Solved

When RDP'd into a machine, prevent users from logging "Admin" account out?

Posted on 2009-04-21
Last Modified: 2012-05-06
When logged into a machine as a domain/local Administrator, I'd like to prevent other users from logging in and killing my session. For example, when installing Service Pack 3, another user can walk up to the machine and log in (the screen would show "This computer has been locked by 'Administrator'"), stopping the service pack installation.

I want to set this policy domain-wide through a group policy, and not rely on local settings if possible.

Thanks,
Matt
Question by:mattboy_slim
11 Comments
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 24197543
Just to confirm your scenario...

You are logged in via RDP as a domain administrator to SERVERA or WORKSTATIONA. Another user with domain or local administrator credentials walks up to the server or workstation and sees the message that another user is logged in, but they try to log in anyways.

If that is an accurate account of your issue then you cannot stop that. If the person has domain / local admin rights then they can log other users off.
0
 
LVL 47

Accepted Solution

by:
Donald Stewart earned 1000 total points
ID: 24197553

Use
"Deny log off of an administrator logged in to the console session"
 
http://www.boyce.us/gp/gpcontent.asp?ID=276 
0
 
LVL 9

Expert Comment

by:rfportilla
ID: 24197572
I'm not sure if there is a good answer for this, but I will try.

1) If the user account is not an administrator, they cannot log an administrator off.  Did you set the local user to be part of the local admins group on the computer?  This might fix the problem.

2) I would not be installing SP 3 interactively anyway.  You can download the update and install it using Group Policy.  

3) Although, I would prefer using WSUS for this if it is an option.  

Let me know if this helps.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24197575
Are these users also potentially domain admins too?
 
0
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 24197583
I'll be damned... nice find dstewartjr!
0
 
LVL 2

Author Comment

by:mattboy_slim
ID: 24197735
dfxdeimos, that may be the setting I'm looking for. The users who are kicking the "Administrator" account off though are not local or domain admins, which is why I was getting frustrated with the problem. I'll test this and get back here in a couple of hours/days to update.

Thanks,
Matt
0
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 24197748
The real question is, what are you trying to do? Are you trying to deploy SP3? If so, you don't want to log onto each workstation and do it individually.

You either want to use WSUS or push it out via a GPO.
0
 
LVL 2

Author Comment

by:mattboy_slim
ID: 24197792
We have about 60 unique machine configurations, so I'm testing it on one of each configuration before deployment. I've been doing about 1/2 per day to test everything on the machines before deploying it domain-wide.

So no, that is NOT the real question. The real question was the question that I asked.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24197802
You say "dfxdeimos, that may be the setting I'm looking for."
 
I provided you with a setting :-) , not dfxdeimos
0
 
LVL 2

Author Comment

by:mattboy_slim
ID: 24197811
Sorry, I copy/pasted the wrong name. So dstewartjr, thanks, that may be the setting I'm looking for :)
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24197823
LOL....just keeping tabs
0
