How to prevent admin (or admin user) from signing on when I am on and station is locked ?

  • Thread starter Thread starter Mark
  • Start date Start date
M

Mark

I had this happen to me today and It's f-ing annoying !!!

I had a pile of apps open and locked my workstation only to come back to my
desk and find out that some admin force me out so he could log in to install
some useless crap. This is on a domain network, so I can't just change the
admin password since there are countless ids with admin rights.

I couldn't find anything obvious in secpol.msc
 
Mark said:
I had this happen to me today and It's f-ing annoying !!!

I had a pile of apps open and locked my workstation only to come back to my
desk and find out that some admin force me out so he could log in to install
some useless crap. This is on a domain network, so I can't just change the
admin password since there are countless ids with admin rights.

TBH, I doubt that you can. The administrator is the holder of the highest
rights on the network/machine. If you do manage it, then you are probably
just asking for more trouble of a real (rather than computer related) sort.

It sounds like your company just needs more policies preventing
administrators from doing that sort of thing without the user's
permission/knowledge. Maybe you could let your superiors know how much work
was lost from their actions?

JW
 
Mark said:
I had this happen to me today and It's f-ing annoying !!!

I had a pile of apps open and locked my workstation only to come back to my
desk and find out that some admin force me out so he could log in to install
some useless crap. This is on a domain network, so I can't just change the
admin password since there are countless ids with admin rights.

I couldn't find anything obvious in secpol.msc

You are at the mercy of the admin. I myself have worked as a contractor for
a UK bank and have been in the situation where some request has been made to
upgrade a user of a number of users to a new version of a particular piece
of software that request usually comes from the user themselves or their
supervisor.

When you go to their desk you find they screen locked really frustrating esp
if their desk in a remote area - I was given enterprise admin rights within
the first day of my contract by the Desktop Support Supervisor in this
bank - the "Office Automation Manager" who just basically oversees the
running of the dept knows a lot about scripting is usually MCSE drinks lots
of coffee and goes to lots of meetings advised against this - he would
wouldn`t he ?

There was so much crap to do and often people just nipped out that on a few
occasions I got so fed up with the hold ups that I took the risk and logged
people out when they`re machine was in a locked state just to install some
little thing that needed doing in order to clear the helpdesk workload. We
also used to use VNC on the network to remote control machines in order to
install things one time I accidently remote controlled a senior IT persons
machine in another building he was pretty surprised when he saw his mouse
pointer moving by itself and enquired about the security.

Of course there was none our side of the network routed to theirs with no
firewalling or anything and therefore we could install VNC with a remote
install script anytime we wanted - of course when said senior IT person
phoned the office automation manager of the dept I was working for to
enquire about this - there was some red faces I got a ticking off.

From then on my relationship with the top man went downhill and it got a bit
silly. It was a situation where the left hand didn`t know what the right arm
was doing and I was caught in the middle - my contract wasn`t extended after
3 months...
 
What about 3rd party software that lays on top of the CTL+ALT+DEL screen that
only I know the password to? This would, obviously, have to come up on a hard
boot as well in the event this was tried.
 
Mark said:
What about 3rd party software that lays on top of the CTL+ALT+DEL screen that
only I know the password to? This would, obviously, have to come up on a hard
boot as well in the event this was tried.

The idea of CTRL+ALT+DEL is that nothing else can sit on top of it. Allowing
such an application would compromise security. AFAIK, Windows NT and upwards
would never support such a piece of software.

JW
 
Mark said:
What about 3rd party software that lays on top of the CTL+ALT+DEL screen that
only I know the password to? This would, obviously, have to come up on a hard
boot as well in the event this was tried.

I know the type of software your thinking of - it encryptes the hard drive
and at boot up your prompted for a password in order to load the operating
system - this is so that if the hard drive is removed it cannot be put into
another system and the information extracted.

However once you`ve entered the password prior to the operating system being
loaded thats it authentication check passed - its main purpose is too
encrypt the hard drive in case its removed and this can only happen when the
system is off obviously.

Just try to save your work before leaving your workstation in future.
 
The idea of CTRL+ALT+DEL is that nothing else can sit on top of it. Allowing
such an application would compromise security.

I see it as an enhancement to security. How would it compromise it as long as
an administrator installed the software ?
AFAIK, Windows NT and upwards
would never support such a piece of software.

Dunno, but that would be a shame.
 
Greetings --

The computer belongs to your employer, not you. Deal with it.

Bruce Chambers

--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
I had this happen to me today and It's f-ing annoying !!!

I had a pile of apps open and locked my workstation only to come back to my
desk and find out that some admin force me out so he could log in to install
some useless crap. This is on a domain network, so I can't just change the
admin password since there are countless ids with admin rights.

I couldn't find anything obvious in secpol.msc

Speaking from an admin perspective...stop your whining.

