How to Unlock Windows 7 Enterprise when another user has locked the screen? RRS feed

  • Question

  • I had a simple question about Windows 7 Enterprise. I am a computer technician in a corporation serviceing 7000+ PC's. In the past (on Windows XP Professional) when a user would lock the computer we as administrators could unlock the computer and force the log off of the user. Can this feature or one similar be applied In Windows 7 Enterprise if Fast User switching is turned off?
    • Moved by Carey FrischMVP Tuesday, April 5, 2011 3:58 PM Moved to more appropriate forum category (From:Windows Vista Desktop UI)
    Friday, May 14, 2010 3:07 PM

All replies

  • Hi,

    Yes, there is significant changes to user switch comparing Windows XP & Vista or 7.

    Windows 7 & Vista offers mutli login for users within domain and to log off any user: you have to login to a computer using administrator account - open task manger - users tab - from the panel you will get access to manage log in users.


    Bart Kurowski IT Support Analyst, MCP, MCTS, MCITP, MCAS
    Friday, May 21, 2010 9:33 PM
  • Yes, but how do you log in to the already locked PC when the boss has deemed the snazzy new "fast user switching" and RDP verboten? Is there no way to unlock a locked desktop short of cutting power??

    Tuesday, December 14, 2010 8:47 PM
  • I too have this same question...

    In our environment we have "fast user switching" disabled and our workstations set to lock after 15 minutes (for security)...
    On Win7 workstations that are shared by multiple employees, the previous user forgets to log off when they walk away, and the next user is unable to login. The only options we currently have is to hold the power button in to shut down the workstation...

    We need to be able to unlock (force logoff) a workstation, like we did with Windows XP...

    Anybody got any ideas on how to do this with "fast user switching" disabled?


    Thursday, March 24, 2011 8:44 PM
  • I am having the same issue and as yet am unable to find a solution other than resetting the machine as you say... which is obviously not a good thing. There must be a way to do this as this must be occurring all over the place. If I find something I'll post it up..


    Wednesday, March 30, 2011 8:44 AM
  • I developed a possible solution to this problem which at the moment is undergoing MS Review. I'll keep you updated on the progress. I already tested it in our infrastructure and it works.

    Wednesday, May 18, 2011 10:32 AM
  • Hi, i'm in need of this too.

    Windows 7 Pro, domain joined with fast user switching disabled. If you need anymore testers for your solution i'd be happy to volunteer.

    Friday, May 20, 2011 6:47 AM
  • with a client desktop locked-what do you get with a Alt+W?


    Friday, May 20, 2011 11:07 PM
  • with a client desktop locked-what do you get with a Alt+W?

    On Windows 7 Enterprise x64, [Alt]+[W] does nothing at:
    - the "press Ctrl+Alt+Del to unlock" screen,
    - the "enter current user password" screen, or
    - on the "other credentials" screen (only viewable on laptops with smart card readers)

    What did you think [Alt]+[W] would do?


    Tuesday, May 24, 2011 5:37 PM
  • Any word on the solution yet?
    Tuesday, May 24, 2011 8:47 PM
  • Yes, we're making progress with the review process. Currently, the solution is being reviewed by the Design and Product group teams. My hope is that they are going to "officialize" the solution and make a hotfix/patch/feature pack using the same technologies themselves. This way, every admin around the world could use the solution and be sure to use Microsoft sanctioned code.

    If this process "fails" and all i get is "it's ok to do it this way, but we won't officially embrace it" or something along these lines, i'll upload it somewhere myself (including source of course). But until then, i'll keep it to myself.

    Wednesday, May 25, 2011 6:45 AM
  • I have an OK from Microsoft that the proposed solution is within "Windows" design boundaries. I uploaded the compiled x86 and x64 binaries to http://www.filefactory.com/file/ccb8b53/n/AdministrativeUnlock.zip. Batch Files for easy (de)installation is included. Just use "Run as Administrator" with the Batch file for your platform, the lock the machine. When trying to unlock, you should have a "Other Credentials" Button. Click it, select "Administrative Unlock", then enter username and password of a user which is in the local Administrator Group.


    Please provide feedback here, there's no other place i could use.


    • Proposed as answer by Justin007 Monday, June 20, 2011 2:07 PM
    Friday, June 10, 2011 7:31 AM
  • Please use your skydrive public folder- what the #@#@^$% is that link?
    Friday, June 10, 2011 8:03 PM
  • Ok, made a skydrive profile and shared a folder with the public. you should be able to get it there - http://cid-9363831414c526a5.office.live.com/self.aspx/Public/AdministrativeUnlock.zip
    • Proposed as answer by Master ALF Thursday, June 16, 2011 10:52 AM
    Friday, June 10, 2011 9:35 PM
  • Works great thanks.
    Monday, June 13, 2011 7:52 PM
  • Oliver, do you have a similar solution for Windows 7 Professional?  I tried the solution you created for Enterprise on a W7 Pro box with no success.

    Tuesday, June 14, 2011 5:58 PM
  • What kind of problem are you experiencing?
    For Installation, make sure you choose the batch-file for the right architecture (x86 / x64) and also make sure to start the batch file by Right-Clicking it and then selecting "Run as Administrator...". Even if you are logged in as local admin, you have to start it that way or it won't work. To my knowledge, there should be no difference between Win7 Enterprise and Win7 Professional regarding this solution (using a custom Credential Provider), so i think you're doing something wrong along the way.

