none
How to Unlock Windows 7 Enterprise when another user has locked the screen?

    Pregunta

  • I had a simple question about Windows 7 Enterprise. I am a computer technician in a corporation serviceing 7000+ PC's. In the past (on Windows XP Professional) when a user would lock the computer we as administrators could unlock the computer and force the log off of the user. Can this feature or one similar be applied In Windows 7 Enterprise if Fast User switching is turned off?
    • Cambiado Carey FrischMVP, Moderator martes, 05 de abril de 2011 15:58 Moved to more appropriate forum category (From:Windows Vista Desktop UI)
    viernes, 14 de mayo de 2010 15:07

Todas las respuestas

  • Hi,

    Yes, there is significant changes to user switch comparing Windows XP & Vista or 7.

    Windows 7 & Vista offers mutli login for users within domain and to log off any user: you have to login to a computer using administrator account - open task manger - users tab - from the panel you will get access to manage log in users.

    Bart


    Bart Kurowski IT Support Analyst, MCP, MCTS, MCITP, MCAS
    viernes, 21 de mayo de 2010 21:33
  • Yes, but how do you log in to the already locked PC when the boss has deemed the snazzy new "fast user switching" and RDP verboten? Is there no way to unlock a locked desktop short of cutting power??

    martes, 14 de diciembre de 2010 20:47
  • I too have this same question...

    In our environment we have "fast user switching" disabled and our workstations set to lock after 15 minutes (for security)...
    On Win7 workstations that are shared by multiple employees, the previous user forgets to log off when they walk away, and the next user is unable to login. The only options we currently have is to hold the power button in to shut down the workstation...

    We need to be able to unlock (force logoff) a workstation, like we did with Windows XP...

    Anybody got any ideas on how to do this with "fast user switching" disabled?

    Thanks,
    Justin

    jueves, 24 de marzo de 2011 20:44
  • I am having the same issue and as yet am unable to find a solution other than resetting the machine as you say... which is obviously not a good thing. There must be a way to do this as this must be occurring all over the place. If I find something I'll post it up..

    Cheers

    miércoles, 30 de marzo de 2011 8:44
  • I developed a possible solution to this problem which at the moment is undergoing MS Review. I'll keep you updated on the progress. I already tested it in our infrastructure and it works.

    miércoles, 18 de mayo de 2011 10:32
  • Hi, i'm in need of this too.

    Windows 7 Pro, domain joined with fast user switching disabled. If you need anymore testers for your solution i'd be happy to volunteer.

    viernes, 20 de mayo de 2011 6:47
  • with a client desktop locked-what do you get with a Alt+W?

     

    viernes, 20 de mayo de 2011 23:07
  • with a client desktop locked-what do you get with a Alt+W?

    On Windows 7 Enterprise x64, [Alt]+[W] does nothing at:
    - the "press Ctrl+Alt+Del to unlock" screen,
    - the "enter current user password" screen, or
    - on the "other credentials" screen (only viewable on laptops with smart card readers)

    What did you think [Alt]+[W] would do?

    Justin

    martes, 24 de mayo de 2011 17:37
  • Any word on the solution yet?
    martes, 24 de mayo de 2011 20:47
  • Yes, we're making progress with the review process. Currently, the solution is being reviewed by the Design and Product group teams. My hope is that they are going to "officialize" the solution and make a hotfix/patch/feature pack using the same technologies themselves. This way, every admin around the world could use the solution and be sure to use Microsoft sanctioned code.

    If this process "fails" and all i get is "it's ok to do it this way, but we won't officially embrace it" or something along these lines, i'll upload it somewhere myself (including source of course). But until then, i'll keep it to myself.

    miércoles, 25 de mayo de 2011 6:45
  • I have an OK from Microsoft that the proposed solution is within "Windows" design boundaries. I uploaded the compiled x86 and x64 binaries to http://www.filefactory.com/file/ccb8b53/n/AdministrativeUnlock.zip. Batch Files for easy (de)installation is included. Just use "Run as Administrator" with the Batch file for your platform, the lock the machine. When trying to unlock, you should have a "Other Credentials" Button. Click it, select "Administrative Unlock", then enter username and password of a user which is in the local Administrator Group.

     

    Please provide feedback here, there's no other place i could use.

