Unlocking a locked workstation?


VaKo

As part of my job I have to do desk side support, and a trend I've noticed is people phoning in a problem, locking their workstation and leaving for the secret break room IT staff cannot find. I have domain admin privileges so I can just log a user out, or reset their password and login as a user. What I was wondering was, would it be possible to use my domain admin account to log into a locked user account as the user without disrupting their session? My basic research indicates that this isn't possible, but have I missed something?

I have about 500 machines I look after (as part of a team) and a good amount of those are scattered between London and Karachi in remote offices or with road warriors. We've not gone towards a Vista deployment despite some of us pushing for trials. It's more about being able to walk up to a locked machine and unlock it with my details.

What I was wondering was, would it be possible to use my domain admin account to log into a locked user account as the user without disrupting their session?

Hey Vako,

If I'm reading this correctly, probably not. You want to know if there is a way to log into a locked user's account profile as the user, that's presumably locked out?

Since you have domain admin on the machine you can use an asynchronous remote control app, kind of like RDP.

There are a few ways to remotely enable RDP on boxes on your LAN.

This way, it gives you access to the box without the user, who is logged in, having any idea you are connected.

This might be a little offtopic, but you say that XP only supports one user logged in at a time? I mean, I know it's nothing like UNIX/Linux capabilities, but isn't there a switch user button next to log out on XP?

Just a thought :mellow:

USBHacker

EDIT;

Just been thinking about it, probably not what you want, but you could replace the StartKey+U with something that allows you access...

Or there is a way to do Rainbow Tables over the domain... so maybe that method.

Though I don't know if any of these methods will go against your policies or whatever... but, well, a suggestion is a suggestion!!! :P

If you join XP to a domain you have a username/password login box and not the user selector screen you would see on XP by default.

Cracking passwords would get me fired faster than it took to write this post...

1. If you join XP to a domain you have a username/password login box and not the user selector screen you would see on XP by default.

2. Cracking passwords would get me fired faster than it took to write this post...

1. Ah... okay, are you sure you can't change this with Administrative Templates in gpedit.msc?

2. LOL :lol:.... does that include replacing Start+U with cmd?

Hmm... didn't know that!

I'll have to try and find a third-party tool that can do that on a domain :rolleyes:

Really this is a non-issue.

There are two ways around this. First, if you are running Windows Server then you should be using Active Directory to push any changes out to machines, and depending on your server setup it may take a few hours for the changes to sync across the domain.

The second way of getting around this is to make sure the person doesn't lock their computer.

I found this on some site... not the preferred way to do it but an option. It would be better to do it using the GPO editor.

If random users chose to lock the system (by pressing Ctrl+Alt+Delete and clicking the Lock Computer button), an administrator would need to manually unlock the system. To avoid this, the Lock Computer button can be disabled.

To disable the Lock Computer button, open Regedit and browse to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System and create a new REG_DWORD value in each called DisableLockWorkstation. Setting this value to 0 will allow the Lock Computer button to be used, while 1 will disable it.

And as a final thought... what are you doing to these computers that you need to unlock them anyway? Most tasks can be, like I mentioned before, updated via a logon script or the GPO editor. Those are skills you should work on. If you don't have access to that on your domain then you probably shouldn't be doing any kind of computer unlocking anyway... Also I like to run Ultra VNC over the domain, which can be set up to use mslogon if you want... but either way it's a lot handier than RDP for managing remote desktops without the user having to be logged out, and you don't have to get out of your seat.

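A read-only audit for the DisableLockWorkstation value described in the post above, as an added example that is not part of the original thread: it reports whether the value is set machine-wide or in any loaded user hive, so a workstation where locking has been switched off can be spotted. Enumerating the per-user hives under HKEY_USERS is this example's own choice, and the function name Get-LockPolicy is hypothetical.

```powershell
# Added example: report where the DisableLockWorkstation policy value is set.
# Read-only; run in an elevated PowerShell session on the workstation.
$subKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$name   = 'DisableLockWorkstation'

# Hypothetical helper: read the value under one registry root and
# return an object describing what was found (Value is $null if absent).
function Get-LockPolicy {
    param([string]$Root, [string]$Scope)
    $path  = "Registry::$Root\$subKey"
    $item  = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.$name } else { $null }
    [pscustomobject]@{
        Scope        = $Scope
        Value        = $value
        LockDisabled = ($value -eq 1)   # 1 disables the Lock Computer button
    }
}

# Machine-wide setting.
$results = @(Get-LockPolicy -Root 'HKEY_LOCAL_MACHINE' -Scope 'Machine')

# Per-user settings: HKEY_USERS\<SID> exists for every loaded profile.
# The pattern keeps account SIDs and skips the *_Classes and service hives.
Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $results += Get-LockPolicy -Root "HKEY_USERS\$($_.PSChildName)" -Scope $_.PSChildName
    }

$results | Format-Table -AutoSize
```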

Being that I read it correctly -- how do you presume to log into an account using an account that is locked out?

At any rate, I know what your objective is and you should look at the following product:

www.dameware.com

I mentioned using an asynchronous app, I meant synchronous, so this way you can access the actual desktop of the locked user.

It's very simple, a user calls me and says "I can't spell check in Dutch/add this printer/open this file/SAP is weird/my monitors are the wrong way around/I can't save my Word document", something I can't do remotely or in a different session, or I don't want to kick them off and lose any open edits, then they lock their computer (something we're not going to disable for obvious reasons) and wander off. I then come up and cannot use the machine without ending their session. What I want to be able to do is use my domain admin account to unlock their session, do whatever needs doing, and then lock it so when they come back, all they notice is whatever was wrong isn't wrong any more. Scripting can solve a lot of these tasks I know, but this would save me a little time for the random things it can't.

It's very simple, a user calls me and says "I can't spell check in Dutch/add this printer/open this file/SAP is weird/my monitors are the wrong way around/I can't save my Word document", something I can't do remotely or in a different session, or I don't want to kick them off and lose any open edits, then they lock their computer (something we're not going to disable for obvious reasons) and wander off. I then come up and cannot use the machine without ending their session. What I want to be able to do is use my domain admin account to unlock their session, do whatever needs doing, and then lock it so when they come back, all they notice is whatever was wrong isn't wrong any more. Scripting can solve a lot of these tasks I know, but this would save me a little time for the random things it can't.

I don't think there's a good tech way to solve this problem. It seems like the problem would solve itself the first time they're busy with something, call you, walk away, and come back to see you hadn't done anything waiting on them.

I mean, if they're calling you for help, can't you just tell them to wait for you to get there or to make sure their screen isn't locked when you arrive?

I don't think there's a good tech way to solve this problem. It seems like the problem would solve itself the first time they're busy with something, call you, walk away, and come back to see you hadn't done anything waiting on them.

I mean, if they're calling you for help, can't you just tell them to wait for you to get there or to make sure their screen isn't locked when you arrive?

Actually there is a good way to fix all this. Like I had mentioned before, logon scripts and using the GPO editor to manipulate group policies.

Then use Ultra VNC to remote control if need be...

Even if you installed SSH you could run scripts to fix whatever is wrong with their setup.

  • 5 weeks later...
As part of my job I have to do desk side support, and a trend I've noticed is people phoning in a problem, locking their workstation and leaving for the secret break room IT staff cannot find. I have domain admin privileges so I can just log a user out, or reset their password and login as a user. What I was wondering was, would it be possible to use my domain admin account to log into a locked user account as the user without disrupting their session? My basic research indicates that this isn't possible, but have I missed something?

There is a third-party tool that will allow you to set which users can unlock the system (either closing the session or not). It is called Unlock Administrator and you can find more information about it at Unlock Administrator.

I have used it for about a year now and it works as expected.

mArtY

While I have a tremendous amount of leeway regarding the content of the images my company uses, anything which deals with security settings like this application must be reviewed before it's deployed, i.e. changes must be controlled. If the senior admin says no to this, as happened with iPhones + Exchange, then it's a no go. So basically I have to run some trials and then make a business case for this software being purchased.
