• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 441
  • Last Modified:

Ability to share one account profile for multiple users

I need a solution for the following scenario.  We have many "robot stations" that control instruments and experiments that may take in upwards of 7 days to complete. Once the machine logs off the application is ended so the session that starts the application must remain logged in until it  completes. These stations are mostly Windows 2000 Pro. Currently they are using one domain account to run the experiment. As the application runs it is not uncommon for a team of people to need access that session from time to time and look  at the screen and 'play' with the application.  This worked for a while and was ok since it was a small group of people.  However now this team has increased 5 fold and there is now a security problem since global account requires local admin rights. What we like to do is have the ability for these machines to run these applications and have each person use thier own personal global domain account to unlock the screen and show the running application.
In a nutshell  is it possible to limit the number of profile sessions on a machine to 1  but have a way that if anyone with specific group membership can open and look at the original session that began without knowledge of that original global account.  Or better yet,
can we get rid of that original global account entirely and have the machine setup so that anyone in this group can begin a session  that shares with everyone else in that group?
0
thomburke
Asked:
thomburke
  • 8
  • 6
1 Solution
 
trywaredkCommented:
Step-by-Step Guide to Using Secondary Logon in Windows 2000 (runas.exe)
http://www.microsoft.com/windows2000/techinfo/planning/management/seclogon.asp

HOW TO Enable and Use the RunAs Command When Running Programs in Windows
http://support.microsoft.com/default.aspx?scid=kb;en-us;294676

You have to start the runas-service if you want to use runas.exe
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/windows2000/en/professional/help/sys_srv_secondary_logon.htm

Runas has several parameters:
1. Start / Run
2. Input CMD
3. Press Enter
4. Input RUNAS /?
5. Press Enter
6. --- find the parameters you want to use ---
7. Input EXIT
8. Press Enter.

Remember NOT to use runas with administrators logon in a batch-job, because then you have to input administrators password, thus compromizing your security.
Instead use RunAs Professional
http://www.mast-computer.de/


Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
thomburkeAuthor Commented:
Thank you for the effort however this has been explored already and is not a solution.
All team members already know the global accout that is in the workstations local admins. We were trying to find a way they didn't have to know that.
Let me try to explain this scenario with an example that may help.

MyDomain\Instrument = global domain user account with local admin privs to the workstation that must be used to start this application.
MyDomain\Tom = domain user account of team member
MyDomain\Jane - domain user account of team member

On Monday MyDomain\Instrument begins the application that takes 5 days to finish it's job and displays a bunch of graphs while it runs.
(This is usually done by same person each time, or can make policy that must be this way as long as we are limiting the knowledge of that user to a few people/managers it is acceptable).

The workstation locks.

Tuesday MyDomain\Tom needs to look into the progress of the application hits Cntrl+Alt+Del to unlock station, he cannot do so without

0
 
thomburkeAuthor Commented:
(accidently hit submit).... to continue example:

The workstation locks.

Tuesday MyDomain\Tom or MyDomain\Jane needs to look into the progress of the application in its original session and hits Cntrl+Alt+Del to unlock station, they cannot do so without knowledge of the MyDomain\Instrument account password.

Right now we are exploring Terminal Services as a solution. Making just prohibiting the user from physically going to the workstation and making them view the MyDomain\Instrument session remotely having the TS session start automatically with MyDomain\Instrument however this entails changing all workstations to Win2K

0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
thomburkeAuthor Commented:
Ack I meant to say " entails changing all workstations to Win2K Server"  :-)
 Your answer may work if you can explain to me how it would get by the above scenario.  Perhaps we am not understanding the Runas secondary logon as much as I thought.

Best,
Tom
0
 
thomburkeAuthor Commented:
Addendum  we looked into Runas Professional  , management will not spend the money :-|
We are thinking this can be done with M$ native tools we already are licensed for or can buy. They are very Microsoft vanilla when it comes to solutions.
0
 
trywaredkCommented:
Any supposed solution involves the ability to do something that requires to be member of the LOCAL admin group.

And that's a security risk - I really agree with you, and I deals with that in http://www.experts-exchange.com/Security/Win_Security/Q_20576959.html

An even greater security risk is the DOMAIN admin group. Never consider this group for your question.

