[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Give some domain user access to unlock the PC

Posted on 2010-11-07
28
Medium Priority
?
441 Views
Last Modified: 2012-05-10

I am working in a hospital and we have 300 PC. Some computer in ICU and some area the user leave the computer, after time the computer will be locked. When an another user want to use the PC he is doing one of two thing
1)      force to shut down the PC( some PC will have OS error after this action)
2)      or call the user (some time the user left hospital)

How can I give some user access to unlock the PC to prevent this two action.
Because it is becoming a big problem in our hospital.

we are 2003 AD and PC is XP
0
Comment
Question by:AliQahtani
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 10
  • 8
  • 7
  • +3
28 Comments
 
LVL 4

Expert Comment

by:Pro_
ID: 34082106
http://www.ensuretech.com/ or http://download.cnet.com/Mouselock/3000-2409_4-10073757.html are some options.

The only other option is to get users to logout properly, use a generic login / get users to connect to TS sessions on 1 PC etc
0
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 34082107
Give those users local admin rights to pc or create one universal user per machine and just setup your apps so they need individual user credentials. Train users to make sure they are the user logged into apps.
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34082118
Perhaps a screen saver that will log out the current user after 10 minutes or so...
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
LVL 3

Expert Comment

by:jodix2002
ID: 34082376
I think you can use something like this:
http://support.microsoft.com/kb/314999
0
 
LVL 3

Author Comment

by:AliQahtani
ID: 34082495
we can not force to log out after time period, some time the nurse will work in one of the application and leave it because she need to see take care for one of the ICU patient and come back to continue her work.


the other thing the hospital have a medical college and the nurse and doctor change a lot in hospital.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34082504
<!--[if gte mso 9]>       1024x768 <![endif]--><!--[if gte mso 9]>   Normal  0          false  false  false    EN-US  X-NONE  X-NONE                                                                          <![endif]--><!--[if gte mso 9]>                                                                                                                                                                                                                                                                                    <![endif]--><!--[if gte mso 10]><![endif]-->I would suggest create new OU, move the ICU system into new OU.
Create new GPO, configure loopback policy, enable disabling screen saver option  & link it to new OU, instead of giving user interference or fiddle with system.

Computer Configuration/Administrative Templates/System/GroupPolicy
loopback policy Enabled  


User configuration/Administrative templates/control panel/display

Screensaver                                            Disabled
Password protect the Screensaver    Disabled
Screensaver time out                            Disabled

http://grouppolicy.editme.com/Loopback
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34082507
I would suggest create new OU, move the ICU system into new OU.
Create new GPO, configure loopback policy, enable disabling screen saver option  & link it to new OU, instead of giving user interference or fiddle with system.

Computer Configuration/Administrative Templates/System/GroupPolicyloopback policy Enabled  


User configuration/Administrative templates/control panel/display

Screensaver                                            Disabled
Password protect the Screensaver    Disabled
Screensaver time out                            Disabled

http://grouppolicy.editme.com/Loopback
0
 
LVL 3

Author Comment

by:AliQahtani
ID: 34082585
the hospital policy is to have a screen saver and password protection.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34082596
Disable only for ICU system as you have to give them local admin right to disable screensaver.
 
0
 
LVL 3

Author Comment

by:AliQahtani
ID: 34082920
i discussed this solution with QA (Quality Assurance)  department they said you can not disable the screen save and password protection in these system.

the only thing that is not against the policy is to give them a right to unlock the PC.
i do not want to give the user local Admin access. i want to give them unlock access.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34082980
Then this tool can do the trick.

http://www.e-motional.com/ULAdmin.htm
0
 
LVL 3

Author Comment

by:AliQahtani
ID: 34083205
is there another way to do it rather than using the tool?
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34083229
Apart from making member of local admin group,disabling through loopback policy & tools, i can't think of anything more now..:)

Its your call now, coz something always comes with pros & cons. I can understand your dilemma due to QA, it happens as people fails there is in & out to achieve something.



0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34083556
Even an administrator can't unlock a PC; when an administrator enters his username/password at a locked PC it forcefully logs off the current user.  With Windows alone, the only two options are for the current user to enter his password, or for an administrator to forcefully log off the current user.
At a quick glance, it looks like http:#34082980 is your best bet.  I can't see any other way besides such a program that implements an alternative GINA.
The only other thing that comes to mind is to upgrade to Windows 7, which will allow multiple users to remain logged on simultaneously.
0
 
LVL 3

Author Comment

by:AliQahtani
ID: 34100702
can we give the user access to log off the user out from his session.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34100805
Again that will kill users session & any open files will be closed w/o saving the changes & to achieve all this still you require local admin membership access.

0
 
LVL 3

Author Comment

by:AliQahtani
ID: 34101058
we agreed with user and the QA department if the user leave the ICU unite with out log off from the PC he will lose his work.
this way the user will save there work and log off from the PC regular.  
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34101207
Somewhere you have to compromise..
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34101992
You can use the WinExit screen saver, included with the Windows 2003 Resource Kit, to automatically logoff users after a period of inactivity.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en 
0
 
LVL 3

Author Comment

by:AliQahtani
ID: 34185797
there is a way to give the user access to log off the locked PC.
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34187913
Care to enlighten us? How are you able to do that?
0
 
LVL 3

Author Comment

by:AliQahtani
ID: 34290378
sorry i made a type mistake

is there a way to give the user access to log off the locked PC?
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34290416
Considerable solution has been given, apart from that, i can't think of anymore now.
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34291291
No, as was already pointed out even an administrator can only forcefully log off the current user if the workstation is locked, and cannot simply unlock it.
0
 
LVL 33

Assisted Solution

by:Todd Gerbert
Todd Gerbert earned 1600 total points
ID: 34300040
It's probably worth pointing out that even if you could allow users to unlock a workstation, without logging off the current user, that's very nearly (not quite, but almost) the same thing as creating a generic username and giving everyone the password to this one account - instead of giving each user their own personal login.

In both cases you won't be able to reliably track what user performed what actions, nor will their documents & files be protected/private.
0
 
LVL 24

Assisted Solution

by:Awinish
Awinish earned 400 total points
ID: 34300051
Single user-name & password to multiple guys can be really a threat & almost impossible to track & its very much inviting more problems..:)
0
 
LVL 33

Accepted Solution

by:
Todd Gerbert earned 1600 total points
ID: 34300108
Agreed - that's kind of my point.  I think either approach (either a single username, or allowing users to unlock another's workstation) is a bad idea and a different avenue altogether should be pursued.

Imagine you log onto a workstation, and walk away without logging off - allowing it to lock.  Then I walk up to the same computer, and unlock it without logging you off.  Then I delete some database records; the logs will show that Awinish modified the database, not tgerbert.  I could also read your email (probably), and modify/delete your personal documents.

These are the same sorts of problems you'd have with a single username.  Thus, if using a single username with a publicly known password is not acceptable for these reasons, then allowing users to unlock each others' workstations must also not be acceptable for the same reasons.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34300128
Perfect & detailed explanation,its time for revamping the policy & thats what the purpose of policy to make it things more easier & controlled.
0

Featured Post

Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question