Allow regular user to unlock screensaver locked computer

Status
Not open for further replies.

MartyG

Distinguished
May 4, 2008
2
0
18,510
We have the problem that in a multiuser environment users either lock their computers, or have the screensaver automatically lock it, and leave the workstation. As a result, nobody else can use that computer. By default, only the current user or an adminstrator can unlock the computer. I would like to allow select users who don't have administrator access to unlock the computer.

Is there a group policy or Windows Security setting that would allow some of my users (i.e. non administators) to unlock a workstation?

So far all I can find is a third party application ( Unlock Administrator http://www.e-motional.com/ULAdmin.htm ) This program seems to do the trick but I obviously would prefer to do this through GP.

Note: I don't want to let just anyone to unlock the computer - I want to be able to select only some users.

Any suggestions?
 

boonality

Distinguished
Mar 8, 2008
42
0
18,590
That's a tough one. The best method to deploy through GP might be to set workstations to log users off after say 30 minutes of inactivity.

4745454b, that is a very bad idea in most environments.
 

Kaldor

Distinguished
Jul 13, 2006
44
0
18,580
My AD stuff is a little fuzzy. But couldn't you build a user profile that would have rights to do this stuff, like a superuser account? Another possibility is to give say the supervisor a regular production login and a admin login. This is a viable option, because you can track exactly what that admin login is doing easily. We use this system at work on the helpdesk for level 1 and 2 support. I have a regular login, and an admin login. I do 90% of my work in regular production, but can remote in and do lots of other stuff using my admin account using a "run as admin" program if need be.
 

4745454b

Distinguished
Moderator
Apr 29, 2006
605
0
19,210
4745454b, that is a very bad idea in most environments.

No worse then what he wants already. If you trust them enough to give them the ability to unlock a computer, why not go all the way? Even if there was a way to do what the OP wants, harm could still come. Are these select few trusted or not?
 

uguv

Distinguished
Jan 2, 2008
4
0
18,510
I don't think that's a GPO setting. The closest I can find is to force logoff after so many minutes idle. There's always the old "cold boot" method!
 

zenmaster

Distinguished
Feb 21, 2006
41
0
18,590
You need to use a 3rd party solution (That is why it exists) or try one of the other solutions mentioned. Such as making them an administrator or enabling some type of auto-logoff function. I believe MS even has a screen-saver that will do that function.
 

zenmaster

Distinguished
Feb 21, 2006
41
0
18,590
And the idea of giving admin rights to a PC is not necessarily bad.

There are many views on the topic and often depends on how you have your stuff setup.

I know someplaces who give eveyone admin rights, but anytime there is an issue they just blow down a new image remotely in about 10minutes that is customized with their software and their personal configurations.

I know other places that lock it down tight so that the machines rarely break and never need imaging.

Heck some places even have a Read/Only Local Drive with the device being primarily a "Terminal" device.
 

4745454b

Distinguished
Moderator
Apr 29, 2006
605
0
19,210


I knew that was true for my home machines, I wasn't sure if it would be different with a Domain server. (I didn't think it would, but I didn't want to say something and look like an idiot.) When the admin puts in his password, it logs the current user out, then logs into the admin account.
 

MartyG

Distinguished
May 4, 2008
2
0
18,510



So far the best solution would be to automatically log the user off. Unfortunately, if the same user returns, their session is lost.

I have seached for an MS screensaver that allows you to unlock other users and can't find one. I have only found WinExit.

Thanks to all for all of you helpful feedback.
 

hollett

Distinguished
Jun 5, 2001
13
0
18,560
We have toyed with a similar problem for a while.

Our solution was to give the call centre supervisors a second account so a user called USER1234 also has a second account called USER1234a the second account is in a domain group that is a member of the local admin group but also denied access to interactive logons.

The result of this was to enable the users to log people off using the 'admin' account but not allow them to log on with the account and do any damage.
 

rgarito

Distinguished
Jul 15, 2009
1
0
18,510
I know this is an old thread, but I have found a solution in a third-party screen saver specifically designed for this purpose.

Screen Pass:
https://mmm1408.sanjose14-verio.com/bgrove/workstation-lock-autologoff/enforced-desktop-lock.htm

Amongst other features, it supports administrative unlock (vs logout), timed logout, group policy administration, select users being able to unlock (vs logout) via active directory groups, etc.

We have been testing this with a few of our clients and it looks really good....
 

JoshTay

Honorable
Feb 10, 2012
1
0
10,510



This is now an ancient thread, but would this work?:

I have not tried this, but it might be worth testing.
Create a local user and give it admin rights. Then in group policy, under User Rights, deny the account from logging on locally.
Share this account, so someone could use it to log off the current user, but not actually log on with admin rights.
Then the user could logon with their own account.
thoughts?
 
Status
Not open for further replies.