     

    • Propuesto como respuesta Justin007 lunes, 20 de junio de 2011 14:07
    viernes, 10 de junio de 2011 7:31
  • Please use your skydrive public folder- what the #@#@^$% is that link?
    viernes, 10 de junio de 2011 20:03
  • Ok, made a skydrive profile and shared a folder with the public. you should be able to get it there - http://cid-9363831414c526a5.office.live.com/self.aspx/Public/AdministrativeUnlock.zip
    • Propuesto como respuesta Master ALF jueves, 16 de junio de 2011 10:52
    viernes, 10 de junio de 2011 21:35
  • Works great thanks.
    lunes, 13 de junio de 2011 19:52
  • Oliver, do you have a similar solution for Windows 7 Professional?  I tried the solution you created for Enterprise on a W7 Pro box with no success.

    martes, 14 de junio de 2011 17:58
  • What kind of problem are you experiencing?
    For Installation, make sure you choose the batch-file for the right architecture (x86 / x64) and also make sure to start the batch file by Right-Clicking it and then selecting "Run as Administrator...". Even if you are logged in as local admin, you have to start it that way or it won't work. To my knowledge, there should be no difference between Win7 Enterprise and Win7 Professional regarding this solution (using a custom Credential Provider), so i think you're doing something wrong along the way.

    martes, 14 de junio de 2011 18:11
  • Thanks Oliver F!!  I have been looking for a solution on this myself.  I'll give it a shot tomorrow.  Although, I got a couple questions though.  First is when you refer to "start the batch file" are you referring to "Install_x86.cmd" (for a 32bit Windows 7 Prof machine)?  The other question is when you say Microsoft has given you an OK, does this mean that Microsoft will "make a hotfix/patch/feature pack using the same technologies themselves"?  Again, Thanks for the help!!
    martes, 14 de junio de 2011 23:43
  • That is correct, i'm talking about the two Install-Batch Files, which would be "Install_x86" for a 32-Bit Windows 7 Machine. The decision whether Microsoft will do something themselves or not is still up in the sky, but they gave me the "OK" to use it because in their review there was nothing to complain about (regarding the program code and the use of API calls, which could've gone against the basic design guidelines but did not).
    miércoles, 15 de junio de 2011 6:10
  • Just put it on my Windows 7 Professional machine and it worked great!!  The only thing I found was I needed to use the local administrator account for the computer for it to work.  The domain administrator account didn't work.  Great solution though!!  Thanks again Oliver F!!
    miércoles, 15 de junio de 2011 12:33
  • You need to use an account that is a member of the machine's local "Administrators" group. Whether that is a domain user or local user is irrelevant.
    miércoles, 15 de junio de 2011 13:18
  • Thanks!!!!

    We have been looking for a solution since the Win7-release in june 2009.

    This DLL-fix works fine, and easy to install/deploy to our computers... Great work!

     


    jueves, 16 de junio de 2011 10:22
  • Ok, made a skydrive profile and shared a folder with the public. you should be able to get it there - http://cid-9363831414c526a5.office.live.com/self.aspx/Public/AdministrativeUnlock.zip

    Works great. Thanks for the sulution

     

    / Magnus

    jueves, 16 de junio de 2011 10:58
  • At this point is the unofficial download the only option that's going to be available, or will it eventually be rolled into a hotfix from ms?
    jueves, 16 de junio de 2011 16:06
  • @Gai-jin --- I'm waiting and wondering the same thing. My organization, with 2000+ Windows 7 Pros, is having this same issue. Right now the solution is hard shut-downs all over the campus... not exactly an elegant solution.

    I would go with Oliver F's solution, but unfortunately corporate policies don't allow. I really need an official Microsoft solution.

    Anyone heard anything?

     


    System Admin and Resident Sandcastle Builder :) www.Sandcastling.com
    miércoles, 06 de julio de 2011 18:43
  • As a workaround we’re using remote desktop to logoff computers with locked users.

    Our corporate security policy doesn't allow Oliver’s program and I’m pretty sure PCI doesn’t either. We would need something official from MS.

    miércoles, 06 de julio de 2011 23:00
  • I don't know why, but using RDP never entered my mind. Brilliant workaround, Ross. 

    Which leads me to think (sometimes dangerous that can be) that one of Mark Russinovich's infamous PSTools could be of help. Particularly this command:

    psshutdown \\RemoteSystem -o    

    Despite how the command looks -- shutting down the system -- the '-o' switch instructs the system to only "Logoff the console user"... and stop there. I'll have to give it a try, but it should work.

    Still hoping MS will come through with a tweak. It is so hard to believe that such a relatively simple, and helpful thing could have been intentionally removed... with no way to change via GPO.

     


    System Admin and Resident Sandcastle Builder :) www.Sandcastling.com
    jueves, 07 de julio de 2011 11:53
  • I don't believe something official will be available within a reasonable timeframe. Meanwhile, would your corporate policies allow for you to compile a solution yourself? It's really not that complicated a program, as it's essentially a Credential Provider that logs a user off upon entering your credentialy instead of unlocking the screen/logging you on.
    lunes, 11 de julio de 2011 6:08
  • Hello Oliver,

    thank you for providing your solution. You mentioned something about recompiling. Can you provide the sourcecode?

