Allow regular user to unlock screensaver locked computer

pts.
Tags:
Biometrics
Compliance
CRM
DataCenter
Desktop management applications
Digital certificates
Disaster Recovery
Identity & Access Management
Network management software
Networking
Policies
provisioning
Risk management
Security
Security Program Management
Security tokens
Single sign-on
Systems management software
We have the problem that in a multiuser environment users either lock their computers, or have the screensaver automatically lock it, and leave the workstation. As a result, nobody else can use that computer. By default, only the current user or an adminstrator can unlock the computer. I would like to allow select users who don't have administrator access to unlock the computer. Is there a group policy or Windows Security setting that would allow some of my users (i.e. non administators) to unlock a workstation? So far all I can find is a third party application ( Unlock Administrator http://www.e-motional.com/ULAdmin.htm ) This program seems to do the trick but I obviously would prefer to do this through GP. Any suggestions?

Answer Wiki

Thanks. We'll let you know when a new response is added.

Since security is obviously NOT and issue with theses users or machines and their data, why bother having separate logins or even screensavers ?

If security is an issue, then you cannot allow what youi want to happen.

Discuss This Question: 4  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Howard2nd
    I presume you are in a 'domain' type network. Windows 2000/XP workstations, and people log in with a user ID and LOCAL 'power user' permissions. Set the local administrator account to something simple like the name of the normal user (all one word and all lower case). The local admin account has NO network access. Audit user permissions and if someone tries to elevate their login permissions - 'Fire them.' 1st time someone complains they 'lost' work when the system was overridden the policy of save often becomes easier to enforce.
    30 pointsBadges:
    report
  • Petroleumman
    Hello, You can accomplish your goal through Group Policy => Restricted Groups (Computer Configuration => Windows Settings => Security Settings => Restricted Groups). You can use Restricted Groups in GP to assign a user or user group to the 'local administrators' group on your workstations which will then give them the power to unlock a locked computer without granting them extended permissions at the domain level. Note that these users will need to unlock a locked computer by logging on to the local computer and not the domain as you would if you were a domain admin because their permissions are set on the local level only. Also keep in mind that anytime you force a user off such as is the case when an admin unlocks another users locked computer, any work that the current user has open will not be saved. With this in mind you may consider training your 'local admins' to use discretion before forcing users off of a locked computer. Good luck!
    0 pointsBadges:
    report
  • Mortree
    #3 answer noted the important thing -- if you let another account adminstratively overrride a locked machine, important work can be lost. At least on Windows 2000. On XP you could think about able allowing multiple logins (user switching) by GPO (don't beat if that is wrong in domain environment I just blew a brain on alergies and a CCNA test today and am quite numb). However, I suggest you consider the following for any 2000 workstations. Use GPO to disable normal Cntl-Alt-Delete locking and normal screensavers. Then replace use of the standard or any end user screen savers with one the custom screen savers that allow alternate locking and also allow you more choices about accounts or simply passwords taht can unlock the screensaver. I won't guarantee that you don't have to look up registry info for specifying a specific custom screensaver. I would be more specific but it has been 3 years since the issue came up for me and available screen savers and download sites change.
    0 pointsBadges:
    report
  • Wrobinson
    You might consider using the user fast switching option in Windows XP and disable the screen saver lock feature.
    5,625 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following