Register

Forgot Password

Site FAQ

Home > IT Answers > Storage > Allow regular user to unlock screensaver lock...

AdminGurl

0 pts.

Allow regular user to unlock screensaver locked computer

Disaster Recovery, Networking, Network management software, Security, Identity & Access Management, Digital certificates, provisioning, Biometrics, Security Program Management, Compliance, Risk management, Policies, Desktop management applications, Systems management software, CRM, DataCenter, Single sign-on, Security tokens

We have the problem that in a multiuser environment users either lock their computers, or have the screensaver automatically lock it, and leave the workstation. As a result, nobody else can use that computer. By default, only the current user or an adminstrator can unlock the computer. I would like to allow select users who don't have administrator access to unlock the computer.

Is there a group policy or Windows Security setting that would allow some of my users (i.e. non administators) to unlock a workstation?

So far all I can find is a third party application ( Unlock Administrator http://www.e-motional.com/ULAdmin.htm ) This program seems to do the trick but I obviously would prefer to do this through GP.

Any suggestions?

ASKED: Oct 4, 2006 1:31 AM GMT

UPDATED: November 24, 2007 5:30:02 PM GMT

RELATED QUESTIONS

GeorgeBonner

0 pts.

Answer Wiki:

Since security is obviously NOT and issue with theses users or machines and their data, why bother having separate logins or even screensavers ?

If security is an issue, then you cannot allow what youi want to happen.

Last Wiki Answer Submitted: Oct 4, 2006 4:52 AM (GMT) by GeorgeBonner

0 pts.

To see other answers submitted to the Answer Wiki View Answer History.

RSS - Discussions Help

Discuss This Question:

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

POSTED: Oct 4, 2006 9:08 AM (GMT)

I presume you are in a ‘domain’ type network.
Windows 2000/XP workstations, and people log in with a user ID and LOCAL ‘power user’ permissions.

Set the local administrator account to something simple like the name of the normal user (all one word and all lower case). The local admin account has NO network access.

Audit user permissions and if someone tries to elevate their login permissions - ‘Fire them.’

1st time someone complains they ‘lost’ work when the system was overridden the policy of save often becomes easier to enforce.

Howard2nd

0 pts.

POSTED: Oct 4, 2006 9:30 AM (GMT)

Hello,

You can accomplish your goal through Group Policy => Restricted Groups (Computer Configuration => Windows Settings => Security Settings => Restricted Groups). You can use Restricted Groups in GP to assign a user or user group to the ‘local administrators’ group on your workstations which will then give them the power to unlock a locked computer without granting them extended permissions at the domain level.

Note that these users will need to unlock a locked computer by logging on to the local computer and not the domain as you would if you were a domain admin because their permissions are set on the local level only.

Also keep in mind that anytime you force a user off such as is the case when an admin unlocks another users locked computer, any work that the current user has open will not be saved. With this in mind you may consider training your ‘local admins’ to use discretion before forcing users off of a locked computer.

Good luck!

petroleumman

0 pts.

POSTED: Oct 4, 2006 8:57 PM (GMT)

#3 answer noted the important thing — if you let another account adminstratively overrride a locked machine, important work can be lost. At least on Windows 2000. On XP you could think about able allowing multiple logins (user switching) by GPO (don’t beat if that is wrong in domain environment I just blew a brain on alergies and a CCNA test today and am quite numb).

However, I suggest you consider the following for any 2000 workstations. Use GPO to disable normal Cntl-Alt-Delete locking and normal screensavers. Then replace use of the standard or any end user screen savers with one the custom screen savers that allow alternate locking and also allow you more choices about accounts or simply passwords taht can unlock the screensaver. I won’t guarantee that you don’t have to look up registry info for specifying a specific custom screensaver.

I would be more specific but it has been 3 years since the issue came up for me and available screen savers and download sites change.

mortree

0 pts.

POSTED: Nov 24, 2007 5:30 PM (GMT)

You might consider using the user fast switching option in Windows XP and disable the screen saver lock feature.

Wrobinson

5,610 pts.

Ask a Question

Browse IT Answers by Topic

Community Blog | About Us | Contact Us | FAQ | Terms of Use | DMCA Policy

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organization's IT projects - with its network of technology-specific Web sites, events and magazines.
All Rights Reserved, Copyright 1999-2012, TechTarget | Read our Privacy Policy
Questions and Answers Index 1 | Questions and Answers Index 2 | IT Topics Index 1 | IT Topics Index 2 | Blogs Index | Blogs Tags