    Tuesday, June 14, 2011 6:11 PM
  • Thanks Oliver F!!  I have been looking for a solution on this myself.  I'll give it a shot tomorrow.  Although, I got a couple questions though.  First is when you refer to "start the batch file" are you referring to "Install_x86.cmd" (for a 32bit Windows 7 Prof machine)?  The other question is when you say Microsoft has given you an OK, does this mean that Microsoft will "make a hotfix/patch/feature pack using the same technologies themselves"?  Again, Thanks for the help!!
    Tuesday, June 14, 2011 11:43 PM
  • That is correct, i'm talking about the two Install-Batch Files, which would be "Install_x86" for a 32-Bit Windows 7 Machine. The decision whether Microsoft will do something themselves or not is still up in the sky, but they gave me the "OK" to use it because in their review there was nothing to complain about (regarding the program code and the use of API calls, which could've gone against the basic design guidelines but did not).
    Wednesday, June 15, 2011 6:10 AM
  • Just put it on my Windows 7 Professional machine and it worked great!!  The only thing I found was I needed to use the local administrator account for the computer for it to work.  The domain administrator account didn't work.  Great solution though!!  Thanks again Oliver F!!
    Wednesday, June 15, 2011 12:33 PM
  • You need to use an account that is a member of the machine's local "Administrators" group. Whether that is a domain user or local user is irrelevant.
    Wednesday, June 15, 2011 1:18 PM
  • Thanks!!!!

    We have been looking for a solution since the Win7-release in june 2009.

    This DLL-fix works fine, and easy to install/deploy to our computers... Great work!


    Thursday, June 16, 2011 10:22 AM
  • Ok, made a skydrive profile and shared a folder with the public. you should be able to get it there - http://cid-9363831414c526a5.office.live.com/self.aspx/Public/AdministrativeUnlock.zip

    Works great. Thanks for the sulution


    / Magnus

    Thursday, June 16, 2011 10:58 AM
  • At this point is the unofficial download the only option that's going to be available, or will it eventually be rolled into a hotfix from ms?
    Thursday, June 16, 2011 4:06 PM
  • @Gai-jin --- I'm waiting and wondering the same thing. My organization, with 2000+ Windows 7 Pros, is having this same issue. Right now the solution is hard shut-downs all over the campus... not exactly an elegant solution.

    I would go with Oliver F's solution, but unfortunately corporate policies don't allow. I really need an official Microsoft solution.

    Anyone heard anything?


    System Admin and Resident Sandcastle Builder :) www.Sandcastling.com
    Wednesday, July 6, 2011 6:43 PM
  • As a workaround we’re using remote desktop to logoff computers with locked users.

    Our corporate security policy doesn't allow Oliver’s program and I’m pretty sure PCI doesn’t either. We would need something official from MS.

    Wednesday, July 6, 2011 11:00 PM
  • I don't know why, but using RDP never entered my mind. Brilliant workaround, Ross. 

    Which leads me to think (sometimes dangerous that can be) that one of Mark Russinovich's infamous PSTools could be of help. Particularly this command:

    psshutdown \\RemoteSystem -o    

    Despite how the command looks -- shutting down the system -- the '-o' switch instructs the system to only "Logoff the console user"... and stop there. I'll have to give it a try, but it should work.

    Still hoping MS will come through with a tweak. It is so hard to believe that such a relatively simple, and helpful thing could have been intentionally removed... with no way to change via GPO.


    System Admin and Resident Sandcastle Builder :) www.Sandcastling.com
    Thursday, July 7, 2011 11:53 AM
  • I don't believe something official will be available within a reasonable timeframe. Meanwhile, would your corporate policies allow for you to compile a solution yourself? It's really not that complicated a program, as it's essentially a Credential Provider that logs a user off upon entering your credentialy instead of unlocking the screen/logging you on.
    Monday, July 11, 2011 6:08 AM
  • Hello Oliver,

    thank you for providing your solution. You mentioned something about recompiling. Can you provide the sourcecode?


    Thanks in advance, Th0u

    Monday, July 11, 2011 12:23 PM
  • I added the source files to my public skydrive folder, you can grab it here: https://skydrive.live.com/?cid=9363831414c526a5&sc=documents&uc=1&id=9363831414C526A5%21105. You will need Visual Studio 2010 and the Windows SDK (v7.0A) to be able to compile it. I hope it'll work this way.. if not, i may have to include all the external dependencies in the project, which i'd rather not do.
    Monday, July 11, 2011 12:31 PM
  • Thank you.

    Great job.

    Monday, July 11, 2011 2:55 PM
  • I'll add my thanks for your providing the tool, and being generous enough to provide it the source.  As with some (too few) other shops, there's no way I could use a binary from any source other than an identifiable corporation, but with the source that isn't as large an issue.

    One question: What is the copyright status of the files? Based on this thread you're the author, and they were not a work-for-hire, but each of the files in the source ZIP file carries a Microsoft copyright notice (perhaps inserted during Microsoft's review?). My facility has a strong policy regarding IP and I need to be able to assure management that we have the legal right to use the programs. The CSample* files are distributed by Microsoft and aren't an issue but the others - the heart of the unlock function - are the problem.

    Thanks again for the tools.

    Joe Morris
    Friday, August 5, 2011 2:56 PM
  • Where should this "Other Credential" button appear? I'm just testing this and I'm not seeing it anywhere.

    EDIT: I didn't run the .cmd file as Administrator so I was getting an access denied when it tried to copy the .dll file.