There are times when patches have to be applied. I can't tell you how
many times our IT department announced we'd be doing upgrade patches
in XX office on such-and-such date around XXX-XXX time frame. We'd
get there and find computers locked, or somebody sitting there telling
you "wait a minute" and they keep saying that for 40 minutes...the
list goes on.

We finally just gave up and announced that when we say we are coming
to do our work, we are going to do our work. If you have your
terminal locked and are nowhere around, you better have any work saved
because we are kicking you off. If you are on the terminal and refuse
to leave, a call to the administrator fixed it - they took over the
machine remotely and logged the user off (to their very shocked look,
I might add - and it was very satisfying to me to see that shocked
look).

What may be "useless crap" to you may be vital security patches or
software that MUST be there for a reason YOU may not understand. Get
over it, and any time you leave/lock your terminal, SAVE whatever you
are working on it - or count on it being gone when you get back.
 
IBM laptops had, probably still have this. I had a system board die on one
of my engineering users. We replaced the motherbaord and walla, the system
wouldn't boot. I forget the exact details, but I know we called IBM and the
only solution was to replace the hard drive. When we asked about retrieving
the data on the drive, we were told that there was positively, absolutely,
without a doubt in the universe, no way of doing so. The user lost years of
work as he was stupid enough to not use his network home directory to back
his data up to. After that, our MIS team went around to *all* systems and
removed the passwords. We also sent out notices on a monthly basis
explaining the method of how to backup their data either on our external zip
drive or by using the network home directories.

--
Posted 'as is'. If there are any spelling and/or grammar mistakes, they
were a direct result of my fingers and brain not being synchronized or my
lack of caffeine.

Mike Brearley
 
I had this happen to me today and It's f-ing annoying !!!

I had to do critical updates on a users PC and he had a
pile of apps open and he locked workstation and I had no
idea where he was or when he would be back and neither did
anyone else in the office, so I had to force him out so I
could do my f-ing job.

Some users think they own the equipment and can do whatever
they want with it. Won't they be soon surprised at the new
software we will be using to scan all the PCs on the Domain
for all the useless crap the users keep installing.
 
Lock the machine in a secure closet and disable remote admin.
 
IBM laptops had, probably still have this. I had a system board die on one
of my engineering users. We replaced the motherbaord and walla, the system
wouldn't boot. I forget the exact details, but I know we called IBM and the
only solution was to replace the hard drive. When we asked about retrieving
the data on the drive, we were told that there was positively, absolutely,
without a doubt in the universe, no way of doing so. The user lost years of
work as he was stupid enough to not use his network home directory to back
his data up to. After that, our MIS team went around to *all* systems and
removed the passwords. We also sent out notices on a monthly basis
explaining the method of how to backup their data either on our external zip
drive or by using the network home directories.

We're moving off-topic here. Boot-up stuff prevents an unauthorized
person from even starting the OS. The OP wants something that sits on
top of the "This computer is locked..." screen, which would have to be
running AFTER the OS has started.

To the OP: unless you bought this computer, and brought it in with
you to work (with your LAN administrator's permission, I hope), then
the system you are using belongs to your employer. They have the
right to do whatever they deem is necessary to keep it running,
patched, and as reasonably secured against intrusion as possible.

So, IOW, shut up and live with it.
 
NobodyMan said:
We're moving off-topic here. Boot-up stuff prevents an unauthorized
person from even starting the OS. The OP wants something that sits on
top of the "This computer is locked..." screen, which would have to be
running AFTER the OS has started.

To the OP: unless you bought this computer, and brought it in with
you to work (with your LAN administrator's permission, I hope), then
the system you are using belongs to your employer. They have the
right to do whatever they deem is necessary to keep it running,
patched, and as reasonably secured against intrusion as possible.

So, IOW, shut up and live with it.

I agree completely with the 'shut up and live with it.' End users can't
imagine our frustration when we go to their systems to patch it and they've
locked their computer. Lets take into account the blaster virus. How many
of us had to run around all over the place to install the microsoft patch on
systems? How many of us found a few locked computers with no user around or
to be found? The patch *had* to be installed as one infected computer could
cause all sorts of problems on the network, so more than likely you booted
the user out and did what needed to be done. I set it up to run in a logon
script and informed my users to reboot, I was constantly running scans to
see who the straglers were that refused to reboot and install it. I then
visited them, told them to save their work (if they were there, otherwise
saved it for them or booted them off if their system was locked). We do
what we need to do.

As far as my getting off topic, I just figured I'd give a peice of info that
was related to the post I replied to. Off topic or not, I would have been
greatful if I had that knowledge before a system board died in an IBM laptop
that had an admin password set on it.

--
Posted 'as is'. If there are any spelling and/or grammar mistakes, they
were a direct result of my fingers and brain not being synchronized or my
lack of caffeine.

Mike Brearley
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Back
Top