     

    Thanks in advance, Th0u

    lunes, 11 de julio de 2011 12:23
  • I added the source files to my public skydrive folder, you can grab it here: https://skydrive.live.com/?cid=9363831414c526a5&sc=documents&uc=1&id=9363831414C526A5%21105. You will need Visual Studio 2010 and the Windows SDK (v7.0A) to be able to compile it. I hope it'll work this way.. if not, i may have to include all the external dependencies in the project, which i'd rather not do.
    lunes, 11 de julio de 2011 12:31
  • Thank you.

    Great job.

    lunes, 11 de julio de 2011 14:55
  • I'll add my thanks for your providing the tool, and being generous enough to provide it the source.  As with some (too few) other shops, there's no way I could use a binary from any source other than an identifiable corporation, but with the source that isn't as large an issue.

    One question: What is the copyright status of the files? Based on this thread you're the author, and they were not a work-for-hire, but each of the files in the source ZIP file carries a Microsoft copyright notice (perhaps inserted during Microsoft's review?). My facility has a strong policy regarding IP and I need to be able to assure management that we have the legal right to use the programs. The CSample* files are distributed by Microsoft and aren't an issue but the others - the heart of the unlock function - are the problem.

    Thanks again for the tools.


    Joe Morris
    viernes, 05 de agosto de 2011 14:56
  • Where should this "Other Credential" button appear? I'm just testing this and I'm not seeing it anywhere.

    EDIT: I didn't run the .cmd file as Administrator so I was getting an access denied when it tried to copy the .dll file.

    viernes, 05 de agosto de 2011 19:40
  • The solution is based on a sample included in the Windows SDK. It's basically a partly rewritten Credential Provider Sample. This "should", but don't quote me on that, allow you to use it without restrictions. If you're unsure about the license, get in contact with Microsoft and ask about the Status of code included in the Windows SDKs. What files are you talking about that could be the problem, because i didn't add anything extra, the include files were added by VS2010 automatically and should be part of the Windows Operating System.
    domingo, 07 de agosto de 2011 9:04
  • You've answered my question; as long as the copyright notices are all from the SDK samples (which are clearly distributable) plus your changes there shouldn't be any problems from the IP people.  Your comment upthread about submitting it to Microsoft was the source of my concern.  (And thanks for the quick response!)

    Here's another question/request for you: how practical would it be to integrate normal (PKI-based) smartcard authentication with your code? My problem is that while I'm no stranger to system-level programming (I learned it on an IBM 7090 and a DEC PDP-1) I'm only marginally proficient with C++ and haven't worked with credential providers except to try (as a work in progress!) to figure out how the force-off code works. My organization's problem is that while we currently use normal userid/password authentication we will be moving to smartcard-based logon in the not-too-distant future and part of my job is to avoid introducing problems for smartcard users.

    A suggestion for readers who are implementing this on a kiosk system (or anything similar, such as a conference room machine): consider deleting the test for membership in the administrators group (i.e., in the IF statement testing bIsAdmin, always execute the true branch).  This will allow any user to force off a session that a previous kiosk user has impolitely failed to close.  It would be inappropriate to allow this on typical desktop systems but for systems used by the general user population it avoids calling out an administrator (or a forced power-off)...and I have little sympathy for someone who loses edits because they left a kiosk system locked.


    Joe Morris
    lunes, 08 de agosto de 2011 14:43
  • Hi Joe,

    I am sorry to say that i didn't dabble in the use of smartcards as of yet. I have no idea what API calls would be necessary, or rather, what happens if a user inserts a smartcard into the computer. You might want to check out the SDK documentation on this, or maybe even find a Credential Provider that is suitable for smartcards (there is a hardware sample credential provider in the Windows SDK) and try to insert my code at the appropriate place. Though, you shouldn't forget that if you were to do that, you'd have TWO additional providers installed, because obviously, you can't cram both methods combined in one Credential Provider (well, as far as i know you can't).

    Having had a short look at the Hardware Sample code in the sdk, it even seems the function where i did the changes would be unaffected by the methodology of credential input (makes sense this way, too), so it might be really easy to change that one around the same way. The only difference between HID-Input and Hardware-Input of credentials lies in the Input-Methodology, the authentication process would/should be essentially be the same. Hope that helps, i can't even try to develop that because i lack the infrastructure to test it.