    Friday, August 5, 2011 7:40 PM
  • The solution is based on a sample included in the Windows SDK. It's basically a partly rewritten Credential Provider Sample. This "should", but don't quote me on that, allow you to use it without restrictions. If you're unsure about the license, get in contact with Microsoft and ask about the Status of code included in the Windows SDKs. What files are you talking about that could be the problem, because i didn't add anything extra, the include files were added by VS2010 automatically and should be part of the Windows Operating System.
    Sunday, August 7, 2011 9:04 AM
  • You've answered my question; as long as the copyright notices are all from the SDK samples (which are clearly distributable) plus your changes there shouldn't be any problems from the IP people.  Your comment upthread about submitting it to Microsoft was the source of my concern.  (And thanks for the quick response!)

    Here's another question/request for you: how practical would it be to integrate normal (PKI-based) smartcard authentication with your code? My problem is that while I'm no stranger to system-level programming (I learned it on an IBM 7090 and a DEC PDP-1) I'm only marginally proficient with C++ and haven't worked with credential providers except to try (as a work in progress!) to figure out how the force-off code works. My organization's problem is that while we currently use normal userid/password authentication we will be moving to smartcard-based logon in the not-too-distant future and part of my job is to avoid introducing problems for smartcard users.

    A suggestion for readers who are implementing this on a kiosk system (or anything similar, such as a conference room machine): consider deleting the test for membership in the administrators group (i.e., in the IF statement testing bIsAdmin, always execute the true branch).  This will allow any user to force off a session that a previous kiosk user has impolitely failed to close.  It would be inappropriate to allow this on typical desktop systems but for systems used by the general user population it avoids calling out an administrator (or a forced power-off)...and I have little sympathy for someone who loses edits because they left a kiosk system locked.

    Joe Morris
    Monday, August 8, 2011 2:43 PM
  • Hi Joe,

    I am sorry to say that i didn't dabble in the use of smartcards as of yet. I have no idea what API calls would be necessary, or rather, what happens if a user inserts a smartcard into the computer. You might want to check out the SDK documentation on this, or maybe even find a Credential Provider that is suitable for smartcards (there is a hardware sample credential provider in the Windows SDK) and try to insert my code at the appropriate place. Though, you shouldn't forget that if you were to do that, you'd have TWO additional providers installed, because obviously, you can't cram both methods combined in one Credential Provider (well, as far as i know you can't).

    Having had a short look at the Hardware Sample code in the sdk, it even seems the function where i did the changes would be unaffected by the methodology of credential input (makes sense this way, too), so it might be really easy to change that one around the same way. The only difference between HID-Input and Hardware-Input of credentials lies in the Input-Methodology, the authentication process would/should be essentially be the same. Hope that helps, i can't even try to develop that because i lack the infrastructure to test it.

    Your suggestion about unlocking machines w/o administrative privileges is suitable, but i'd propose adding a local user group on the systems (named appropriately, like "System Unlockers") and put the domain administrators into this group by default, and adding "everyone" on those kiosk systems. That way, you still have control over it and could even add certain non-Administrators on some PCs. Stupid me for not having thought about that before, would make more sense to check for either Administrator OR <insert group name here> membership. Oh well...

    Tuesday, August 9, 2011 6:21 AM
  • I also thank you for this.

    We use lenovo thinkpads and many of them have fingerprint readers which are also shimmed into the logon process.

    It appears that when I add this after the fingerprint reading software is installed, that it simply enable fast switching. When I click on other credientials, I get a logon screen and can log in directly. There is no logoff flash, I am signed right in.

    Also, I am able to use a non-admin user to sign on, rather than mandating an admin.

    Any thoughts?

    Wednesday, August 24, 2011 9:57 PM
  • Never mind. It was acting up because I didn't run the install script as Admin.

    Now that I've done that, it seem to be working fine.

    Thanks again. You have made me a hero to my boss.

    Wednesday, August 24, 2011 10:32 PM
  • This was a good idea SandcastlingRon but in my tests it only works if the console session is active (if that's the correct term). By that I mean, if the PC is locked this doesn't log off the user, though psshutdown states "Console logoff initiated on [pc name]". When the user was active in the console session the command kicked them right out.

    FYI - I've tested the custom DLL provided by Oliver F and it works very well. We're now trying to determine if it's truly legit and supported by MS.

    Friday, December 23, 2011 5:59 PM
  • Works great Oliver, thank you! We're going to have to get it signed off by management for use in our environment and I'm hoping this won't be too much of a problem.

    Any word on MS including the fix in a future Feature Pack or something?

    Friday, December 23, 2011 6:11 PM
  • And failing a (positive) response from MS, what do you say to moving the project to a better home?  As near as I can tell, the only way to find out about this very useful tool right now is if you just happen to bump into it in this one specific thread.

    While I don't envision a great deal of development effort (if any) will ever be necessary for this project, perhaps SourceForge.net would make sense?  It has CVS/SVN to keep track of the source code, a download area for the executable files, and the ability to make a web page that describes the thing.

    I thought about just taking what you had posted and creating a project there myself, but even if I put your name all over the place and links to this thread, it would still have felt like stealing your idea/work.

