
How Administrator can unlock computer?

Naj Saqi asked:
At our company we use Windows 7. Now, when a computer is locked, we cannot unlock this computer with an administrator account. The last thing I remembered, we disabled Fast User Switching via group policy.

In Windows XP, when a computer is locked, you see the message:
This computer is in use and has been locked
only DOMAIN\user or an administrator can unlock this computer

Is there a way to do this in Windows 7?

Network Manager
Commented:
The only method we've found so far is to use Remote Desktop from another machine to the one that you want to access. That then clears the current login and allows you to log in on that desktop as another user.

Commented:
Hang on... doesn't your Win7 box show the same message "This computer is in use and has been locked..."
or... are you saying that it does display the message, and that it doesn't work when you try it


Naj Saqi, Systems Engineer

Author

Commented:
No, in fact, it just shows that this system is locked by this user but there is no way to edit username or administrator can unlock that system. It is weird indeed...

Commented:
... and you don't have the "Switch User" button below?
Top Expert 2013

Commented:
A1opus--And none of the suggestions in my earlier post helped?
Naj Saqi, Systems Engineer

Author

Commented:
Graye:

As I said earlier, our Windows machines are in a domain environment and we have disabled Fast User Switching...

@jcimaroon:

No, none of the above links helped me... and how many times will I use remote desktop to unlock the machines? I need a permanent solution or guide...
Steve, Network Manager

Commented:
But the remote desktop does work for you as well then?

That's the only method I've found that works for us...

Naj Saqi, Systems Engineer

Author

Commented:
Let's suppose I am in computer and found a couple of locked machines; what should I do? Should I log in to another machine and remote desktop to that machine to unlock it? Well, it is good for a couple of times but it is not the solution. I know there are some workarounds, but I need a solution.
Most Valuable Expert 2013
Commented:
There isn't a way 'round this as long as hide entry points for fast user switching is disabled in the GPO. Unclear if Microsoft have any intention to fix this but the problem has been there since Vista. RDP is currently the only - clunky - workaround (other than actually power cycling the machine)
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Here is what I can do on my Windows 7 machine.

First, go to Start -> Run -> control userpasswords2 . In Advanced, check "Require Users to press Ctrl Alt Del"

Now, when I lock the Windows 7 machine, at first it appears only I can unlock it. But there is a Cancel button below. Press Cancel and a userid screen comes up. From here you can switch users.

... Thinkpads_User
Naj Saqi, Systems Engineer

Author

Commented:
As I mentioned earlier. We have disabled user Switching via Group Policy......
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
If your policy overrides using Ctrl-Alt-Del, then it would look like you are out of luck. I disabled fast User Switching on my own machine (but not by Group Policy), and what I supplied works on my machine.
... Thinkpads_User
Most Valuable Expert 2013

Commented:
The GPO prevents the "double Ctrl-Alt-Del" keypress that was so useful in XP so suspect blocks this in control userpasswords2 as well :(
Qlemo, "Batchelor", Developer and EE Topic Advisor
Top Expert 2015
Commented:
If all that is true, the less clumsy method of remote log-off can be done with
 psshutdown \\machine -o -u user -p password
psshutdown is part of the free PsUtils suite of www.sysinternals.com (owned by Microsoft).
Any access via safemode in an administrator account?
In there you could change the password on the locked out systems?
Naj Saqi, Systems Engineer

Author

Commented:
In fact, I am not seeking solution for any special case. What if I go in one of our labs and there are couple of machines locked by users, so what will I do? Should I login to any machine and remote in those locked machines one by one.... It is pathetic... It's a workaround indeed...  I need solution.... There should be an option to unlock machine by administrator's password as it was in XP.
Qlemo, "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
psshutdown allows for a list of PCs (given manually or as a file). If you really have that lot of PCs you need to log in as another user you can implement a batch file checking all known PCs (or a group, or whatever you like) for the logged in user, and log it off if it isn't the Admin.

The only other suggestion I can give is to reboot the machine. That is pathetic, too, but works.
In my humble opinion..
Seems to me the problem here is the users can create their own password so even an administrator cannot have access there; this then may not be a Windows problem.
Windows 7 and Windows Vista all have what is called a hidden administrator account. Have you tried logging in as that?
Most large companies, like my workplace, have this same scenario where every department logs into the server in their own section... all users have their own account/password but to their own accounts on the server system.
No other user can access it but an administrator has access to all the departments' accounts from the server side. Main System.
Are these systems Windows Home Basic?
You could disable the UAC
http://www.howtogeek.com/howto/windows-vista/disable-user-account-control-uac-the-easy-way-on-windows-vista/
Otherwise
You'll have to ask the users to declare the passwords for the administrator only.
Seems a commonsense thing to do.
Can't offer anything else sorry but to read another with a similar problem
Computer Locked / Loss Of Authority Of Administration Account
http://windows.bigresource.com/Win7-computer-locked-loss-of-authority-of-Administration-Account-AEHkwFj1.html#8oULdaLZ
Hope you find a solution to this annoying problem.
Regards Merete
Naj Saqi, Systems Engineer

Author

Commented:
Merete:

This is not the case at all. Suppose you are a student at a university and use the labs as well. You locked your machine before leaving the lab and forgot to unlock it the next day. Now when another user tries to unlock it, she can't, because there is no option at all. If that user goes to the IT helpdesk, even an administrator cannot unlock that machine because you can edit username but only password. Do you remember how it used to work in XP? The administrator could change the username.

Commented:
Patient: Doctor, doctor... it hurts when I raise my arm.
Doctor: Then don't raise your arm!
It certainly looks like you just need to change the GPO to allow Fast User Switching. Then everything will work just like you'd expect. I mean, you've turned the feature off, and are now complaining that you don't have that feature anymore.
Naj Saqi, Systems Engineer

Author

Commented:
Ha ha ha ... Very funny....  Try it again ....


If I disable fast user switching, it is obvious, we don't want it ...

In the XP era, when an administrator used to unlock the machine, it wasn't user switching... It automatically logged off the current user. So there must be a solution in Windows 7 as well, that's why I opened a question here....
Oh dear seems we have hit a stalemate,
The problem here as I see it
because there is more than one user account on the system, that's made it very difficult to bypass any password-locked system. If there had been only one then you could get in. You may have experienced this in XP as well.
I think there is no solution here because there is more than one account.
And all administrators?
 I was under the impression these are workstations not shared systems.
Any chance you can get that user back to unlock the system?  :P
Is the account expired?
Windows 7 is pretty secure but there are hacks. I do hate the word, but since we can't post links to these types of things, I'm sure you understand.
I can offer you the name KON-BOOT to google for; it's a dangerous thing in the wrong hands.
KON-BOOT sneaks into the Windows and Linux kernel on the fly while booting,
It allows users to bypass logon passwords completely by simply booting via the KON-BOOT CD or Floppy disk, in its current incarnation the software has been tested to bypass logon passwords on Windows 7, Windows Vista, Windows XP, Windows Server 2003 /2008, Gentoo, Ubuntu, Debian and Fedora.
Just follow the simple steps ahead to create KON-BOOT bootable CD or Floppy and bypass logon passwords.

Naj Saqi, Systems Engineer

Author

Commented:
No dear... My question is not that confusing, I think... it's a domain machine..... It is obvious that many users log in on it...... In Windows 7 there is Fast User Switching... If it is enabled, any user can log on while another is already logged in. But we have disabled Fast User Switching.. So now there is no switch option, but there is no option to change or edit the user as well, like in XP... So now, an administrator or any other user cannot unlock that machine except the logged-in user...

I hope, now confusion should be cleared away...
Most Valuable Expert 2013

Commented:
Which bit of my first post wasn't clear?
Commented:
Yeah but...
The unintended consequences of turning off the Fast User Switching is that you can't perform an Admin unlock procedure.  So, if you turned Fast user Switch back on, you'd be fixed.
Qlemo, "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
A workaround would be to allow for Fast User Switching, but check on login if another interactive user is logged in already - and rejecting it, but for the Admin. Not what you want, but the best approach if you can't get the "override login" procedure.
Naj Saqi, Systems Engineer

Author

Commented:
Is there any way to check for any other interactive logged-on user?
Qlemo, "Batchelor", Developer and EE Topic Advisor
Top Expert 2015
Commented:
Yes. E.g. with

psloggedon -l -x 2>nul | findstr /v /c:"NT-AUT" /c:"%Username%" /c:"locally" && (
  echo,There is already somebody logged in
  timeout /t 10
  tsdiscon
)

(psloggedon is available from www.sysinternals.com.) You get ten seconds until you are logged out.
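
The check over a list of lab PCs that Qlemo describes earlier in the thread, written here as an added PowerShell example that is not from the thread or from any poster: it parses `quser` output, picks out sessions not owned by the admin, and builds the matching `logoff` command for each. The machine name `LAB-PC01`, the `labadmin` account and the sample output are constructed; live use assumes the PCs accept remote `quser`/`logoff` requests.

```powershell
# Added example. Written to run on the PowerShell 2.0 that ships with Windows 7.

function ConvertFrom-QUser {
    param([string[]]$Lines, [string]$Computer)
    # First line is the column header; skip it.
    foreach ($line in ($Lines | Select-Object -Skip 1)) {
        if (-not $line.Trim()) { continue }
        # Column 0 is '>' for the caller's own session, otherwise a space.
        $tokens = $line.Substring(1).Trim() -split '\s+'
        # A disconnected session has no SESSIONNAME, so the numeric ID
        # appears directly after the user name.
        if ($tokens[1] -match '^\d+$') { $name = ''; $i = 1 }
        else                           { $name = $tokens[1]; $i = 2 }
        New-Object PSObject -Property @{
            Computer = $Computer
            User     = $tokens[0]
            Session  = $name
            Id       = [int]$tokens[$i]
            State    = $tokens[$i + 1]
        }
    }
}

# Constructed sample of `quser /server:LAB-PC01` output (not real data).
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME'
    ' student1              console             1  Active      2:13  5/3/2010 9:02 AM'
    ' student2                                  2  Disc        1:05  5/3/2010 8:40 AM'
)

$admin = 'labadmin'   # assumed name of the admin account to leave alone

# Live use (assumption: remote queries are permitted on the lab PCs):
#   $lines = quser /server:LAB-PC01 2>$null
$sessions = ConvertFrom-QUser -Lines $sample -Computer 'LAB-PC01'

# Emit the command for review instead of running it, so the admin can
# confirm which sessions will lose unsaved work before logging them off.
$sessions | Where-Object { $_.User -ne $admin } | ForEach-Object {
    "logoff $($_.Id) /server:$($_.Computer)"
}
```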
Naj Saqi, Systems Engineer

Author

Commented:
Please delete this question. I didn't find any systematic solution. I appreciate everyone's help but unfortunately, all are the workarounds indeed.
Qlemo, "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
I'm sorry, but "You can't do that" is a valid answer, and has been posted many times here now (by other experts). Either you accept that you can't do it at all with your setup, or you accept that you need to use a workaround, like RDP or switching on Fast User Switch and refusing parallel login as in my script.
Most Valuable Expert 2013

Commented:
Suggest even split:

http:#32957093 Author:PsychoFelix
http:#33082370 Author:MASQUERAID
http:#33082428 Author:Qlemo
http:#33100470 Author:graye
http:#33104316 Author:Qlemo

Qlemo double share because of the useful script.