    Your suggestion about unlocking machines w/o administrative privileges is suitable, but i'd propose adding a local user group on the systems (named appropriately, like "System Unlockers") and put the domain administrators into this group by default, and adding "everyone" on those kiosk systems. That way, you still have control over it and could even add certain non-Administrators on some PCs. Stupid me for not having thought about that before, would make more sense to check for either Administrator OR <insert group name here> membership. Oh well...

    martes, 09 de agosto de 2011 6:21
  • I also thank you for this.

    We use lenovo thinkpads and many of them have fingerprint readers which are also shimmed into the logon process.

    It appears that when I add this after the fingerprint reading software is installed, that it simply enable fast switching. When I click on other credientials, I get a logon screen and can log in directly. There is no logoff flash, I am signed right in.

    Also, I am able to use a non-admin user to sign on, rather than mandating an admin.

    Any thoughts?

    miércoles, 24 de agosto de 2011 21:57
  • Never mind. It was acting up because I didn't run the install script as Admin.

    Now that I've done that, it seem to be working fine.

    Thanks again. You have made me a hero to my boss.

    miércoles, 24 de agosto de 2011 22:32
  • This was a good idea SandcastlingRon but in my tests it only works if the console session is active (if that's the correct term). By that I mean, if the PC is locked this doesn't log off the user, though psshutdown states "Console logoff initiated on [pc name]". When the user was active in the console session the command kicked them right out.

    FYI - I've tested the custom DLL provided by Oliver F and it works very well. We're now trying to determine if it's truly legit and supported by MS.

    viernes, 23 de diciembre de 2011 17:59
  • Works great Oliver, thank you! We're going to have to get it signed off by management for use in our environment and I'm hoping this won't be too much of a problem.

    Any word on MS including the fix in a future Feature Pack or something?

    viernes, 23 de diciembre de 2011 18:11
  • And failing a (positive) response from MS, what do you say to moving the project to a better home?  As near as I can tell, the only way to find out about this very useful tool right now is if you just happen to bump into it in this one specific thread.

    While I don't envision a great deal of development effort (if any) will ever be necessary for this project, perhaps SourceForge.net would make sense?  It has CVS/SVN to keep track of the source code, a download area for the executable files, and the ability to make a web page that describes the thing.

    I thought about just taking what you had posted and creating a project there myself, but even if I put your name all over the place and links to this thread, it would still have felt like stealing your idea/work.

    viernes, 23 de diciembre de 2011 21:02
  • As an update, we're still in progress doing things with microsoft regarding this project. as much as i doubt that it will be included in a feature pack or something similar, i'll wait for this process to finish before doing anything else. here's hoping windows 8 reintroduces this feature out of the box ;)
    viernes, 23 de diciembre de 2011 22:25
  • Thank you for your creative solution Oliver. I was wondering if you could help me. I tried compiling your source code with Visual Studio 2010 SP1, but I'm getting the following errors:

    Error    1    error LNK2019: unresolved external symbol _LsaDeregisterLogonProcess@4 referenced in function "long __cdecl RetrieveNegotiateAuthPackage(unsigned long *)" (?RetrieveNegotiateAuthPackage@@YAJPAK@Z)    C:\Users\user\Desktop\AdministrativeUnlock_Source\AdministrativeUnlock\helpers.obj    AdministrativeUnlock
    Error    2    error LNK2019: unresolved external symbol _LsaLookupAuthenticationPackage@12 referenced in function "long __cdecl RetrieveNegotiateAuthPackage(unsigned long *)" (?RetrieveNegotiateAuthPackage@@YAJPAK@Z)    C:\Users\user\Desktop\AdministrativeUnlock_Source\AdministrativeUnlock\helpers.obj    AdministrativeUnlock
    Error    3    error LNK2019: unresolved external symbol _LsaConnectUntrusted@4 referenced in function "long __cdecl RetrieveNegotiateAuthPackage(unsigned long *)" (?RetrieveNegotiateAuthPackage@@YAJPAK@Z)    C:\Users\user\Desktop\AdministrativeUnlock_Source\AdministrativeUnlock\helpers.obj    AdministrativeUnlock
    Error    4    error LNK2019: unresolved external symbol __imp__CredPackAuthenticationBufferW@20 referenced in function "long __cdecl KerbInteractiveUnlockLogonRepackNative(unsigned char *,unsigned long,unsigned char * *,unsigned long *)" (?KerbInteractiveUnlockLogonRepackNative@@YAJPAEKPAPAEPAK@Z)    C:\Users\user\Desktop\AdministrativeUnlock_Source\AdministrativeUnlock\helpers.obj    AdministrativeUnlock
    Error    5    error LNK2019: unresolved external symbol __imp__CredUnPackAuthenticationBufferW@36 referenced in function "long __cdecl KerbInteractiveUnlockLogonRepackNative(unsigned char *,unsigned long,unsigned char * *,unsigned long *)" (?KerbInteractiveUnlockLogonRepackNative@@YAJPAEKPAPAEPAK@Z)    C:\Users\user\Desktop\AdministrativeUnlock_Source\AdministrativeUnlock\helpers.obj    AdministrativeUnlock
    Error    6    error LNK1120: 5 unresolved externals    C:\Users\user\Desktop\AdministrativeUnlock_Source\Debug\AdministrativeUnlock.dll    AdministrativeUnlock