    Friday, December 23, 2011 9:02 PM
  • As an update, we're still in progress doing things with microsoft regarding this project. as much as i doubt that it will be included in a feature pack or something similar, i'll wait for this process to finish before doing anything else. here's hoping windows 8 reintroduces this feature out of the box ;)
    Friday, December 23, 2011 10:25 PM
  • Thank you for your creative solution Oliver. I was wondering if you could help me. I tried compiling your source code with Visual Studio 2010 SP1, but I'm getting the following errors:

    Error    1    error LNK2019: unresolved external symbol _LsaDeregisterLogonProcess@4 referenced in function "long __cdecl RetrieveNegotiateAuthPackage(unsigned long *)" (?RetrieveNegotiateAuthPackage@@YAJPAK@Z)    C:\Users\user\Desktop\AdministrativeUnlock_Source\AdministrativeUnlock\helpers.obj    AdministrativeUnlock
    Error    2    error LNK2019: unresolved external symbol _LsaLookupAuthenticationPackage@12 referenced in function "long __cdecl RetrieveNegotiateAuthPackage(unsigned long *)" (?RetrieveNegotiateAuthPackage@@YAJPAK@Z)    C:\Users\user\Desktop\AdministrativeUnlock_Source\AdministrativeUnlock\helpers.obj    AdministrativeUnlock
    Error    3    error LNK2019: unresolved external symbol _LsaConnectUntrusted@4 referenced in function "long __cdecl RetrieveNegotiateAuthPackage(unsigned long *)" (?RetrieveNegotiateAuthPackage@@YAJPAK@Z)    C:\Users\user\Desktop\AdministrativeUnlock_Source\AdministrativeUnlock\helpers.obj    AdministrativeUnlock
    Error    4    error LNK2019: unresolved external symbol __imp__CredPackAuthenticationBufferW@20 referenced in function "long __cdecl KerbInteractiveUnlockLogonRepackNative(unsigned char *,unsigned long,unsigned char * *,unsigned long *)" (?KerbInteractiveUnlockLogonRepackNative@@YAJPAEKPAPAEPAK@Z)    C:\Users\user\Desktop\AdministrativeUnlock_Source\AdministrativeUnlock\helpers.obj    AdministrativeUnlock
    Error    5    error LNK2019: unresolved external symbol __imp__CredUnPackAuthenticationBufferW@36 referenced in function "long __cdecl KerbInteractiveUnlockLogonRepackNative(unsigned char *,unsigned long,unsigned char * *,unsigned long *)" (?KerbInteractiveUnlockLogonRepackNative@@YAJPAEKPAPAEPAK@Z)    C:\Users\user\Desktop\AdministrativeUnlock_Source\AdministrativeUnlock\helpers.obj    AdministrativeUnlock
    Error    6    error LNK1120: 5 unresolved externals    C:\Users\user\Desktop\AdministrativeUnlock_Source\Debug\AdministrativeUnlock.dll    AdministrativeUnlock

    Do you know what the problem might be?

    Tuesday, January 3, 2012 6:11 PM
  • do you have the windows sdk installed? seems like he can't find certain external dependencies. try to check the dependencies tree in the project viewer and/or reinstall the windows sdk (7.1 i believe).
    Wednesday, January 4, 2012 7:14 AM
  • I'll bet you are doing a debug build.  In the configuration for debug, secur32.lib was omitted from the list of libraries.  Either change to release, or add the secur32.lib file.
    Thursday, January 5, 2012 4:13 AM
  • LGS, you were right about me doing a debug build. I thought that might be the problem early on since it was a DLL and debugging didn't seem right, but I dismissed it and moved on to other possibilities. I've never worked with compiling DLLs before. Thank you both for your assistance.

    Hopefully Microsoft will bring back native support for this solution in the near future. Like others, I maintain computers at a university and people walking away and not logging off is a constant problem.

    Thursday, January 5, 2012 3:55 PM
  • Do you have any kind of deadline in mind for how long you want to wait for "this process to finish?"

    For those who are keeping track:

    • This thread started: May 14, 2010
    • Oliver first mentions his solution: May 18, 2011
    • Oliver first posts his solution: June 10, 2011

    Depending on how you want to measure it, we've been waiting for MS for 8 or 9 months to "do something."  Seems like a long time to me.

    Thursday, February 2, 2012 1:14 AM
  • I have no idea how long it will take, but i thought i'd chime in with my thoughts regarding your offer to transfer the project to Sourceforge. I thought about doing that myself back when i first released it, buti cannot commit myself enough to actually doing it, so i'd be more than happy if you'd do it. As long as my name appears somewhere even once, that's more than fine by me. I didn't create this so that noone can use it, sharing is caring.

    So if you come around creating a Sourceforge project for this, please go ahead and do it. Just maybe leave a link to the project site here. Seeing as Windows 8 will be BETA soon and RTM later this year, i'm starting to wonder if we'll need to develop something similar AGAIN or if the functionality found it's way back into the core system. If we need to do it ourselves again, at least this time we'll be ready for a near 0-day release :)

    Thursday, February 2, 2012 7:33 AM
  • <sigh>

    SourceForge projects must be based on Open Source licences.  Looking at the license doc for the SDK (where most of this code came from), that doesn't appear to be possible.  In fact, MS's terms seem to intentionally and explicitly exclude OS licenses, even for code derived from their sample code, even if your code "adds significant primary functionality to it."

    So, unless someone reads these terms differently than I do, or unless someone is prepared to reproduce the functionality of these ~2,000 lines of code "inspired by, but not copying from" this sample, I don't see a way forward at SF.

    Maybe MS's CodePlex would be a better home?  Does anyone know what the rules are over there?

    Saturday, February 4, 2012 9:02 AM
  • Works great, very grateful.

