• Status: Solved

Give some domain user access to unlock the PC


I am working in a hospital and we have 300 PCs. On some computers in the ICU and some other areas, the user leaves the computer, and after a time the computer is locked. When another user wants to use the PC, he does one of two things:
1) forces a shutdown of the PC (some PCs will have OS errors after this action)
2) or calls the user (sometimes the user has left the hospital)

How can I give some users access to unlock the PC to prevent these two actions?
Because it is becoming a big problem in our hospital.

We are on 2003 AD and the PCs are XP.
Asked:
AliQahtani
 
Pro_Commented:
http://www.ensuretech.com/ or http://download.cnet.com/Mouselock/3000-2409_4-10073757.html are some options.

The only other option is to get users to log out properly, use a generic login / get users to connect to TS sessions on 1 PC, etc.
 
ShareefHuddle Commented:
Give those users local admin rights to the PC, or create one universal user per machine and just set up your apps so they need individual user credentials. Train users to make sure they are the user logged into apps.
 
Todd Gerbert (IT Consultant) Commented:
Perhaps a screen saver that will log out the current user after 10 minutes or so...
 
jodix2002 Commented:
I think you can use something like this:
http://support.microsoft.com/kb/314999
 
AliQahtani (Author) Commented:
We cannot force a logout after a time period; sometimes the nurse will be working in one of the applications and leave it because she needs to take care of one of the ICU patients, and then come back to continue her work.

The other thing is that the hospital has a medical college, and the nurses and doctors change a lot in the hospital.
 
Awinish Commented:
I would suggest creating a new OU and moving the ICU systems into the new OU.
Create a new GPO, configure loopback policy, enable the disabling screen saver option & link it to the new OU, instead of giving users interference or fiddling with the system.

Computer Configuration/Administrative Templates/System/GroupPolicy
Loopback policy: Enabled

User Configuration/Administrative Templates/Control Panel/Display
Screensaver: Disabled
Password protect the Screensaver: Disabled
Screensaver time out: Disabled

http://grouppolicy.editme.com/Loopback
 
AliQahtani (Author) Commented:
The hospital policy is to have a screen saver and password protection.
 
Awinish Commented:
Disable it only for the ICU systems, as you have to give them local admin rights to disable the screensaver.
 
AliQahtani (Author) Commented:
I discussed this solution with the QA (Quality Assurance) department; they said you cannot disable the screen saver and password protection on these systems.

The only thing that is not against the policy is to give them a right to unlock the PC.
I do not want to give the users local admin access. I want to give them unlock access.
 
Awinish Commented:
Then this tool can do the trick.

http://www.e-motional.com/ULAdmin.htm
 
AliQahtani (Author) Commented:
Is there another way to do it rather than using the tool?
 
Awinish Commented:
Apart from making them a member of the local admin group, disabling through loopback policy & tools, I can't think of anything more now..:)

It's your call now, coz something always comes with pros & cons. I can understand your dilemma due to QA, it happens as people fails there is in & out to achieve something.
 
Todd Gerbert (IT Consultant) Commented:
Even an administrator can't unlock a PC; when an administrator enters his username/password at a locked PC it forcefully logs off the current user.  With Windows alone, the only two options are for the current user to enter his password, or for an administrator to forcefully log off the current user.
At a quick glance, it looks like http:#34082980 is your best bet.  I can't see any other way besides such a program that implements an alternative GINA.
The only other thing that comes to mind is to upgrade to Windows 7, which will allow multiple users to remain logged on simultaneously.
 
AliQahtani (Author) Commented:
Can we give the user access to log the user out of his session?
 
Awinish Commented:
Again, that will kill the user's session & any open files will be closed w/o saving the changes, & to achieve all this you still require local admin membership access.
 
AliQahtani (Author) Commented:
We agreed with the users and the QA department that if a user leaves the ICU unit without logging off from the PC, he will lose his work.
This way the users will save their work and log off from the PC regularly.
 
Awinish Commented:
Somewhere you have to compromise..
 
Todd Gerbert (IT Consultant) Commented:
You can use the WinExit screen saver, included with the Windows 2003 Resource Kit, to automatically log off users after a period of inactivity.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en
 
AliQahtani (Author) Commented:
There is a way to give the user access to log off the locked PC.
 
Todd Gerbert (IT Consultant) Commented:
Care to enlighten us? How are you able to do that?
 
AliQahtani (Author) Commented:
Sorry, I made a typing mistake.

Is there a way to give the user access to log off the locked PC?
 
Awinish Commented:
Considerable solutions have been given; apart from that, I can't think of any more now.
 
Todd Gerbert (IT Consultant) Commented:
No, as was already pointed out even an administrator can only forcefully log off the current user if the workstation is locked, and cannot simply unlock it.
 
Todd Gerbert (IT Consultant) Commented:
It's probably worth pointing out that even if you could allow users to unlock a workstation, without logging off the current user, that's very nearly (not quite, but almost) the same thing as creating a generic username and giving everyone the password to this one account - instead of giving each user their own personal login.

In both cases you won't be able to reliably track what user performed what actions, nor will their documents & files be protected/private.
 
Awinish Commented:
A single username & password for multiple guys can really be a threat & almost impossible to track, & it's very much inviting more problems..:)
 
Todd Gerbert (IT Consultant) Commented:
Agreed - that's kind of my point.  I think either approach (either a single username, or allowing users to unlock another's workstation) is a bad idea and a different avenue altogether should be pursued.

Imagine you log onto a workstation, and walk away without logging off - allowing it to lock.  Then I walk up to the same computer, and unlock it without logging you off.  Then I delete some database records; the logs will show that Awinish modified the database, not tgerbert.  I could also read your email (probably), and modify/delete your personal documents.

These are the same sorts of problems you'd have with a single username.  Thus, if using a single username with a publicly known password is not acceptable for these reasons, then allowing users to unlock each others' workstations must also not be acceptable for the same reasons.
 
Awinish Commented:
Perfect & detailed explanation; it's time for revamping the policy, & that's what the purpose of policy is, to make things easier & controlled.