    Do you know what the problem might be?

    martes, 03 de enero de 2012 18:11
  • do you have the windows sdk installed? seems like he can't find certain external dependencies. try to check the dependencies tree in the project viewer and/or reinstall the windows sdk (7.1 i believe).
    miércoles, 04 de enero de 2012 7:14
  • I'll bet you are doing a debug build.  In the configuration for debug, secur32.lib was omitted from the list of libraries.  Either change to release, or add the secur32.lib file.
    jueves, 05 de enero de 2012 4:13
  • LGS, you were right about me doing a debug build. I thought that might be the problem early on since it was a DLL and debugging didn't seem right, but I dismissed it and moved on to other possibilities. I've never worked with compiling DLLs before. Thank you both for your assistance.

    Hopefully Microsoft will bring back native support for this solution in the near future. Like others, I maintain computers at a university and people walking away and not logging off is a constant problem.

    jueves, 05 de enero de 2012 15:55
  • Do you have any kind of deadline in mind for how long you want to wait for "this process to finish?"

    For those who are keeping track:

    • This thread started: May 14, 2010
    • Oliver first mentions his solution: May 18, 2011
    • Oliver first posts his solution: June 10, 2011

    Depending on how you want to measure it, we've been waiting for MS for 8 or 9 months to "do something."  Seems like a long time to me.

    jueves, 02 de febrero de 2012 1:14
  • I have no idea how long it will take, but i thought i'd chime in with my thoughts regarding your offer to transfer the project to Sourceforge. I thought about doing that myself back when i first released it, buti cannot commit myself enough to actually doing it, so i'd be more than happy if you'd do it. As long as my name appears somewhere even once, that's more than fine by me. I didn't create this so that noone can use it, sharing is caring.

    So if you come around creating a Sourceforge project for this, please go ahead and do it. Just maybe leave a link to the project site here. Seeing as Windows 8 will be BETA soon and RTM later this year, i'm starting to wonder if we'll need to develop something similar AGAIN or if the functionality found it's way back into the core system. If we need to do it ourselves again, at least this time we'll be ready for a near 0-day release :)

    jueves, 02 de febrero de 2012 7:33
  • <sigh>

    SourceForge projects must be based on Open Source licences.  Looking at the license doc for the SDK (where most of this code came from), that doesn't appear to be possible.  In fact, MS's terms seem to intentionally and explicitly exclude OS licenses, even for code derived from their sample code, even if your code "adds significant primary functionality to it."

    So, unless someone reads these terms differently than I do, or unless someone is prepared to reproduce the functionality of these ~2,000 lines of code "inspired by, but not copying from" this sample, I don't see a way forward at SF.

    Maybe MS's CodePlex would be a better home?  Does anyone know what the rules are over there?

    sábado, 04 de febrero de 2012 9:02
  • Works great, very grateful.

    Rafael J López

    IT Support

    martes, 14 de febrero de 2012 19:52
  • Wow this thread had been running for a long time!

    There is a third party product that allows you to set which users (not necessarily admins) can unlock the system.  Have a look at Unlock Administrator

    • Propuesto como respuesta Amer Rana sábado, 25 de febrero de 2012 18:34
    • Votado como útil Amer Rana sábado, 25 de febrero de 2012 18:34
    jueves, 23 de febrero de 2012 16:11
  • Hi Dears,

    I'm also facing the same problem. I have forgot my password and now I have no access to reach or open the windows. I'm using windows XP 7, if there is any solution you have about this problem so please tell me because I've immediately need to open the windows for doing some important work about study. If there is any solution of anyone have about this problem so please mail me on this site amer.pu11@yahoo.com 

    thanks 

    sábado, 25 de febrero de 2012 18:46
  • You should give a look to UserLock.

    Among other features, this 3rd-party solution will allow you to remotely lock or logoff any session (even sessions with local accounts), either from the administration console or the Web interface.

    A fully-functional trial is available here.