    Rafael J López

    IT Support

    Tuesday, February 14, 2012 7:52 PM
  • Wow this thread had been running for a long time!

    There is a third party product that allows you to set which users (not necessarily admins) can unlock the system.  Have a look at Unlock Administrator

    • Proposed as answer by Amer Rana Saturday, February 25, 2012 6:34 PM
    • Unproposed as answer by Amer Rana Saturday, February 25, 2012 6:34 PM
    Thursday, February 23, 2012 4:11 PM
  • Hi Dears,

    I'm also facing the same problem. I have forgot my password and now I have no access to reach or open the windows. I'm using windows XP 7, if there is any solution you have about this problem so please tell me because I've immediately need to open the windows for doing some important work about study. If there is any solution of anyone have about this problem so please mail me on this site amer.pu11@yahoo.com 


    Saturday, February 25, 2012 6:46 PM
  • You should give a look to UserLock.

    Among other features, this 3rd-party solution will allow you to remotely lock or logoff any session (even sessions with local accounts), either from the administration console or the Web interface.

    A fully-functional trial is available here.

    François Amigorena | President & CEO | IS Decisions | www.ISDecisions.com

    Tuesday, March 6, 2012 9:03 AM
  • UserLock allows you to LOCK or LOGOFF but the question is to UNLOCK which this product does not allow you to do.  Besides Unlock Administrator I have not found another product that allows you to unlock.
    Wednesday, March 7, 2012 4:29 PM
  • Thanks Oliver, this solution works great!

    One question, do you know where in the source file and if it's possible to change the verbiage in the "Other Credentials" button?


    Friday, March 16, 2012 3:48 PM
  • The Credential Provider and the text you mentioned are two completely seperate identities. The "Other Credentials" button is hidden somewhere else, in what has been "GINA" and is now called winlogon as far as i know. No "documented" way to change that i'm afraid.
    Friday, March 16, 2012 9:03 PM
  • How about an official hotfix to fix this issue in the logon screen itself instead of a credential provider?
    Wednesday, April 11, 2012 10:27 AM
  • Good luck with that.  And for those who were hoping W8 would be better, doesn't look better to me.
    Wednesday, April 11, 2012 8:20 PM
  • Yeah, Microsoft took that out by design, the reason being along the lines of "if a user locks his session, he expects it to be still there when he returns to the PC". The good news is that AdministrativeUnlock works under Windows 8 (Customer Preview), albeit there are some minor problems that need some looking into. Though i deem that rather useless until RTM.
    Thursday, April 12, 2012 6:19 AM
  • The link above is giving me a 404 error.   Is it still active?  

    Wednesday, April 18, 2012 12:26 PM
  • I'm still getting a 404 on this link, but very interested in the file. Can someone send the file or re-upload?

    Many Thanks!


    Friday, April 20, 2012 8:39 PM
  • Are you still trying the filefactory.com link?  That won't work.  The live.com link I posted should work correctly. 
    Friday, April 20, 2012 10:50 PM
  • Hi, i was also facing the same problem. As a quick solution i tried following..

    Please note: This is not a permanent solution but still it helped me to resolve my issue..

    1. Open "mstsc" from another computer and put your machine's name there
    2. Then it will show you that one user is corrently logged and also it will give you an option to use other credentials to login to this machine. Put other (admin) users credentials there.
    3. This will force logoff for the current user and take you inside the machine.
    4. Here you go!!!! you  can do your stuff via RDC or you can go physically there and access that machine using other users credentials.

    Hope this may help for my friends..


    • Edited by Raj510 Monday, May 14, 2012 11:13 PM
    Monday, May 14, 2012 11:12 PM
  • Thought I'd chime in as we are experiencing a similar problem at the college I work at: i.e. the need to disable fast-switching for performance but still be able to unlock users from the machines they leave themselves logged and locked onto.

    Our IT support use a tool called ABTutor (www.abtutor.com) which enables them to remote view and control all the workstations in the college. We've discovered that this tool is also able to log off a user remotely - just bring up the machine that's been reported and log them off, easy. It's licenced per installation and for us that's just two machines controlling 800 workstations.

    The RDP option works fine, but obviously takes ages as you log on then back off again.


    Tuesday, May 15, 2012 3:40 PM
  • I work for a college and we are looking to roll out this very neat fix you have developed. We can get it working fine on windows 7 Pro 32 bit, however on 64bit after installing it as per your instrctions the PC boots up and does not display a login box. Any ideas what we may have done wrong in installing it? And we have checked manually that the reg keys and the dll file is present. Any help would very much be appreciated as we would like to use your fix on all our PCs.
    Thursday, May 17, 2012 3:53 PM
  • The machine I am typing this on is W7 64bit.  adminunlock works here just fine.

    The install for this tool is pretty darn simple.  There's not a lot that can go wrong.  Especially since you say the registry is correct and the file is there.

    About the only thing I can think of is that somehow you've ended up with the x86 dll file.  Have you checked the size of the file?  And the file didn't (somehow) end up in the syswow64 directory rather than the system32 directory, did it?

    Friday, May 18, 2012 4:33 AM
  • Thanks for your reply. Checked the file sizes to ensure that we had the correct one copied and into the c:\windows\system32 folder. I downloaded the whole mechanism again to ensure that the 64bit dll file hadn't become corrupt on download. As you say is very simple install and so I am wondering if it is not the install that is the problem but some rogue setting on our PC image that is clashing with this mechanism. Weirdly we also had this issue if we install Movie Maker as on next reboot the login box disappears. No idea what the possible connection between these two are! So.....we have now created a standard win 7 64 install without any GPO settings or software and this mechanism now works. So definately a clash in our image. Now begins the long search for the proverbial needle.....thanks for your help.

