com/search.php?guide=registry&keywords=screensaver
Can your "robot stations"-application run without being member of the local admin group ?
If so - why not use a password-protected screensaver (without locking the computer with ctrl-alt-del)?
Screen Saver Password Protection Policy (Windows 2000/XP)
http://www.winguides.com/search.php?guide=registry&keywords=screensaver
ASKER
There seems to be no "canned" secure way to share the original session among users of a common domain group that is without giving them access to the MyDomain\Instrument account.
I suppose I needed a second opinion and you seem to be very knowledgable and trust your judgements.
Unfortunately, there is no way around the local admin rights, for lack of a better term the application is what I call "garage-ware" and is not written as client/server which if it were, make this problem go away.
Here is the solution we are going to go with which essentially is a combination of policy and scripting.
1 - Each team member gets the application loaded locally.
2 - The instrument application has the ability to be paused thereby unlocking the database files for backup.
3 - Each team member that needs to view the progress has a vbscript that copies the db to local station, restarts original program. The other way this could be done would be just to have db snapshot itself to a common share somewhere on network and send an alert to all team members of the snapshot and location at predefined intervals.
4 - The user(s) then reviews data , makes their the fine tuning suggestions they would like to do with the application and forwards this information to the original MyDomain\Intrument user who then can make the adjustments that need to take place or end the experimetn etc...
Step 4 will be a policy they need to come up with themsleves and IT will just accomodate.
I thank you for your suggestions and ability for me to bounce this around for possible solutions.
I like to award Jorgen Malmgren (trywaredk) the points and put this to rest.
Best,
Tom
Best,
Tom
I suppose I needed a second opinion and you seem to be very knowledgable and trust your judgements.
Unfortunately, there is no way around the local admin rights, for lack of a better term the application is what I call "garage-ware" and is not written as client/server which if it were, make this problem go away.
Here is the solution we are going to go with which essentially is a combination of policy and scripting.
1 - Each team member gets the application loaded locally.
2 - The instrument application has the ability to be paused thereby unlocking the database files for backup.
3 - Each team member that needs to view the progress has a vbscript that copies the db to local station, restarts original program. The other way this could be done would be just to have db snapshot itself to a common share somewhere on network and send an alert to all team members of the snapshot and location at predefined intervals.
4 - The user(s) then reviews data , makes their the fine tuning suggestions they would like to do with the application and forwards this information to the original MyDomain\Intrument user who then can make the adjustments that need to take place or end the experimetn etc...
Step 4 will be a policy they need to come up with themsleves and IT will just accomodate.
I thank you for your suggestions and ability for me to bounce this around for possible solutions.
I like to award Jorgen Malmgren (trywaredk) the points and put this to rest.
Best,
Tom
Best,
Tom
The Experts Exchange Help Pages - About Closing Questions
https://www.experts-exchange.com/Security/Win_Security/help.jsp - hi9
https://www.experts-exchange.com/Security/Win_Security/help.jsp - hi9
:o) Sorry - I received an email about your comment 04/11/2004 10:24PM CEST (without message of Accepted Answer), and I posted the link to help pages, before I received the email about Accepted Answer.
21 minuts between the 2 emails.
:o) Glad I could help you - thank you for the points
21 minuts between the 2 emails.
:o) Glad I could help you - thank you for the points
ASKER
No problrm , thanks for the input.
cya
Tom
cya
Tom
http://www.microsoft.com/windows2000/techinfo/planning/management/seclogon.asp
HOW TO Enable and Use the RunAs Command When Running Programs in Windows
http://support.microsoft.com/default.aspx?scid=kb;en-us;294676
You have to start the runas-service if you want to use runas.exe
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/windows2000/en/professional/help/sys_srv_secondary_logon.htm
Runas has several parameters:
1. Start / Run
2. Input CMD
3. Press Enter
4. Input RUNAS /?
5. Press Enter
6. --- find the parameters you want to use ---
7. Input EXIT
8. Press Enter.
Remember NOT to use runas with administrators logon in a batch-job, because then you have to input administrators password, thus compromizing your security.
Instead use RunAs Professional
http://www.mast-computer.de/
Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark
:o) Your brain is like a parachute. It works best when it's open