    François Amigorena | President & CEO | IS Decisions | www.ISDecisions.com

    martes, 06 de marzo de 2012 9:03
  • UserLock allows you to LOCK or LOGOFF but the question is to UNLOCK which this product does not allow you to do.  Besides Unlock Administrator I have not found another product that allows you to unlock.
    miércoles, 07 de marzo de 2012 16:29
  • Thanks Oliver, this solution works great!

    One question, do you know where in the source file and if it's possible to change the verbiage in the "Other Credentials" button?

    Milton

    viernes, 16 de marzo de 2012 15:48
  • The Credential Provider and the text you mentioned are two completely seperate identities. The "Other Credentials" button is hidden somewhere else, in what has been "GINA" and is now called winlogon as far as i know. No "documented" way to change that i'm afraid.
    viernes, 16 de marzo de 2012 21:03
  • How about an official hotfix to fix this issue in the logon screen itself instead of a credential provider?
    miércoles, 11 de abril de 2012 10:27
  • Good luck with that.  And for those who were hoping W8 would be better, doesn't look better to me.
    miércoles, 11 de abril de 2012 20:20
  • Yeah, Microsoft took that out by design, the reason being along the lines of "if a user locks his session, he expects it to be still there when he returns to the PC". The good news is that AdministrativeUnlock works under Windows 8 (Customer Preview), albeit there are some minor problems that need some looking into. Though i deem that rather useless until RTM.
    jueves, 12 de abril de 2012 6:19
  • The link above is giving me a 404 error.   Is it still active?  

    miércoles, 18 de abril de 2012 12:26
  • I'm still getting a 404 on this link, but very interested in the file. Can someone send the file or re-upload?

    Many Thanks!

    R

    viernes, 20 de abril de 2012 20:39
  • Are you still trying the filefactory.com link?  That won't work.  The live.com link I posted should work correctly. 
    viernes, 20 de abril de 2012 22:50
  • Hi, i was also facing the same problem. As a quick solution i tried following..

    Please note: This is not a permanent solution but still it helped me to resolve my issue..

    1. Open "mstsc" from another computer and put your machine's name there
    2. Then it will show you that one user is corrently logged and also it will give you an option to use other credentials to login to this machine. Put other (admin) users credentials there.
    3. This will force logoff for the current user and take you inside the machine.
    4. Here you go!!!! you  can do your stuff via RDC or you can go physically there and access that machine using other users credentials.

    Hope this may help for my friends..

    Raj-M


    • Editado Raj510 lunes, 14 de mayo de 2012 23:13
    lunes, 14 de mayo de 2012 23:12
  • Thought I'd chime in as we are experiencing a similar problem at the college I work at: i.e. the need to disable fast-switching for performance but still be able to unlock users from the machines they leave themselves logged and locked onto.

    Our IT support use a tool called ABTutor (www.abtutor.com) which enables them to remote view and control all the workstations in the college. We've discovered that this tool is also able to log off a user remotely - just bring up the machine that's been reported and log them off, easy. It's licenced per installation and for us that's just two machines controlling 800 workstations.

    The RDP option works fine, but obviously takes ages as you log on then back off again.

    Andy

    martes, 15 de mayo de 2012 15:40
  • I work for a college and we are looking to roll out this very neat fix you have developed. We can get it working fine on windows 7 Pro 32 bit, however on 64bit after installing it as per your instrctions the PC boots up and does not display a login box. Any ideas what we may have done wrong in installing it? And we have checked manually that the reg keys and the dll file is present. Any help would very much be appreciated as we would like to use your fix on all our PCs.
    jueves, 17 de mayo de 2012 15:53
  • The machine I am typing this on is W7 64bit.  adminunlock works here just fine.

    The install for this tool is pretty darn simple.  There's not a lot that can go wrong.  Especially since you say the registry is correct and the file is there.

    About the only thing I can think of is that somehow you've ended up with the x86 dll file.  Have you checked the size of the file?  And the file didn't (somehow) end up in the syswow64 directory rather than the system32 directory, did it?

    viernes, 18 de mayo de 2012 4:33
  • Thanks for your reply. Checked the file sizes to ensure that we had the correct one copied and into the c:\windows\system32 folder. I downloaded the whole mechanism again to ensure that the 64bit dll file hadn't become corrupt on download. As you say is very simple install and so I am wondering if it is not the install that is the problem but some rogue setting on our PC image that is clashing with this mechanism. Weirdly we also had this issue if we install Movie Maker as on next reboot the login box disappears. No idea what the possible connection between these two are! So.....we have now created a standard win 7 64 install without any GPO settings or software and this mechanism now works. So definately a clash in our image. Now begins the long search for the proverbial needle.....thanks for your help.

    viernes, 18 de mayo de 2012 11:29
  • OK, what am I missing here?

