Unlocking Workstations

  • Thread starter: Alan Coleman

Alan Coleman

Hi,

I am having a problem with the user population at my organization. I'm
running a pure Windows 2000 Server/Workstation environment with Active
Directory. Currently, I have a policy enabled that makes it so that the
workstation locks after 15 minutes of inactivity. This is because we have a
lot of sensitive medical/client information on the computers and we need to
keep it protected. My users have a tendency to walk away from their
computers and just leave them up, aiding the possibility of non-authorized
people to sit down at their computers and have complete access to network
files. Automatic workstation locking seemed to be the best solution for
this.

However, there is a problem. When a workstation locks itself, only the user
or an administrator can unlock the workstation. This means that when
someone walks away from their machine and just leaves themselves logged in,
no one else can use it. This frustrates users because now users can't hop
onto a machine quickly to get to their own files or email. So now my users
give out their passwords to other users "Oh, you need to unlock my machine,
here my password is..." or even better, they tape their passwords to their
monitors so that anyone can get into the machine at any time, thus defeating
the purpose of security to begin with.

What I would like to do, to solve this problem, is have regular users be
able to unlock workstations, just like administrators can do. I don't see
this as a security risk because when someone other than the user unlocks a
workstation, Windows logs the original user out, so you can't get to their
files or anything else. But it seems that there is no policy option of any
kind that would allow me to give normal users the ability to unlock a
workstation. It also appears that the only user level able to unlock
networked workstations is a Domain Administrator. I had thought about
creating an account called "unlock" that users could use to unlock other
workstations, but there is no way I can have a generic domain administrator
account on my system.

There must be a way to solve this dilemma. Any suggestions would be helpful.

--
 
Hi !

I know there is a screen saver that logs off users... Thus, if you
configure a GPO with this screen saver and a time of 15 minutes... you will
have a solution!!!

Sorry, but I can't direct you to a web site to download this screen saver
because I don't have any idea where you can download it!

If you find it, let me know !

Hugo
 