Allow Administrator to unlock Windows system

3

1

Is there a way to allow either the domain administrator or a specific group to unlock screen savers or locked systems in a Windows domain environment?

Here's our usage scenario. We have a mixture of Windows XP and Windows 7 systems. Some of the users access an IBM iSeries via the terminal emulator. When users leave a session open it blocks our day end processes. To fix that we have to access the user's computer either by physically going to it or via LogMeIn and log them out of their "greenscreen". We are able to kill the terminal emulator or kill the sessions from the iSeries. However, that's not ideal as it can leave records in the business system locked.

Currently we're maintaining a list of usernames and passwords (bad idea, I know) so that we're able to log in and close sessions when they've been left open and their computers have been locked. I'd like people to lock their systems when they step away and a screen saver would accomplish this nicely. However, I do need to be able to unlock those computers if somebody forgets to log out before leaving. Any suggestions?

Update 1: Unfortunately the enterprise app does not respect logout commands and free up the records. I did some research on grawity's comment. It looks like we might be able to use a custom credential provider on Windows 7. Here is a sample for Vista and Windows 7. We could use a custom GINA for Windows XP.

dkwiebe

Posted 2012-02-22T22:35:57.820

Reputation: 428

Surely there must be a way to close the sessions from the server end? – Harry Johnston – 2012-02-22T23:18:53.287

Have you tried using pskill to forcibly close the terminal emulator application on the client machines? – Harry Johnston – 2012-02-22T23:19:41.193

I updated the question. We would prefer to not just kill the sessions as it leaves records in the system locked. This is an issue with the application that the vendor doesn't seem interested in working with. – dkwiebe – 2012-02-23T04:32:03.413

It's possible to force-unlock a Windows XP system given a certain magic command; the login system has been changed too much in Win7 though. – user1686 – 2012-02-23T10:57:15.217

Answers

1

Have a look at Unlock Administrator. This program lets you assign what user or group of users is allowed to unlock systems. The users do not need to be admins. You can also set which users can unlock without closing the session and which can unlock but log the user off. The unlocking events can be logged for accountability.

Tony Fiore

Posted 2012-02-22T22:35:57.820

Reputation: 46

This program would do what we need for XP. They claim to have a beta version for 7. I'll take a look at it. – dkwiebe – 2012-02-23T18:14:00.357

I have already been testing the Windows 7 version. It works as advertised but there are a number of features (such as running scripts when locking and unlocking) in the XP version that are missing in this version. – Tony Fiore – 2012-02-23T18:57:29.533

It looks like the product is out of beta now. – Tony Fiore – 2012-05-11T15:07:01.337

3

Any domain administrator can issue a remote logoff of a Windows session using logoff.exe. Hopefully your terminal emulator will see the Windows logoff and forward the disconnect so your enterprise app will release the records correctly.

See this page for a short tutorial.

logoff <sessionId> /server:<serverName>

Scott Chamberlain

Posted 2012-02-22T22:35:57.820

Reputation: 28 923
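
The `logoff` command in the answer above needs a session ID, which `quser /server:<serverName>` reports. The following is an added example, not part of the original answer: it parses `quser` output to find one user's session and passes its ID to `logoff.exe`. The function names and the sample rows are constructed for illustration, and the parser assumes the default English column layout of `quser`.

```powershell
# Added example (not from the original answer). Function names are hypothetical.
function ConvertFrom-QuserOutput {
    param([string[]]$Lines)
    foreach ($line in ($Lines | Select-Object -Skip 1)) {      # skip the header row
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # A leading '>' marks the caller's own session; strip it, then split on 2+ spaces.
        $f = ($line -replace '^[\s>]+', '').Trim() -split '\s{2,}'
        # Disconnected sessions have an empty SESSIONNAME column, so the row is one field short.
        if ($f.Count -ge 6) { $name, $id, $state = $f[1], $f[2], $f[3] }
        else                { $name, $id, $state = '',    $f[1], $f[2] }
        [pscustomobject]@{ UserName = $f[0]; SessionName = $name; Id = [int]$id; State = $state }
    }
}

function Invoke-RemoteLogoff {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$UserName
    )
    $sessions = ConvertFrom-QuserOutput -Lines (quser.exe "/server:$ComputerName" 2>$null)
    $target = @($sessions | Where-Object { $_.UserName -eq $UserName })
    # Refuse to guess: act only when exactly one session matches the requested user.
    if ($target.Count -ne 1) {
        throw "Expected one session for '$UserName' on $ComputerName, found $($target.Count)."
    }
    # -WhatIf shows the action without running it; -Verbose records what was done.
    if ($PSCmdlet.ShouldProcess("$ComputerName session $($target[0].Id) ($UserName)", 'logoff')) {
        logoff.exe $target[0].Id "/server:$ComputerName"
    }
}

# Constructed sample of quser output, used to exercise the parser offline.
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME'
    ' jdoe                  console             1  Active      none   2/22/2012 8:01 AM'
    ' asmith                                    2  Disc        1:05   2/22/2012 7:45 AM'
)
ConvertFrom-QuserOutput -Lines $sample | Format-Table -AutoSize

# Dry run against a placeholder host name:
# Invoke-RemoteLogoff -ComputerName 'WORKSTATION-PLACEHOLDER' -UserName 'jdoe' -WhatIf
```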

1

We use Blaser WinUnlock in our environment. It's not buggy like Unlock Administrator and much easier to deploy. The latest version works on Windows 10. Being that we're a school, it lets us audit what the students are doing if they leave a machine locked overnight or for hours during the school day.

Toni MacArthur

Posted 2012-02-22T22:35:57.820

Reputation: 11