    Friday, May 18, 2012 11:29 AM
  • OK, what am I missing here?

    Windows 7 Pro.  A user has machine locked.  Do not want to just shutdown machine, so install the s/w above.

    Follow all instructs.  Install s/w as admin, lock PC as admin, hit ctrl-alt-del and get displayed the locked user acct., and the prompt in the form of a key in a field of yellow, to unlock the PC (or something along those lines).

    When I do the unlock user acct thingy, it comes back to the ctrl-alt-del, and it has definitely unlocked the acct, my administrator acct.  The user acct. that I wanted to kick off in the first place is still sitting there locked. 

    I thought, maybe if I just log off, then I will get the unlock user acct key icon option, and that will kick off the user.  Nope, in that case I just get the genric screen showing that the user has the PC locked, and I can log in as that user, or I can log in as another user.  No little option to kick off the other user.

    Enable fast user switching is not enabled or disabled if that makes any difference.  It is not configured.  Does that have anything to do with this?


    Friday, May 25, 2012 7:02 PM
  • Have you tried Unlock Administrator?  Very easy to setup and has a nice little configuration program.  With the configuration program you can set exactly who (not necessarily and administrator) can unlock the system.  They can either be set to unlock the other session or immediately log off that session.  It is a lot easier that tweaking a little hack.
    Wednesday, May 30, 2012 1:04 AM
  • I'm not that great at programming, but is there a way to add a Log Off button to the Admin Unlock DLL file?

    My current workaround to allowing users to logoff another user (this is so they do not have to call help desk, get frustrated from the wait time and power off the machine) is to hack the Utilman.exe and essentially turn the Ease of Access button to a logoff button. It's not pretty but it works.

    Tuesday, June 19, 2012 7:32 PM
  • I came here after the very same problem, but figured out an even easy way for accomplish that: SCCM Client Center (http://smsclictr.sourceforge.net/).

    We do use this free tool for SMS/SCCM endpoint management, and it has, under "Agent Actions" -> "Install/Repair" tab, buttons for Logoff, Restart and Shutdown.

    Works like a charm - providing you know the name of the computer you are about to log the user off.


    Wednesday, July 4, 2012 2:06 PM
  • jdjhd

    that is not good habit,, I suggest that one of your colleague of staff have an delegated authority to reset the user account only but not an administrator level only account operatos is enough..Now, in regards to the situation dont force shutdown the system but rather change the group policy seetings not the default one.

    Hope it will help you and dont forget to vote as helpfull


    Thursday, September 13, 2012 9:00 AM
  • Unlock Administrator works only for 64bit on Vista and above. The 32bit version is for 2000, XP, and 2003.
    Thursday, September 20, 2012 12:48 PM
  • Your question is how to unlock other users,,simply check the group policy management console or type gpedit.msc look the users configuration then

    just make filter options so as easy for you to find..

    Just give me feedback if its helpfull to you!!


    Thursday, September 20, 2012 1:29 PM
  • It looks like they now have a 32-bit version for Vista and up on their site at http://www.e-motional.com/ULAdmin.htm

    Tuesday, September 25, 2012 1:47 PM
  • Hi Oliver

    Your tool is great, thank you a lot for giving it to the public audience!

    I found one bug: the application does not accept the login in the form DOMAIN\logon - it reports "the specified username or password is invalid". Using logon@long.domain.name works fine. Is it possible to correct the application to accept DOMAIN\logon names?

    David Leska

    Wednesday, October 31, 2012 12:10 PM
  • Hey Oliver,

    Thank you very much for this fantastic solution you have provided for this problem. As previously suggested, the option to have a "System Unlockers" group that was queried instead of the default "Administrators" group is one that would be much more suitable to our environment.

    I got ambitious and grabbed your source data to have a look to see if it is something I can manipulate to do what we need; however, I am not very good with C++ and am a bit overwhealmed with the code.

    Can you please advise if there are some simple changes we can make to this work for us?

    Hope you can help, thanks in advance,


    • Proposed as answer by Rense Prakken Monday, March 18, 2013 3:18 PM
    • Unproposed as answer by Rense Prakken Monday, March 18, 2013 3:18 PM
    • Proposed as answer by Rense Prakken Monday, March 18, 2013 3:18 PM
    • Unproposed as answer by Rense Prakken Monday, March 18, 2013 3:18 PM
    Tuesday, November 20, 2012 1:17 AM
  • Hi Oliver,

    What GMat said is also my question.
    Could you create something that everyone can force logoff?
    I'm working on a primary school en would like if the students can logoff others that has forgotten to logoff.

    I don't like to create a user that have local admin rights...

    Hope you can help and thanks in advance,

    Rense Prakken

    Monday, March 18, 2013 3:18 PM
  • Hi Oliver,

    What GMat said is also my question.
    Could you create something that everyone can force logoff?
    I'm working on a primary school en would like if the students can logoff others that has forgotten to logoff.

    I don't like to create a user that have local admin rights...

