Solved

Give some domain user access to unlock the PC

Posted on 2010-11-07
28
389 Views
Last Modified: 2012-05-10

I am working in a hospital and we have 300 PCs. In the ICU and some other areas, users leave the computer, and after some time the computer is locked. When another user wants to use the PC, he does one of two things:
1)      forces a shutdown of the PC (some PCs have OS errors after this action)
2)      or calls the user (sometimes the user has left the hospital)

How can I give some users access to unlock the PC to prevent these two actions?
Because it is becoming a big problem in our hospital.

We are on 2003 AD and the PCs are XP.
Question by:AliQahtani
28 Comments
 
LVL 4

Expert Comment

by:Pro_
http://www.ensuretech.com/ or http://download.cnet.com/Mouselock/3000-2409_4-10073757.html are some options.

The only other option is to get users to log out properly, use a generic login / get users to connect to TS sessions on 1 PC, etc.
0
 
LVL 8

Expert Comment

by:ShareefHuddle
Give those users local admin rights to the PC, or create one universal user per machine and just set up your apps so they need individual user credentials. Train users to make sure they are the user logged into the apps.
0
 
LVL 33

Expert Comment

by:Todd Gerbert
Perhaps a screen saver that will log out the current user after 10 minutes or so...
0
 
LVL 3

Expert Comment

by:jodix2002
I think you can use something like this:
http://support.microsoft.com/kb/314999
0
 
LVL 3

Author Comment

by:AliQahtani
We cannot force a logout after a time period. Sometimes the nurse will be working in one of the applications and leave it because she needs to take care of one of the ICU patients, and then come back to continue her work.

The other thing is that the hospital has a medical college, and the nurses and doctors change a lot in the hospital.
0
 
LVL 24

Expert Comment

by:Awinish
I would suggest creating a new OU and moving the ICU systems into the new OU.
Create a new GPO, configure loopback policy, enable the option disabling the screen saver & link it to the new OU, instead of letting users interfere or fiddle with the system.

Computer Configuration/Administrative Templates/System/GroupPolicy
loopback policy Enabled  


User configuration/Administrative templates/control panel/display

Screensaver                                            Disabled
Password protect the Screensaver    Disabled
Screensaver time out                            Disabled

http://grouppolicy.editme.com/Loopback
0
 
LVL 3

Author Comment

by:AliQahtani
The hospital policy is to have a screen saver and password protection.
0
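Added example, not part of the original thread: a PowerShell check, run in a logged-on user's session on an ICU workstation, that reads the registry values behind the loopback and screen-saver Group Policy settings listed above and reports whether the screen-saver lock required by the hospital policy is actually enforced. The 600-second limit is an assumed placeholder for the site's own value.

```powershell
# Added example (not from the thread): audit the effective screen-saver lock policy.
# Registry locations written by the Group Policy settings discussed above.
$userKey    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$machineKey = 'HKLM:\Software\Policies\Microsoft\Windows\System'
$maxSeconds = 600   # ASSUMPTION: placeholder limit, replace with the site's own value

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (setting "Not Configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

$active  = Get-PolicyValue $userKey 'ScreenSaveActive'      # "Screen Saver"
$secure  = Get-PolicyValue $userKey 'ScreenSaverIsSecure'   # "Password protect the screen saver"
$timeout = Get-PolicyValue $userKey 'ScreenSaveTimeOut'     # "Screen Saver timeout", in seconds
$loop    = Get-PolicyValue $machineKey 'UserPolicyMode'     # loopback: 1 = Merge, 2 = Replace

$findings = @()
if ("$active" -ne '1') { $findings += "Screen saver is not enforced (ScreenSaveActive='$active')" }
if ("$secure" -ne '1') { $findings += "Password protection is not enforced (ScreenSaverIsSecure='$secure')" }

$seconds = 0
if (-not [int]::TryParse("$timeout", [ref]$seconds) -or $seconds -le 0) {
    $findings += "No screen-saver timeout is set by policy (ScreenSaveTimeOut='$timeout')"
} elseif ($seconds -gt $maxSeconds) {
    $findings += "Timeout of $seconds s exceeds the $maxSeconds s limit"
}

switch ("$loop") {
    '1'     { $mode = 'Merge' }
    '2'     { $mode = 'Replace' }
    default { $mode = 'not enabled' }
}
Write-Output "Loopback processing: $mode"

if ($findings.Count -eq 0) {
    Write-Output 'COMPLIANT: screen saver with password protection is enforced by policy.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```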
 
LVL 24

Expert Comment

by:Awinish
Disable it only for the ICU systems, as you have to give them local admin rights to disable the screensaver.
 
0
 
LVL 3

Author Comment

by:AliQahtani
I discussed this solution with the QA (Quality Assurance) department; they said you cannot disable the screen saver and password protection on these systems.

The only thing that is not against the policy is to give them a right to unlock the PC.
I do not want to give the users local admin access. I want to give them unlock access.
0
 
LVL 24

Expert Comment

by:Awinish
Then this tool can do the trick.

http://www.e-motional.com/ULAdmin.htm
0
 
LVL 3

Author Comment

by:AliQahtani
Is there another way to do it rather than using the tool?
0
 
LVL 24

Expert Comment

by:Awinish
Apart from making them members of the local admin group, disabling through loopback policy & tools, I can't think of anything more now..:)

It's your call now, coz something always comes with pros & cons. I can understand your dilemma due to QA, it happens as people fails there is in & out to achieve something.
0
 
LVL 33

Expert Comment

by:Todd Gerbert
Even an administrator can't unlock a PC; when an administrator enters his username/password at a locked PC it forcefully logs off the current user.  With Windows alone, the only two options are for the current user to enter his password, or for an administrator to forcefully log off the current user.
At a quick glance, it looks like http:#34082980 is your best bet.  I can't see any other way besides such a program that implements an alternative GINA.
The only other thing that comes to mind is to upgrade to Windows 7, which will allow multiple users to remain logged on simultaneously.
0
 
LVL 3

Author Comment

by:AliQahtani
Can we give the user access to log the user out of his session?
0
 
LVL 24

Expert Comment

by:Awinish
Again, that will kill the user's session & any open files will be closed w/o saving the changes, & to achieve all this you still require local admin membership access.
0
 
LVL 3

Author Comment

by:AliQahtani
We agreed with the users and the QA department that if a user leaves the ICU unit without logging off from the PC, he will lose his work.
This way the users will save their work and log off from the PC regularly.
0
 
LVL 24

Expert Comment

by:Awinish
Somewhere you have to compromise..
0
 
LVL 33

Expert Comment

by:Todd Gerbert
You can use the WinExit screen saver, included with the Windows 2003 Resource Kit, to automatically log off users after a period of inactivity.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en
0
 
LVL 3

Author Comment

by:AliQahtani
There is a way to give the user access to log off the locked PC.
0
 
LVL 33

Expert Comment

by:Todd Gerbert
Care to enlighten us? How are you able to do that?
0
 
LVL 3

Author Comment

by:AliQahtani
Sorry, I made a typing mistake.

Is there a way to give the user access to log off the locked PC?
0
 
LVL 24

Expert Comment

by:Awinish
A considerable solution has been given; apart from that, I can't think of any more now.
0
 
LVL 33

Expert Comment

by:Todd Gerbert
No, as was already pointed out even an administrator can only forcefully log off the current user if the workstation is locked, and cannot simply unlock it.
0
 
LVL 33

Assisted Solution

by:Todd Gerbert
Todd Gerbert earned 400 total points
It's probably worth pointing out that even if you could allow users to unlock a workstation, without logging off the current user, that's very nearly (not quite, but almost) the same thing as creating a generic username and giving everyone the password to this one account - instead of giving each user their own personal login.

In both cases you won't be able to reliably track what user performed what actions, nor will their documents & files be protected/private.
0
 
LVL 24

Assisted Solution

by:Awinish
Awinish earned 100 total points
A single username & password for multiple guys can really be a threat & almost impossible to track, & it's very much inviting more problems..:)
0
 
LVL 33

Accepted Solution

by:Todd Gerbert
Todd Gerbert earned 400 total points
Agreed - that's kind of my point.  I think either approach (either a single username, or allowing users to unlock another's workstation) is a bad idea and a different avenue altogether should be pursued.

Imagine you log onto a workstation, and walk away without logging off - allowing it to lock.  Then I walk up to the same computer, and unlock it without logging you off.  Then I delete some database records; the logs will show that Awinish modified the database, not tgerbert.  I could also read your email (probably), and modify/delete your personal documents.

These are the same sorts of problems you'd have with a single username.  Thus, if using a single username with a publicly known password is not acceptable for these reasons, then allowing users to unlock each others' workstations must also not be acceptable for the same reasons.
0
 
LVL 24

Expert Comment

by:Awinish
Perfect & detailed explanation. It's time for revamping the policy, & that's the purpose of a policy: to make things easier & controlled.
0
