5

Is it possible to delegate the right to log other users off? I'd like to give users the ability to log another user off of a computer, but I'm not willing to make everyone administrators to do so. We are currently on an 03 domain but are in the process of upgrading to 08. I know I can create a scheduled task to log the user off after a certain idle time, but don't really like that solution either.

I'm not talking about servers. I'm talking about standard client PCs (XP and 7) out in the house and I want average users to be able to log other average users off.

Shawn
  • Have you had a look in the Terminal Services Configuration section of the TS? – Bart De Vos Jan 24 '12 at 14:28
  • I'm not talking about a Terminal Server. :) – Shawn Jan 24 '12 at 14:48
  • Are you talking about users logged into the servers? If not, what OS are you / will you be running *on the clients*? – Harry Johnston Jan 25 '12 at 02:49
  • XP and 7, updated question. – Shawn Jan 25 '12 at 14:30
  • Windows 7 supports user switching even when the machine is joined to a domain; this mitigates the problem somewhat (but does not eliminate it completely, because there may be applications left running in the other session which block some resources). – Sergey Vlasov Jan 25 '12 at 14:40
  • Yes, our PCs aren't good enough for user switching to be an alternative to this, and it is deployed in VERY limited settings. 95% XP; I would like to get it to work on both, but XP is the priority. – Shawn Jan 25 '12 at 16:19
  • On Windows 7 (as a domain member, in the default configuration) anybody can log the current user out by rebooting the machine. Not ideal, but FYI. – Harry Johnston Jan 26 '12 at 01:14
  • On Windows XP there is nothing stopping third-party or homemade software from providing an option to log out the current user. One approach would be to use a custom GINA, though I think there would be easier ways. Unfortunately I don't personally know of any existing software that does this, but you might like to look around. – Harry Johnston Jan 26 '12 at 01:17

3 Answers

2

This replacement GINA should work for XP: http://www.paralint.com/projects/aucun/

On Windows 7 I should be able to create an "on idle" task to log off the users after a certain idle time, which will at least unlock the computer eventually.

Shawn
1

Had the same problem as you. It seems there is a third-party application called Unlock Administrator that lets you do just that. You can set exactly which users (even standard users) can unlock a system. There is an option to log off the user instead of just giving them access to the session. There are separate versions for XP and Vista/7.

Tony Fiore
0

The simple answer is "No". There is no way to do this without giving them local administrator privileges.

The only two solutions that I'd know of that might help you here are the following:

You could prevent them from locking the workstations in the first place. Under User Config > Administrative Templates > System > Ctrl+Alt+Del Options you can remove "Lock Computer". Of course, that might raise some security concerns...

On domains you can enable Fast User Switching, which may help maneuver around the problem quite well.

juwi