    Windows 7 Pro.  A user has machine locked.  Do not want to just shutdown machine, so install the s/w above.

    Follow all instructs.  Install s/w as admin, lock PC as admin, hit ctrl-alt-del and get displayed the locked user acct., and the prompt in the form of a key in a field of yellow, to unlock the PC (or something along those lines).

    When I do the unlock user acct thingy, it comes back to the ctrl-alt-del, and it has definitely unlocked the acct, my administrator acct.  The user acct. that I wanted to kick off in the first place is still sitting there locked. 

    I thought, maybe if I just log off, then I will get the unlock user acct key icon option, and that will kick off the user.  Nope, in that case I just get the genric screen showing that the user has the PC locked, and I can log in as that user, or I can log in as another user.  No little option to kick off the other user.

    Enable fast user switching is not enabled or disabled if that makes any difference.  It is not configured.  Does that have anything to do with this?


    Rick

    viernes, 25 de mayo de 2012 19:02
  • Have you tried Unlock Administrator?  Very easy to setup and has a nice little configuration program.  With the configuration program you can set exactly who (not necessarily and administrator) can unlock the system.  They can either be set to unlock the other session or immediately log off that session.  It is a lot easier that tweaking a little hack.
    miércoles, 30 de mayo de 2012 1:04
  • I'm not that great at programming, but is there a way to add a Log Off button to the Admin Unlock DLL file?

    My current workaround to allowing users to logoff another user (this is so they do not have to call help desk, get frustrated from the wait time and power off the machine) is to hack the Utilman.exe and essentially turn the Ease of Access button to a logoff button. It's not pretty but it works.

    martes, 19 de junio de 2012 19:32
  • I came here after the very same problem, but figured out an even easy way for accomplish that: SCCM Client Center (http://smsclictr.sourceforge.net/).

    We do use this free tool for SMS/SCCM endpoint management, and it has, under "Agent Actions" -> "Install/Repair" tab, buttons for Logoff, Restart and Shutdown.

    Works like a charm - providing you know the name of the computer you are about to log the user off.

    HTH.

    miércoles, 04 de julio de 2012 14:06
  • jdjhd

    that is not good habit,, I suggest that one of your colleague of staff have an delegated authority to reset the user account only but not an administrator level only account operatos is enough..Now, in regards to the situation dont force shutdown the system but rather change the group policy seetings not the default one.

    Hope it will help you and dont forget to vote as helpfull

    thnkas

    jueves, 13 de septiembre de 2012 9:00
  • Unlock Administrator works only for 64bit on Vista and above. The 32bit version is for 2000, XP, and 2003.
    jueves, 20 de septiembre de 2012 12:48
  • Your question is how to unlock other users,,simply check the group policy management console or type gpedit.msc look the users configuration then

    just make filter options so as easy for you to find..

    Just give me feedback if its helpfull to you!!

    Thnkas

    jueves, 20 de septiembre de 2012 13:29
  • It looks like they now have a 32-bit version for Vista and up on their site at http://www.e-motional.com/ULAdmin.htm

    martes, 25 de septiembre de 2012 13:47
  • Hi Oliver

    Your tool is great, thank you a lot for giving it to the public audience!

    I found one bug: the application does not accept the login in the form DOMAIN\logon - it reports "the specified username or password is invalid". Using logon@long.domain.name works fine. Is it possible to correct the application to accept DOMAIN\logon names?

    David Leska

    miércoles, 31 de octubre de 2012 12:10
  • Hey Oliver,

    Thank you very much for this fantastic solution you have provided for this problem. As previously suggested, the option to have a "System Unlockers" group that was queried instead of the default "Administrators" group is one that would be much more suitable to our environment.

    I got ambitious and grabbed your source data to have a look to see if it is something I can manipulate to do what we need; however, I am not very good with C++ and am a bit overwhealmed with the code.

    Can you please advise if there are some simple changes we can make to this work for us?

    Hope you can help, thanks in advance,

    GMat

    • Propuesto como respuesta Rense Prakken lunes, 18 de marzo de 2013 15:18
    • Votado como útil Rense Prakken lunes, 18 de marzo de 2013 15:18
    • Propuesto como respuesta Rense Prakken lunes, 18 de marzo de 2013 15:18
    • Votado como útil Rense Prakken lunes, 18 de marzo de 2013 15:18
    martes, 20 de noviembre de 2012 1:17
  • Hi Oliver,

    What GMat said is also my question.
    Could you create something that everyone can force logoff?
    I'm working on a primary school en would like if the students can logoff others that has forgotten to logoff.

