Unlock workstation without closing session

[sue_brighton]

For WinNT, Win2000, and WinXP, when a workstation is locked, nobody but the person who locked that station (not even an admin) can unlock the station. When an administator tries to unlock the station, the session will close immediately shutting down all the applications that are currently running on the system. This often poses a problem for us. We often see yellow stickies asking people not to touch the system. Shutting down someones system is simply not an option.

This does not make any sense to me! This, in effect gives a regular user more power than an administrator who should have absolute control over the system.

Ideally, as an administrator, I would like to be able to truely unlock the system. That is, unlock the system without closing the session.

Anyone know how or even if this is possible?

Sue

[phishphreek]

AFAIK, nope. Another user can't unlock it without logging that user off.

However, you can use a remote desktop tool.

Windows remote desktop will also sign the user off... however... vnc won't!
If you configure it properly, they'll never even know you're watching/looking at the desktop.

Check out vnc @ http://www.realvnc.com/

There are others out there... I just suggested vnc because its free.

If you don't want to do that then... look into remote tools like pstools.

Pretty nice little set of tools.

PsExec - execute processes remotely
PsFile - shows files opened remotely
PsGetSid - display the SID of a computer or a user
PsKill - kill processes by name or process ID
PsInfo - list information about a system
PsList - list detailed information about processes
PsLoggedOn - see who's logged on locally and via resource sharing (full source is included)
PsLogList - dump event log records
PsPasswd - changes account passwords
PsService - view and control services
PsShutdown - shuts down and optionally reboots a computer
PsSuspend - suspends processes
PsUptime - shows you how long a system has been running since its last reboot (PsUptime's functionality has been incorporated into PsInfo)

http://www.sysinternals.com/ntw2k/fr.../pstools.shtml

The windows resource kit also has some good scripts/programs that can help you find out info about a remote system.

http://www.microsoft.com/windowsserv...s/default.mspx
http://www.petri.co.il/download_free_reskit_tools.htm

If you buy the resource kit book, you get many many more tools.

[MURACU]

From a security outlook it makes good sense. Imagine if that wasnt the case a system admin who is not happy for whatever reason. Using a Remote desktop style software when his boss is in a meeting he could unlock the bosses computer and start sending e-mails using the bosses account.

In my experiance most remote destop tools wont really help you either if what you want to do is back up the users work before a reboot.
they fonction normally in one of two ways under windows.
Either they connect you to the machine using the session that is active. this means that you can see what the users sees and preform all the standard operations as if you were in front of the machine but if the post is locked locally you have the same problem.
Or else they connect in a console mode like a terminal server. the problem is all the sessions are totaly independant of each other so you cant see what the other people connected have launched.

Edit the_JinX I edited this post to make it read a bit better. If the admin could unlock the sessions of standard users you would get the situation mentioned above.

[phishphreek]

Either they connect you to the machine using the session that is active. this means that you can see what the users sees and preform all the standard operations as if you were in front of the machine but if the post is locked locally you have the same problem.

Thats the beauty of VNC. You can have multiple sessions and still log into the machine even though the desktop may be locked on one session, it won't on another. I'm not sure if this is true with the m$ client... I've only used it on *nix clients.

[hellforgedangel]

phishphreek80, How would you go about configuring VNC properly?

I know when i was on work experiance we used VNC to remote control the servers and if the were locked then it would just bring up the unlock dialog box for us and we had to unlock them remotely. So if a user had locked their work station it would be the same as logging on localy like MURACU said.

sue_brighton, Unfortunatly i do not know how to do this but maby some googleing will turn answers up, I know that you can disable the windows lock in at least win2000 so i would have thought it would work across the board. You could prehaps disable the windows lock and then get a third party program to allow users to lock their desktops but ensure you find one with some kind of override, Or failing that make one

[phishphreek]

hellforgedangel: Not quite sure for m$. I've only used it on linux.

It creates multiple x windows desktop sessions.

Let me mess with the windows version a bit today. I might not be able to be done on m$.
Like you all are saying.

I've been wrong before... several times.

[the_JinX]

<off-topic>

Originally posted here by MURACU
Using a Remote desktop style software when his boss is in a meeting he could unlock the bosses computer and start sending e-mails using the bosses account.

That would be one incompetent admin..
since evryone can send emails from anybody elses acount..

leave me your mail addy and I'll send you a nice worm from w.gates@microsoft.com or would you prefer a pr0n mail from g.w.bush@whitehouse.gov
</off-topic>

I'm using VNC at work, and I don't think the windows version can manage multi-sessions (like the linux version does)
Because the host os (windows) is not a real multi-user operating system..

[slarty]

I developed a tool which allows you to unlock the workstation as administrator without logging the user off.

It's currently at the "proof-of-concept" stage and only tested on Windows 2000. The current program simply has a timer, waits for a predetermined interval, then unlocks the local workstation. However I could be persuaded to make a version which works remotely over the network - which is a relatively simple matter.

If you want to persue this further please PM me.

Cheers

Slarty

[slarty]

Oh yes one other thing I should mention...

VNC server works completely differently on Windows than it does on Linux (X). On Linux it creates its own X server which can log on independently. On Windows it simply mirrors the desktop.

If the console desktop is locked, VNC cannot unlock it.

Slarty

[MURACU]

the_JinX
I edited my post above so it is clearer.

As for VNC I think that on a windows system you can only connect one session at a time. I know that with windows 2003 server you can use remote desktop to open a number of different sessions on the same server.