Solved

Give some domain user access to unlock the PC

Posted on 2010-11-07
Last Modified: 2012-05-10

I am working in a hospital and we have 300 PCs. On some computers in the ICU and some other areas, the user leaves the computer, and after a time the computer is locked. When another user wants to use the PC, he does one of two things:
1) forces the PC to shut down (some PCs will have OS errors after this action)
2) or calls the user (sometimes the user has left the hospital)

How can I give some users access to unlock the PC to prevent these two actions?
Because it is becoming a big problem in our hospital.

We are on 2003 AD and the PCs are XP.
Question by:AliQahtani
28 Comments
 
LVL 4

Expert Comment

by:Pro_
ID: 34082106
http://www.ensuretech.com/ or http://download.cnet.com/Mouselock/3000-2409_4-10073757.html are some options.

The only other option is to get users to logout properly, use a generic login / get users to connect to TS sessions on 1 PC etc
0
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 34082107
Give those users local admin rights to the PC, or create one universal user per machine and just set up your apps so they need individual user credentials. Train users to make sure they are the user logged into apps.
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34082118
Perhaps a screen saver that will log out the current user after 10 minutes or so...
0

 
LVL 3

Expert Comment

by:jodix2002
ID: 34082376
I think you can use something like this:
http://support.microsoft.com/kb/314999
0
 
LVL 3

Author Comment

by:AliQahtani
ID: 34082495
We cannot force a log out after a time period; sometimes the nurse will be working in one of the applications and leave it because she needs to take care of one of the ICU patients, and then come back to continue her work.

The other thing is that the hospital has a medical college, and the nurses and doctors change a lot in the hospital.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34082504
I would suggest creating a new OU and moving the ICU systems into the new OU.
Create a new GPO, configure loopback policy, enable disabling the screen saver option & link it to the new OU, instead of letting users interfere or fiddle with the system.

Computer Configuration/Administrative Templates/System/GroupPolicy
loopback policy Enabled  


User configuration/Administrative templates/control panel/display

Screensaver                                            Disabled
Password protect the Screensaver    Disabled
Screensaver time out                            Disabled

http://grouppolicy.editme.com/Loopback
0
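The display settings listed in the post above are stored as registry values, so a workstation can be checked for whether a password-protected screen saver is still enforced by policy. The PowerShell below is an added example, not part of the original thread; the function names and the 900-second limit are assumptions, and the sample policy is constructed.

```powershell
# Registry locations written by the Group Policy settings listed above.
# The values under the Desktop key are REG_SZ strings.
$DesktopKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$SystemKey  = 'HKLM:\Software\Policies\Microsoft\Windows\System'

function Get-PolicyValue($Key, $Name) {
    # $null means the value is absent, i.e. the setting is Not Configured.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-LivePolicy {
    # Reads the effective policy values for the current user and machine.
    @{
        ScreenSaveActive    = Get-PolicyValue $DesktopKey 'ScreenSaveActive'
        ScreenSaverIsSecure = Get-PolicyValue $DesktopKey 'ScreenSaverIsSecure'
        ScreenSaveTimeOut   = Get-PolicyValue $DesktopKey 'ScreenSaveTimeOut'
        UserPolicyMode      = Get-PolicyValue $SystemKey  'UserPolicyMode'
    }
}

function Test-ScreenLockPolicy($Policy, $MaxTimeoutSeconds = 900) {
    # 900 s is an assumed limit; substitute the figure from your own policy.
    $findings = @()
    if ([string]$Policy.ScreenSaveActive -ne '1') {
        $findings += 'Screen saver is not enforced by policy'
    }
    if ([string]$Policy.ScreenSaverIsSecure -ne '1') {
        $findings += 'Password protection on resume is not enforced by policy'
    }
    $timeout = 0
    [void][int]::TryParse([string]$Policy.ScreenSaveTimeOut, [ref]$timeout)
    if ($timeout -le 0 -or $timeout -gt $MaxTimeoutSeconds) {
        $findings += "Timeout missing or above $MaxTimeoutSeconds s (value: '$($Policy.ScreenSaveTimeOut)')"
    }
    switch ($Policy.UserPolicyMode) {
        1 { $findings += 'Note: loopback processing enabled (merge mode)' }
        2 { $findings += 'Note: loopback processing enabled (replace mode)' }
    }
    $findings
}

# Constructed sample: values a user would receive from the GPO described above.
$icuGpo = @{ ScreenSaveActive = '0'; ScreenSaverIsSecure = '0'
             ScreenSaveTimeOut = $null; UserPolicyMode = 2 }
'--- constructed ICU GPO ---';        Test-ScreenLockPolicy $icuGpo
'--- this machine, current user ---'; Test-ScreenLockPolicy (Get-LivePolicy)
```

An empty result for the live check means all three lock settings are enforced by policy for the logged-on user; run it in that user's session, because the Desktop values live in the per-user hive.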
 
LVL 3

Author Comment

by:AliQahtani
ID: 34082585
the hospital policy is to have a screen saver and password protection.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34082596
Disable only for ICU system as you have to give them local admin right to disable screensaver.
 
0
 
LVL 3

Author Comment

by:AliQahtani
ID: 34082920
I discussed this solution with the QA (Quality Assurance) department; they said you cannot disable the screen saver and password protection on these systems.

The only thing that is not against the policy is to give them a right to unlock the PC.
I do not want to give the user local Admin access. I want to give them unlock access.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34082980
Then this tool can do the trick.

http://www.e-motional.com/ULAdmin.htm
0
 
LVL 3

Author Comment

by:AliQahtani
ID: 34083205
is there another way to do it rather than using the tool?
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34083229
Apart from making them a member of the local admin group, disabling through loopback policy & tools, I can't think of anything more now..:)

It's your call now, because something always comes with pros & cons. I can understand your dilemma due to QA, it happens as people fails there is in & out to achieve something.



0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34083556
Even an administrator can't unlock a PC; when an administrator enters his username/password at a locked PC it forcefully logs off the current user.  With Windows alone, the only two options are for the current user to enter his password, or for an administrator to forcefully log off the current user.
At a quick glance, it looks like the tool suggested in comment ID 34082980 is your best bet.  I can't see any other way besides such a program that implements an alternative GINA.
The only other thing that comes to mind is to upgrade to Windows 7, which will allow multiple users to remain logged on simultaneously.
0
 
LVL 3

Author Comment

by:AliQahtani
ID: 34100702
Can we give the user access to log the user out of his session?
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34100805
Again, that will kill the user's session & any open files will be closed w/o saving the changes, & to achieve all this you still require local admin membership access.

0
 
LVL 3

Author Comment

by:AliQahtani
ID: 34101058
We agreed with the users and the QA department that if the user leaves the ICU unit without logging off from the PC, he will lose his work.
This way the users will save their work and log off from the PC regularly.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34101207
Somewhere you have to compromise..
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34101992
You can use the WinExit screen saver, included with the Windows 2003 Resource Kit, to automatically logoff users after a period of inactivity.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en 
0
 
LVL 3

Author Comment

by:AliQahtani
ID: 34185797
there is a way to give the user access to log off the locked PC.
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34187913
Care to enlighten us? How are you able to do that?
0
 
LVL 3

Author Comment

by:AliQahtani
ID: 34290378
Sorry, I made a typing mistake.

Is there a way to give the user access to log off the locked PC?
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34290416
Considerable solution has been given, apart from that, i can't think of anymore now.
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34291291
No, as was already pointed out even an administrator can only forcefully log off the current user if the workstation is locked, and cannot simply unlock it.
0
 
LVL 33

Assisted Solution

by:Todd Gerbert
Todd Gerbert earned 400 total points
ID: 34300040
It's probably worth pointing out that even if you could allow users to unlock a workstation, without logging off the current user, that's very nearly (not quite, but almost) the same thing as creating a generic username and giving everyone the password to this one account - instead of giving each user their own personal login.

In both cases you won't be able to reliably track what user performed what actions, nor will their documents & files be protected/private.
0
 
LVL 24

Assisted Solution

by:Awinish
Awinish earned 100 total points
ID: 34300051
A single user-name & password for multiple guys can be really a threat & almost impossible to track & it's very much inviting more problems..:)
0
 
LVL 33

Accepted Solution

by:
Todd Gerbert earned 400 total points
ID: 34300108
Agreed - that's kind of my point.  I think either approach (either a single username, or allowing users to unlock another's workstation) is a bad idea and a different avenue altogether should be pursued.

Imagine you log onto a workstation, and walk away without logging off - allowing it to lock.  Then I walk up to the same computer, and unlock it without logging you off.  Then I delete some database records; the logs will show that Awinish modified the database, not tgerbert.  I could also read your email (probably), and modify/delete your personal documents.

These are the same sorts of problems you'd have with a single username.  Thus, if using a single username with a publicly known password is not acceptable for these reasons, then allowing users to unlock each others' workstations must also not be acceptable for the same reasons.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34300128
Perfect & detailed explanation; it's time for revamping the policy, & that's the purpose of policy, to make things easier & more controlled.
0