But there's no way out for you, you have to place your MyDomain\Instrument user in the LOCAL admin group. That's not the same as giving MyDomain\Instrument more than normal domain users permissions on your servers.

Introduction to LOCAL and DOMAIN user accounts
http://windows.about.com/library/weekly/aa010325a.htm

How to Use the Cusrmgr.exe Tool to Change Administrator Account Password on Multiple Computers
http://support.microsoft.com/default.aspx?kbid=272530

members of the local admin group
1. Start / Run
2. Input CMD
3. Press ENTER
4. Input NET LOCALGROUP ADMINISTRATORS
5. Press ENTER


0
 
trywaredkCommented:
Saying that I also have to warn you ...

Why you should not run your computer as an administrator
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/windows_security_whynot_admin.htm

Remove Users from Local Admin Group
http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/21296/21296.html

0
 
trywaredkCommented:
>"However now this team has increased 5 fold"

VNC - Remote connection - (GNU General Public Licence)
http://www.uk.research.att.com/vnc/download.html

DameWare NT Utilities Information:
http://www.dameware.com/products/dntu/

30 days free trial download DameWare NT Utilities (MSI)
"The following download links are for Windows XP, Windows 2000 and Windows NT 4.0 with the Microsoft Installer installed.":
http://www.dameware.com/download/

BUT - as stated above - using these tools requires membership of LOCALl admin group
0
 
trywaredkCommented:
Maybe a solution could be to create a custom gina, but that requires that you have programming skills, to fulfill the possibillity to create your own compiled exe-program to run your "robot stations"-application and have it's own password-screensaver, where you defines what's being done.

Implement a User Based Custom Shell (Windows 2000/XP)
http://www.winguides.com/registry/display.php/849/

Replacing the Microsoft Graphical Identification and Authentication DLL (MSGINA.DLL)
http://www.microsoft.com/windows2000/docs/msgina.doc

AutoIt v3 is free an BASIC-like scripting language with compiler
http://www.hiddensoft.com/autoit3/
0
 
trywaredkCommented:
BTW - Maybe the solution is more simple than that ....

Can your "robot stations"-application run without being member of the local admin group ?

If so - why not use a password-protected screensaver (without locking the computer with ctrl-alt-del)?

Screen Saver Password Protection Policy (Windows 2000/XP)
http://www.winguides.com/search.php?guide=registry&keywords=screensaver
0
 
thomburkeAuthor Commented:
There seems to be no "canned"  secure way to share the original session among users of a common domain group that is without giving them access to the MyDomain\Instrument account.

I suppose I needed a second opinion and you seem to be very knowledgable and trust your judgements.

Unfortunately, there is no way around the local admin rights, for lack of a better term the application is what I call "garage-ware" and is not written as client/server which if it were, make this problem go away.

Here is the solution we are going to go with which essentially is a combination of policy and scripting.

1 - Each team member gets the application loaded locally.
2 - The  instrument application has the ability to be paused thereby unlocking the database files for  backup.
3 - Each team member that needs to view the progress has a vbscript that copies the db to local station, restarts original program.   The other way this could be done would be just to have db snapshot itself to a common share somewhere on network and send an alert to all team members of the snapshot and location at predefined intervals.
4 - The user(s) then reviews data , makes their the fine tuning suggestions they would like to do with the application and forwards this information to the original MyDomain\Intrument user who then can make the adjustments that need to take place or end the experimetn etc...

Step 4 will be a policy they need to come up with themsleves and IT will just accomodate.

I thank you for your suggestions and ability for me to bounce this around for possible solutions.  

I like to award Jorgen Malmgren (trywaredk) the points and put this to rest.

Best,
Tom

Best,
Tom
0
 
trywaredkCommented:
The Experts Exchange Help Pages - About Closing Questions
http://www.experts-exchange.com/Security/Win_Security/help.jsp - hi9
0
 
trywaredkCommented:
:o) Sorry - I received an email about your comment 04/11/2004 10:24PM CEST (without message of Accepted Answer), and I posted the link to help pages, before I received the email about Accepted Answer.

21 minuts between the 2 emails.

:o) Glad I could help you - thank you for the points
0
 
thomburkeAuthor Commented:
No problrm , thanks for the input.
cya
Tom
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 8
  • 6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now