    Hope you can help and thanks in advance,

    Rense Prakken

    Friday, April 5, 2013 11:53 AM
  • The area of interest is in the file CSampleProvider.cpp at line 394. In my verison of the code, this line reads as

    bIsAdmin = groupSids.GetAt(i) == ATL::Sids::Admins();

    You can try to change that to

    bIsAdmin = groupSids.GetAt(i) == ATL::Sids::PowerUsers();

    to allow all members of the PowerUsers group to unlock. Alternatively, if you want anyone to be able to unlock, change the line to

    bIsAdmin = groupSids.GetAt(i) == ATL::Sids::Users();

    This allows all members of the "Users" group (which by default should be any User) to unlock a machine. I don't have the required testing environment anymore, so i cannot make these changes myself, sorry.

    Thursday, May 2, 2013 9:15 AM
  • For those confused, the file with that line of code is CSampleCredential.cpp, not CSampleProvider.cpp.
    Thursday, June 27, 2013 6:28 PM
  • We use PSEXEC from pstools to log users off of PCs.  The following command must be run from a domain administrator account.

    "psexec.exe \\%computername% CMD"     --This opens a command line for the remote system that is locked.
    "query session"     --This displays active sessions. (ie. user logged in)
    "logoff #"     --This will log out the specified session. (# = number of users session)

    Wait about 10 seconds and have the user try to log in again.  Works 99% of the time in our enviroment.

    Wednesday, August 7, 2013 11:30 AM
  • I get the following error when compiling again:

    CSampleCredential.cpp(16): fatal error C1083: Cannot open include file: 'atlstr.h': No such file or directory

    Please Could you help me?

    I 've the blsAdmin string chanced.

    Thursday, August 22, 2013 2:17 PM

  • Wondering if either GMat and Rense or anyone was able to get it working with other than admin users?

    We're an elementary school with 500 users and 150 computers; split 50/50 between XP and Win7 Pro. We're also brand new to AD, and this locked-screen business on the 7 machines is giving us major headaches. We just need a simple way for a user to be able to log off a locked user who walked away from the machine. This isn't a high-security environment and unsaved work is not an issue. These are kids, on web sites primarily. 

    Pulling power isn't a viable solution. We also don't have many admin users, with good reason, so there just aren't dedicated IT-capable employees at the ready to do this all day long. 

    We don't have the budget for Unlock Administrator, regrettably. I get that adminunlock would be perfect, but has anybody modified for it all users, as below? Much as I like to do very minor hacking, I don't Notepad will work here. ;)

    bIsAdmin = groupSids.GetAt(i) == ATL::Sids::Users();

    Hard to believe there isn't a policy available for this by now. Many thanks for any suggestions! 


    Thursday, December 12, 2013 10:43 PM
  • I would schedule two tasks in group policy.

    First one would be set to only run when the computer has been idle for 15 minutes and would call a batch file that contains the following command "rundll32.exe user32.dll, LockWorkStation" 

    Then the second one would only run when idle for 2 hours and would call shutdown.exe /L /F.

    Simple. Good Luck.

    Friday, December 13, 2013 1:02 AM
  • Awesome, works for me.
    Thursday, April 17, 2014 11:45 AM
  • On sourceforge is someone who combined your solution with another project from paralint.com to a working solution! This gives a domain user the ability to logoff another user by entering his own login name and password. The project name on sourceforge is: userunlock

    Tuesday, May 6, 2014 7:42 AM
  • Hi there i am trying to get this downloaded and the links are not working!  Can you please tell me where i can get this from?

    Many thanks

    Friday, July 11, 2014 11:09 AM
  • I was able to get this working by modifying the code to point to authenticated users rather than Administrators. This does mean that anyone can log anyone off these machines where this DLL is registered. I remember it being a pretty nifty solution at the time and it is something that we are still using in our customer service centres today. This was two years ago now, so please don't ask how I modified it, but I have the source files here if still required.




    Wednesday, September 10, 2014 11:40 AM
  • GMat

    Would you happen to have the 64 Version that allows power users to unlock the workstation. The 32bit version you posted works great.


    Thursday, December 11, 2014 6:01 PM
  • You can change the settings via Local Computer Policy or via GPO ;)

    Computer Configuration -> Administrative Template ->System->Logon

    Hide entry points for Fast User Switching
    just set 


    IMHO, AFAIK, etc

    Monday, June 1, 2015 4:31 PM
  • Hi i am computer Analyst here the trick

    click Start > Run > type regedit.exe and hit enter. ****

    Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

    Create a DWORD (32-bit) Value named HideFastUserSwitching (right-click on the right side of

    the editor and select New > DWORD(32bit) Value. DO NOT CREATE DWORD 64 bits*

      Set the Value data for HideFastUserSwitching to 0.

    Exit Regedit and reboot the machine.

    A Switch User button will appear after you lock the computer

    If you can’t create a key : Right click on regedt32 (regedit) and run as admin

    You can locate regedit in Windows/ /System32

    Wednesday, August 5, 2015 8:20 PM
  • Hello, I'm in the same deal. I have Read the entire thread, clicked everything and everything but It's not clear. The link listed in the post I'm replying to (still has skydrive..... So I changed it to onedrive... And I got it to redirect to the proper file download) I clicked it and downloaded the files and there was not .bat files. I looked at it all and I'm not sure where to place the files... 3 Things - Can I have a new download for the proper files or the script for the install locations - Where are install locations to put the DLLs, etc. - What is the software needed to run the software and can the software be installed "stand alone"
    • Proposed as answer by maucb Saturday, January 16, 2016 5:40 PM
    • Unproposed as answer by maucb Saturday, January 16, 2016 5:41 PM
    Thursday, September 24, 2015 2:40 AM
  • This ^^^^ Works freaking Great! Thanks!
    Friday, January 15, 2016 3:25 AM
  • I found in another discussion the solution, but it will require you to adjust it prior to use, I mean, you will need at least to connect to the Win7 session with your account (supposing you are a Win7 administrator´s group member).

