Unlocking User Accounts with an Administrator Account

  • Question

  • Hi there, again... I love this forum

    I built another Server 2008 R2 SP-1 Network with 35 Windows 7 64 desktops.

    Customer asked about Administrator Accounts unlocking desktops where non-admin users have locked desktops.

    Is that "Interactive logon: Require Domain Controller authentication to unlock workstation"?

    Right now the default is "This computer is locked.  Only the logged on user can unlock the computer"

    Thanks

    B.

    Tuesday, November 4, 2014 10:06 PM

All replies

  • > Customer asked about Administrator Accounts unlocking desktops where
    > non-admin users have locked desktops.
     
    This is not possible anymore since Vista and above...
     
    > Right now the default is "This computer is locked.  Only the logged on
    > user can unlock the computer"
     
    The admin can only "switch user", then launch task manager, "users" tab
    and from there logoff the user.
     

    Martin

    How about reading a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    • Proposed as answer by Frank Shen5 Tuesday, December 9, 2014 7:25 AM
    • Marked as answer by Frank Shen5 Wednesday, December 10, 2014 1:33 AM
    Wednesday, November 5, 2014 8:57 AM
  • "The admin can only "switch user", then launch task manager, "users" tab and from there logoff the user."

    Thanks, no way they can log "over" a user with "Do you want to log off this user, all work will be lost"

    Then what does "Interactive logon: Require Domain Controller authentication to unlock workstation" do?

    Wednesday, November 5, 2014 11:35 AM
  • > Thanks, no way they can log "over" a user with "Do you want to log off
    > this user, all work will be lost"
     
    No. You can as well switch power off :)
     
    > Then what does "Interactive logon: Require Domain Controller
    > authentication to unlock workstation" do?
     
    This prevents brute force unlock attacks (after removing the LAN cable)
    and it prevents storing the password hash somewhere on the system.
     

    Martin

    How about reading a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    • Proposed as answer by Frank Shen5 Tuesday, December 9, 2014 7:24 AM
    • Marked as answer by Frank Shen5 Wednesday, December 10, 2014 1:33 AM
    Wednesday, November 5, 2014 2:43 PM
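
An added example (not part of the original thread and not any poster's code) that reports how each desktop is configured for the "Require Domain Controller authentication to unlock workstation" setting discussed above. It assumes the policy is backed by the `ForceUnlockLogon` value under the Winlogon registry key and that PowerShell remoting is enabled; `PC-01` and `PC-02` are placeholder computer names, and `CachedLogonsCount` belongs to the separate "Number of previous logons to cache" policy.

```powershell
# Added example: report the registry values behind two "Interactive logon" policies.
# Assumptions: WinRM remoting is enabled on the targets; PC-01/PC-02 are placeholder names.
function Get-UnlockPolicy {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Runs on the target. New-Object keeps it compatible with PowerShell 2.0,
    # which is what Windows 7 and Server 2008 R2 ship with.
    $read = {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        $p = Get-ItemProperty -Path $key
        New-Object PSObject -Property @{
            ForceUnlockLogon  = $p.ForceUnlockLogon
            CachedLogonsCount = $p.CachedLogonsCount
        }
    }

    foreach ($name in $ComputerName) {
        try {
            if ($name -eq $env:COMPUTERNAME) { $v = & $read }
            else { $v = Invoke-Command -ComputerName $name -ScriptBlock $read -ErrorAction Stop }

            # Missing or 0 = policy disabled (default): cached credentials can unlock.
            # 1 = policy enabled: a domain controller must validate the unlock.
            if ($v.ForceUnlockLogon -eq 1) { $mode = 'DC required to unlock' }
            else { $mode = 'Cached credentials accepted' }

            New-Object PSObject -Property @{
                Computer          = $name
                UnlockMode        = $mode
                ForceUnlockLogon  = $v.ForceUnlockLogon
                CachedLogonsCount = $v.CachedLogonsCount
                Error             = $null
            }
        } catch {
            # Unreachable or access-denied machines are reported, not silently skipped.
            New-Object PSObject -Property @{
                Computer = $name; UnlockMode = 'Unknown'
                ForceUnlockLogon = $null; CachedLogonsCount = $null
                Error = $_.Exception.Message
            }
        }
    }
}

Get-UnlockPolicy -ComputerName 'PC-01', 'PC-02' |
    Select-Object Computer, UnlockMode, ForceUnlockLogon, CachedLogonsCount, Error |
    Format-Table -AutoSize
```

A machine reporting "DC required to unlock" cannot be unlocked while it has no connection to a domain controller, so check laptops and branch-office desktops before enabling the policy domain-wide.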
  • On Server 2008, if another administrator locked the server, I know "switch user" can log in and from Task Manager disconnect another administrative user, and the same on Windows 7 desktops.

    I thought there was a setting to allow you to log in and get the message "Are you sure you want to log off this user, unsaved data may be lost"

    B.


    Thursday, November 6, 2014 3:18 PM