local security policies...


jay9333 (IS-IT--Management)
Dec 5, 2003
In my workplace we just recently stripped all our users of administrative rights. Of course we get the usual complaints of "I can't install my [insert ad-ware bundle programs] anymore". But we also have gotten some legitimate complaints as well.

One complaint is that some users leave their computers for good while logged in. Then our other users can't unlock the computer or log the first user off because they don't have administrative rights. We lock computers after 10 minutes, but we don't want to automatically log off our users after a certain amount of time because we've deemed that would not be good for the type of work our users do. So as it is, our users are just pulling the plugs on the machines when this happens.

Can you suggest a good workaround? I'm not aware of any way to give normal users the right to log other normal users off. Is this possible?

Another thing my users would like to be able to do is to turn their wireless networking on and off depending on where they have their notebooks. Any suggestions for workarounds for these problems or places I could look around would be appreciated. The "log off" problem is the more important of the two.

Thanks,

Jay9333
 
Thanks for responding. What do you mean by "use a screensaver"? I don't think Domain authentication works because the whole problem is that our users aren't administrators, so when they attempt to authenticate they are authenticated as standard users who don't have rights to log others off (and therefore the workstation remains locked by the previous user).

Also, as far as disabling wireless... the problem is that users without administrative rights aren't able to disable or enable wireless. IOW, only administrators can right-click the notification tray icon for the wireless connection and select 'Disable'. I think I've solved this problem though, simply by adding all my users to the Network Configuration Operators Group. This gives them the ability to enable or disable wireless as they please, but still restricts them from being administrators (so they can't install mal-ware on our computers).

The first problem remains though. I can't figure out a way to let normal (non-administrator) users log off other users who have locked the computer. Normal users don't have the rights to do that, but I wish I knew how to give them those rights. Does that make sense?

bcastner wrote:
Q#1: Either use a screensaver or Domain authentication:

Q#2: Right-click the notification tray icon for the wireless connection and select 'Disabled.'
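The delegation described in the reply above (members of Network Configuration Operators can toggle a connection without being administrators) can be rolled out and verified from the helpdesk side. The following is an added example, not code from the original thread: it puts a domain group into the local Network Configuration Operators group on a list of workstations and also confirms that the same group is not sitting in local Administrators, which is the point of the exercise. The domain CONTOSO, the group "Laptop Users" and the hostnames are placeholders, and the script assumes PowerShell 5.1 or later on the targets with PowerShell Remoting enabled.

```powershell
# Added example (not from the original thread). Grants a domain group membership
# in the local "Network Configuration Operators" group on each listed workstation
# so its members can enable/disable the wireless adapter without local admin rights.
# Placeholders: domain CONTOSO, group "Laptop Users", hostnames below.
$DomainGroup  = 'CONTOSO\Laptop Users'
$LocalGroup   = 'Network Configuration Operators'
$Workstations = @('LAPTOP01', 'LAPTOP02')   # constructed sample list

$results = Invoke-Command -ComputerName $Workstations -ScriptBlock {
    param([string]$LocalGroup, [string]$DomainGroup)

    # Get-LocalGroupMember throws if the group is missing or if a member's SID no
    # longer resolves; report the failure for this host instead of aborting the run.
    try {
        $members = @(Get-LocalGroupMember -Group $LocalGroup -ErrorAction Stop)
    } catch {
        return [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Status          = "lookup failed: $($_.Exception.Message)"
            StillLocalAdmin = $null
        }
    }

    # Least-privilege check: the group must not also be in local Administrators,
    # otherwise the whole point of removing admin rights is lost.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    $stillAdmin = [bool]($admins.Name -contains $DomainGroup)

    if ($members.Name -contains $DomainGroup) {
        $status = 'already a member'
    } else {
        Add-LocalGroupMember -Group $LocalGroup -Member $DomainGroup -ErrorAction Stop
        $status = 'added'
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Status          = $status
        StillLocalAdmin = $stillAdmin
    }
} -ArgumentList $LocalGroup, $DomainGroup

$results | Sort-Object Computer | Format-Table Computer, Status, StillLocalAdmin -AutoSize
```

Any row with StillLocalAdmin set to True needs attention before the rollout counts as done. Keep in mind that Network Configuration Operators is broader than "toggle the wireless adapter": its members can also rename connections and change TCP/IP settings on them. That is still far narrower than Administrators, but it should be a deliberate choice.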
 
You are correct that forcing domain authentication is not going to help in this instance.

But replacing the locking mechanism with a third-party utility is a valid option. You can specify a generic username and password that is irrespective of the NT rights assignments from the OS. For example,
 
I don't think that's going to work either, because we also don't want our users to be able to access each other's accounts. If they can all unlock each other's computers, then they can all get into each other's accounts. We just want to give them the right to shut down the computer, not to actually unlock it.

~Jay9333

bcastner wrote:
You are correct that forcing domain authentication is not going to help in this instance.

But replacing the locking mechanism with a third-party utility is a valid option. You can specify a generic username and password that is irrespective of the NT rights assignments from the OS. For example,
 
I think your only choice at this point is to consider a remote shutdown command. At the default logon screen lock you can use Ctrl-Alt-Del to get a shutdown prompt, but it will actually require a new logon by the user.

XP can do this through the MMC, or use sysinternals freeware psshutdown:
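As an added example (not code from the original thread or from Sysinternals), here is the helpdesk-side version of the remote shutdown suggested above, with the check a practitioner would want before pulling the trigger: who is logged on to the console and how long the session has been idle. The caller needs administrative rights on the target; that requirement is exactly why the standard users in this thread cannot do it themselves. The host name, thresholds and the sample quser output in the comments are constructed placeholders, and the logoff path assumes psshutdown.exe is on the PATH.

```powershell
# Added example (not from the original thread). Remote shutdown, or logoff, of a
# workstation that a user locked and walked away from, gated on console idle time.

function ConvertTo-IdleMinutes {
    # quser prints idle time as "none", ".", "35", "1:35" or "2+03:15" (days+hh:mm).
    param([string]$Idle)
    switch -Regex ($Idle.Trim()) {
        '^(none|\.)$'          { return 0 }
        '^(\d+)\+(\d+):(\d+)$' { return [int]$Matches[1] * 1440 + [int]$Matches[2] * 60 + [int]$Matches[3] }
        '^(\d+):(\d+)$'        { return [int]$Matches[1] * 60 + [int]$Matches[2] }
        '^\d+$'                { return [int]$Matches[0] }
        default                { return 0 }
    }
}

function Get-InteractiveSession {
    # Parse 'quser /server:HOST' into objects. Constructed sample of the raw text:
    #  USERNAME  SESSIONNAME  ID  STATE   IDLE TIME  LOGON TIME
    # >jsmith    console       1  Active  1:35       12/5/2003 8:02 AM
    param([string]$ComputerName)
    $raw = quser /server:$ComputerName 2>$null
    if (-not $raw) { return @() }     # no sessions, or host unreachable
    $raw | Select-Object -Skip 1 | ForEach-Object {
        # A leading '>' marks the caller's own session. SESSIONNAME is blank for
        # disconnected sessions, which drops a column, so re-insert it.
        $f = @((($_ -replace '^>', ' ').Trim()) -split '\s{2,}')
        if ($f.Count -eq 5) { $f = @($f[0], '') + $f[1..4] }
        [pscustomobject]@{
            User        = $f[0]
            Session     = $f[1]
            Id          = [int]$f[2]
            State       = $f[3]
            IdleMinutes = ConvertTo-IdleMinutes $f[4]
            LogonTime   = $f[5]
        }
    }
}

function Invoke-LockedStationShutdown {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [int]$MinIdleMinutes = 30,
        [int]$GraceSeconds   = 120,
        [switch]$LogoffOnly          # log the console user off instead of shutting down
    )
    $console = Get-InteractiveSession -ComputerName $ComputerName |
               Where-Object { $_.Session -eq 'console' } | Select-Object -First 1
    if (-not $console) { Write-Warning "No console session on $ComputerName; nothing to do."; return }

    Write-Host ("{0}: {1} logged on at {2}, idle {3} min" -f
        $ComputerName, $console.User, $console.LogonTime, $console.IdleMinutes)
    if ($console.IdleMinutes -lt $MinIdleMinutes) {
        Write-Warning "Idle less than $MinIdleMinutes min; the user may still be nearby. Not acting."
        return
    }

    $msg = "Locked and idle for $($console.IdleMinutes) min; ending the session in $GraceSeconds s so another user can log on."
    if ($LogoffOnly) {
        # shutdown.exe cannot log off a remote console (/l cannot be combined with /m);
        # Sysinternals PsShutdown can: -o logs off the console user, -f forces it.
        if ($PSCmdlet.ShouldProcess($ComputerName, "psshutdown -o (log off $($console.User))")) {
            & psshutdown.exe "\\$ComputerName" -o -f -t $GraceSeconds -m $msg
        }
    } elseif ($PSCmdlet.ShouldProcess($ComputerName, 'shutdown /s')) {
        & shutdown.exe /s /f /m "\\$ComputerName" /t $GraceSeconds /c $msg /d p:0:0
    }
}

# Usage from a helpdesk workstation, as an account with admin rights on the target:
# Invoke-LockedStationShutdown -ComputerName LAB-PC07 -MinIdleMinutes 30 -WhatIf
# Invoke-LockedStationShutdown -ComputerName LAB-PC07 -LogoffOnly
```

Two caveats. A forced logoff or shutdown discards the absent user's unsaved work just as pulling the plug does; the difference is that the file system and the user's profile are closed cleanly. And quser reports "none" for a console session that has seen input in the last minute, which the parser treats as 0 minutes idle; if a host reports "none" for a machine you know has been untouched for hours, treat the idle check as inconclusive and confirm with the user's colleagues before acting.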
 
"So as it is, our users are just pulling the plugs on the machines when this happens."

"We just want to give them the right to shut down the computer, not to actually unlock it."

Shutdown: Allow system to be shut down without having to log on.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options


Determines whether a computer can be shut down without having to log on to Windows.

When this policy is enabled, the Shut Down command is available on the Windows logon screen.

When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown.

Defaults:

Enabled on workstations.
Disabled on servers.


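The setting quoted above can be audited across the fleet and, in a domain, enforced centrally rather than edited per machine. The following is an added example, not code from the original thread: it reads the value that backs this policy, the ShutdownWithoutLogon DWORD under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (1 = enabled), on a list of workstations, and then shows the GPO-side write with the Group Policy module. The hostnames and the GPO name "Workstation Baseline" are placeholders; the audit assumes PowerShell Remoting, the GPO step assumes RSAT on the admin workstation.

```powershell
# Added example (not from the original thread). Audits and centrally enforces
# "Shutdown: Allow system to be shut down without having to log on".
$Key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Value = 'ShutdownWithoutLogon'   # REG_DWORD: 1 = enabled, 0 = disabled

function Get-ShutdownWithoutLogon {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Key, $Value)
        $v = (Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue).$Value
        # An absent value means the OS default applies: enabled on workstations,
        # disabled on servers, as quoted in the post above.
        if ($null -eq $v)   { $setting = 'not set (OS default)' }
        elseif ($v -eq 1)   { $setting = 'Enabled' }
        else                { $setting = 'Disabled' }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Setting = $setting }
    } -ArgumentList $Key, $Value
}

# Constructed sample list of workstations to audit.
Get-ShutdownWithoutLogon -ComputerName 'WS01', 'WS02' |
    Format-Table Computer, Setting -AutoSize

# Enforce it through Group Policy instead of touching each machine. A local edit
# under Policies\System is overwritten at the next policy refresh if a GPO
# governs the setting, so the GPO is the place to change it.
Import-Module GroupPolicy
Set-GPRegistryValue -Name 'Workstation Baseline' `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName $Value -Type DWord -Value 1
```

As the next reply in the thread points out, this setting only adds Shut Down to the logon screen, which is shown when nobody is logged on; it does nothing for the locked-workstation dialog, so on its own it does not solve the "someone left the machine locked" case.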
 
Thanks Linney. Actually, we have the "allow shutdown at log on" enabled on all our workstations. It doesn't solve our issues because our users log into a Win2K domain. Fast User Switching is not possible in that environment, according to Microsoft. So users who attempt to unlock a computer aren't actually "logging on". They are just trying to unlock. The "shutdown" option is only there when users log on (i.e., when no one else is logged in at the time). Only one user can be logged in on a computer at a time in a domain, so in order for the second user to log on (and have the "shutdown at log on" option) he needs to be able to first log off the user who locked the computer. I've found no way to give users that ability.


Linney wrote:
"So as it is, our users are just pulling the plugs on the machines when this happens."

"We just want to give them the right to shut down the computer, not to actually unlock it."

Shutdown: Allow system to be shut down without having to log on.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines whether a computer can be shut down without having to log on to Windows.
 
I don't think we want our users calling us to do a remote shutdown every time someone leaves a workstation locked... that could turn into a real resource-sucker. And as far as logging off the user at the logon screen, see my response to linney just above this one. Thanks again for your thoughtful input though.

~Jay9333

bcastner wrote:
I think your only choice at this point is to consider a remote shutdown command. At the default logon screen lock you can use Ctrl-Alt-Del to get a shutdown prompt, but it will actually require a new logon by the user.

XP can do this through the MMC, or use sysinternals freeware psshutdown:
 
Thanks Dollar. We don't want to do the "auto-logoff after a certain amount of time" because we didn't want users who legitimately have left the station for a few minutes to lose their work. But the link you provided allows for not logging off users who have unsaved work open. I suppose users could still walk away with unsaved work open, and we'd have the same problem. But if no better alternatives come up, this may be what we go with for now.

Thank you,

~Jay9333

Dollar wrote:
Got another link for you...

 