    ***(need to be executed with administrative privileges)***

    start==>Run "secpol.msc"
    Navigate to Local Policies==>Security Options
    Find "Interactive Logon: Display User Information when Session is Locked"
    Change to "User display name, domain and user names"

    Saturday, January 16, 2016 5:45 PM
  • Wednesday, March 30, 2016 8:19 AM
  • Hi GMat,

    Is is possible to get the source files from you?  Were you able to make it work for x64?  I'm especially interested in the X64 version where any user can unlock.


    Wednesday, April 13, 2016 2:02 PM
  • David,

    Is it possible to get a version where any user can unlock?  especially an x64 version.


    Wednesday, April 13, 2016 2:04 PM
  • Hi,

    I want you really to thank you this solution.

    Please, can you help me to adapt this solution to Windows 10?

    It should be marvelous.


    Wednesday, April 20, 2016 9:47 AM
  • Im done!

    it works perfect also in windows10


    Wednesday, April 20, 2016 11:13 AM
  • Did you ever get a 64bit Win 7 non admin user version of this by any chance?


    Thursday, November 17, 2016 3:14 PM
  • So I would love a Win7 64bit version that will let a regular domain user use this. I found a 32bit version but we recently converted to 64bit. :(


    Thursday, November 17, 2016 3:17 PM
  • Hi oliver,

    thank you a lot for your admin unlock solution..it really work great !

    I'm coming to you so maybe you can help me out (i'm just a noob in C++), in my environment, we always have users that leave a locked computer and within the session there is an active virtual box session.

    We developped a script that properly shut the virtual computer but once the main computer is locked, my users usually force a shutdown by holding powerbutton.

    Is there a way to modify your adminunlock to just run a script once we click on it ? my goal is to have the same as your admin unlock just called "Unlock" that runs my script that shut properly all the sensitives programs and then log off the user ...

    thanks in advance

    Wednesday, December 14, 2016 10:13 AM
  • Wow, this thread has been running for a long time. I've read some pretty new questions and recently came around to revisit and improve my code.

    The new files are stored in my OneDrive: https://1drv.ms/f/s!AKUmxRQUg2OTaQ

    Only a few things were done to this version of AdministrativeUnlock:
    1. The Username can now be type in using the "DOMAIN\USERNAME" as well as the "USERNAME@DOMAIN" formats.
    2. You can set the SID of the group you want to be authorized to unlock Windows by setting the the REG_SZ registry key "HKEY_LOCAL_MACHINE\SOFTWARE\AdministrativeUnlock\AuthorizedGroup_SID" to the SID of the group you want. If you want "Power Users" instead of administrators to be able to unlock the machines, you fill in "S-1-5-32-547", for "Users", that would be "S-1-5-32-545" as the value for this Key. You can also use SIDs of your domain as a value. An easy way to find out the SID of a Domain Group is using the Powershell Command "Get-ADGroup <GroupName>".
    If no Group with the given SID is found, AdministrativeUnlock falls back on using the local Administrators group.
    3. The error message a user gets when he does not belong to the authorized group mentions the authorized group so it is more clear as to what kind of access right the user misses.

    The Installation procedure is still the same. Use "Run as Administrator" on the .cmd-File corresponding to your architecture and you're set.

    To adress a few of the feature requests that aren't built into the new version:
    .) Run a script instead of just logging off the user
    I'm sorry, but you're proposing to run a script in the context of the currently logged on user (you want to modify his session), so that's not only out of scope of an Unlocker, it's a major security risk. I'd strongly advise you to not do that.
    .) Automatically log on the unlocking User
    Without having done too much research on that, i couldn't get that to work.

    Known problems:
    - for unknown reasons, sometimes you incorrectly get an Authentication Error using the DOMAIN\USERNAME format. I have no idea where that problem comes from, trying again (sometimes a few times) without changing Username or password will result in it working.
    • Edited by Oliver F Thursday, September 28, 2017 12:14 PM
    • Proposed as answer by Oliver F Thursday, September 28, 2017 12:34 PM
    Thursday, September 28, 2017 12:12 PM
  • Thanks so much for the update!

    Quick question though...would it be possible for you to create an "OLD" folder or something on your file share and re-post the original source code? I'd like to verify my existing DLLs are matching. Thanks!

    Monday, January 22, 2018 9:56 PM
  • Oliver,

    I've set the value of the key "REG_SZ registry key "HKEY_LOCAL_MACHINE\SOFTWARE\AdministrativeUnlock\AuthorizedGroup_SID" to the SID  "S-1-5-32-547" for "Users" and when attempting to unlock it is still defaulting to the built in Administrators group only. Am I missing something?

    Has anyone been able to get this to work with users that aren't a local admin?

    Tuesday, October 9, 2018 2:32 PM
  • -547 is "Power Users"

    -545 is "Users"

    Wednesday, March 20, 2019 3:31 PM
  • Oliver, is there a version available for Windows 10 1903? The linked https://onedrive.live.com/?id=9363831414C526A5%21105&cid=9363831414C526A5 does not work on 1903, there is no new credential provider to be seen.
    Tuesday, September 3, 2019 7:53 AM