Solved

Permission to unlock a workstation

Posted on 2006-06-20
Last Modified: 2008-01-09
Normally, when a workstation that is on a domain is locked (either manually or by the screensaver), Windows prompts you that only the administrator or the user logged on can unlock this workstation. Is it possible to give a non-administrator rights to be able to log a domain user off the computer?
Question by:DVation191
LVL 48

Expert Comment

by:Jay_Jay70
Not that I am aware of; this is just the way Windows works, from what I have dealt with.
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 300 total points
It's not asking for a DOMAIN administrator actually, it's just a LOCAL administrator that needs to do this, so you can either give your users local administrator privileges, OR they can just use CTRL-ALT-DEL twice to reboot the machine.  The fact is that if they were to log in anyhow, it wouldn't save any work that may have been open by the previous user.  So rebooting would end up with the same results.

Jeff
TechSoEasy
0
 
LVL 2

Assisted Solution

by:Dave Robinson
Dave Robinson earned 200 total points
Tech is right about the Local Admin rights. I've done this in a school environment before.
You can create an "Unlock PC" group, and add any users to this group that you wish to unlock your PCs.
Then just create a batch file that adds the Unlock PC group to the local administrator group. Put this in your Group Policy settings, and voilà! The script runs on all PCs and any users from that group can unlock PCs.

Here are the contents of a sample batch file where User Administrators is the name of the group. Paste this into Notepad and save as filename.bat

----------------------------------
net localgroup Administrators /add "domain.local\User Administrators"
----------------------------------

What is worth adding is that pressing Ctrl-Alt-Del doesn't do anything (XP SP2), and secondly, when it did use to do something, it just rebooted your PC as if you had pulled the plug out the back, which is not a good way of doing things.
Using the correct way of unlocking / logging out other users still keeps profile information correct / uploads the latest profile information back to the server. Pulling the plug out / Ctrl-Alt-Del / restarting the PC can lead to profile corruption.
0
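
The batch file above makes every member of the delegated group a full local administrator on each PC, so it is worth checking periodically that nothing else has ended up in that group. The following is an added example, not part of the original thread: it compares local Administrators membership against an allowlist. `DOMAIN`, `PC042`, the account names and the helper `Get-UnexpectedAdmin` are assumptions made for illustration.

```powershell
# Added example. DOMAIN, PC042 and the account names are constructed placeholders;
# Get-UnexpectedAdmin is a hypothetical helper, not a built-in cmdlet.
$Allowed = @(
    '.\Administrator',              # built-in local account
    'DOMAIN\Domain Admins',
    'DOMAIN\User Administrators'    # the delegated group from the batch file
)

function Get-UnexpectedAdmin {
    param(
        [Parameter(Mandatory)][string[]]$Members,
        [Parameter(Mandatory)][string[]]$Allowed,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $localPrefix = '^' + [regex]::Escape($ComputerName) + '\\'
    foreach ($member in $Members) {
        # Local accounts are reported as COMPUTERNAME\name; rewrite them to .\name
        # so the same allowlist can be used on every workstation.
        $normalized = $member -replace $localPrefix, '.\'
        if ($Allowed -notcontains $normalized) { $normalized }
    }
}

# Constructed sample: what a workstation might report after someone added a
# user account directly instead of going through the delegated group.
$sample = @(
    'PC042\Administrator',
    'DOMAIN\Domain Admins',
    'DOMAIN\User Administrators',
    'DOMAIN\jsmith'
)
Get-UnexpectedAdmin -Members $sample -Allowed $Allowed -ComputerName 'PC042'

# Live check on a Windows machine with the LocalAccounts module (PowerShell 5.1+).
# S-1-5-32-544 is the well-known SID of the built-in Administrators group, so
# the check does not depend on the localized group name.
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    $members = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
    $unexpected = Get-UnexpectedAdmin -Members $members -Allowed $Allowed
    if ($unexpected) {
        Write-Warning ("Unexpected local administrators: " + ($unexpected -join ', '))
    }
}
```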
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
The whole reason that this is only allowed by admins, by the way, is that you are authorizing a possible loss of data.  If the person left something open and was working on it when the computer was locked, only their login will unlock it back to the desktop they were working on.  All other logins will log the original user off without saving what was open.  So even if you do add these other users, it doesn't make much sense to me... since a reboot will accomplish the same thing... and often it's quicker.

Jeff
TechSoEasy
0
 
LVL 48

Expert Comment

by:Jay_Jay70
Don't give admin rights out like candy, though. This is kept to the admin for good reason, as Jeff has already mentioned; if you start playing with this you are going to be asking for trouble, in my opinion.
0
 
LVL 2

Expert Comment

by:Dave Robinson
You are correct, Jeff, in regards to any documents that have been open. Forcing logoff will close any open programs the user had open, and not save any open documents - but I was speaking about the user's profile.
If you have roaming profiles set up, then on logon the PC pulls down the profile from the server. If the user makes any changes to the profile, then simply restarting the PC will not replicate those changes back to the server.
Forcing logoff will make the PC log off in the correct way, and so be less likely to lead to profile corruption.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
That's true... if we could only get a response from the asker to know if roaming profiles are in use.  I don't use them, so I tend to not think about those things.

Jeff
TechSoEasy
0
 
LVL 20

Author Comment

by:DVation191
I'll start testing some of these suggestions. No, roaming profiles aren't used.

Also, being very familiar with the applications in use at this organization, the only "work" that might be lost is that used in MS Office applications. However, group policy is set to autosave all work every 2 minutes, so no data should be lost by forcing a log off. Users are also required (although this is not enforced by group policy) to log off before going home so we can perform maintenance. If a user is still logged on we need to be able to unlock the workstation.

Although I'm almost positive this isn't possible, it would be great if we could actually just "unlock" the workstation instead of "unlock and log off current user". Then we could see what work is still opened. Only way I can see that happening is by resetting the domain password.
0
 
LVL 2

Expert Comment

by:Dave Robinson
Correct, without knowing that user's domain password you cannot just unlock the PC. You can only unlock and log off that user.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
There is a special WinXP screen saver that will auto-logoff a user and close out their programs (winexit.scr), if you're interested:
http://support.microsoft.com/kb/314999

Jeff
TechSoEasy
0