    I don't like to create a user that have local admin rights...

    Hope you can help and thanks in advance,

    Rense Prakken

    lunes, 18 de marzo de 2013 15:18
  • Hi Oliver,

    What GMat said is also my question.
    Could you create something that everyone can force logoff?
    I'm working on a primary school en would like if the students can logoff others that has forgotten to logoff.

    I don't like to create a user that have local admin rights...

    Hope you can help and thanks in advance,

    Rense Prakken

    viernes, 05 de abril de 2013 11:53
  • The area of interest is in the file CSampleProvider.cpp at line 394. In my verison of the code, this line reads as

    bIsAdmin = groupSids.GetAt(i) == ATL::Sids::Admins();

    You can try to change that to

    bIsAdmin = groupSids.GetAt(i) == ATL::Sids::PowerUsers();

    to allow all members of the PowerUsers group to unlock. Alternatively, if you want anyone to be able to unlock, change the line to

    bIsAdmin = groupSids.GetAt(i) == ATL::Sids::Users();

    This allows all members of the "Users" group (which by default should be any User) to unlock a machine. I don't have the required testing environment anymore, so i cannot make these changes myself, sorry.

    jueves, 02 de mayo de 2013 9:15
  • For those confused, the file with that line of code is CSampleCredential.cpp, not CSampleProvider.cpp.
    jueves, 27 de junio de 2013 18:28
  • We use PSEXEC from pstools to log users off of PCs.  The following command must be run from a domain administrator account.

    "psexec.exe \\%computername% CMD"     --This opens a command line for the remote system that is locked.
    "query session"     --This displays active sessions. (ie. user logged in)
    "logoff #"     --This will log out the specified session. (# = number of users session)

    Wait about 10 seconds and have the user try to log in again.  Works 99% of the time in our enviroment.

    miércoles, 07 de agosto de 2013 11:30
  • I get the following error when compiling again:

    CSampleCredential.cpp(16): fatal error C1083: Cannot open include file: 'atlstr.h': No such file or directory

    Please Could you help me?

    I 've the blsAdmin string chanced.

    jueves, 22 de agosto de 2013 14:17

  • Wondering if either GMat and Rense or anyone was able to get it working with other than admin users?

    We're an elementary school with 500 users and 150 computers; split 50/50 between XP and Win7 Pro. We're also brand new to AD, and this locked-screen business on the 7 machines is giving us major headaches. We just need a simple way for a user to be able to log off a locked user who walked away from the machine. This isn't a high-security environment and unsaved work is not an issue. These are kids, on web sites primarily. 

    Pulling power isn't a viable solution. We also don't have many admin users, with good reason, so there just aren't dedicated IT-capable employees at the ready to do this all day long. 

    We don't have the budget for Unlock Administrator, regrettably. I get that adminunlock would be perfect, but has anybody modified for it all users, as below? Much as I like to do very minor hacking, I don't Notepad will work here. ;)

    bIsAdmin = groupSids.GetAt(i) == ATL::Sids::Users();

    Hard to believe there isn't a policy available for this by now. Many thanks for any suggestions! 

    jmea

    jueves, 12 de diciembre de 2013 22:43
  • I would schedule two tasks in group policy.

    First one would be set to only run when the computer has been idle for 15 minutes and would call a batch file that contains the following command "rundll32.exe user32.dll, LockWorkStation" 

    Then the second one would only run when idle for 2 hours and would call shutdown.exe /L /F.

    Simple. Good Luck.

    viernes, 13 de diciembre de 2013 1:02
  • Awesome, works for me.
    jueves, 17 de abril de 2014 11:45
  • On sourceforge is someone who combined your solution with another project from paralint.com to a working solution! This gives a domain user the ability to logoff another user by entering his own login name and password. The project name on sourceforge is: userunlock


    martes, 06 de mayo de 2014 7:42
  • Hi there i am trying to get this downloaded and the links are not working!  Can you please tell me where i can get this from?

    Many thanks

    viernes, 11 de julio de 2014 11:09
  • I was able to get this working by modifying the code to point to authenticated users rather than Administrators. This does mean that anyone can log anyone off these machines where this DLL is registered. I remember it being a pretty nifty solution at the time and it is something that we are still using in our customer service centres today. This was two years ago now, so please don't ask how I modified it, but I have the source files here if still required.

    https://dl.dropboxusercontent.com/s/k6t649i4ybwb6kc/Administrative%20Unlock.zip?dl=0

    Cheers

    GMat

    miércoles, 10 de septiembre de 2014 11:40