Users logging off other users

[Guest]

I'm using a 2000 SP4 Server using XP SP2 Professional clients. When staff
logon, their desktop locks after 5 minutes of inactivity. A pupil however can
enter their username and password and force the staff user to logoff.

How can I enforce a policy whereby pupils cannot force a staff user to
logoff and that only an administrator or the user themselves can unlock the
workstation.

Staff and pupils are currently not part of the administrator group, but only
their own group and domain users.

Many thanks

 

[Steven L Umbach]

Exactly how are they causing the staff to logoff?? That would either require
local administrator credentials or they are simply rebooting the
omputers. --- Steve

 

[Guest]

Yes they are setup as local admins through the MMC console. This is so their
desktop appears correctly. Is there no way I can deny pupils to logoff staff?

 

[Curtis Clay III [MSFT]]

Hello Mike,

If your users are local admins they will be able to control the
workstations regardless of policy or other mitigations. You may need to
address the issue that causes thier desktops to not display properly if
they are not admins. We ca assist if you could provide more details.

What exactly does not display properly if they are not local admins?


This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Steven L Umbach]

As long as they are local administrators there will be no technical way to
prevent them to logging off other users. The solution would be to look at
ways to not make them local administrators. Often applications can have
permissions modified for ntfs or the registry to allow users to run non
Windows 2000 compliant applications. Maybe power users would also work for
the user? If there seems to be no way then implement a user policy that
restricts what a user can do. You can implement auditing of account
management and logon events to see exactly what users are doing what if you
need to enforce written user policy. If you do implement written user policy
have each user sign a copy for their files and give them a copy for their
personal possession. --- Steve

 

[Guest]

Thank you for both your replies! On a few workstations I moved the Student
group from local admins to local power users - and this did stop pupils
logging off locked staff workstations. However, the pupils desktop and start
menu is controlled via Folder Redirection in Active Directory to standardise
the appearance and applications available to pupils.

I have specified certain folders and shortcuts to appear and want pupils to
use the classic start menu. When I move the student group to the local power
users group, the start menu appears as the new XP one (just like Windows
Server 2003's start menu) and the incorrect icons are appearing on the
desktop.
By returning the student group back into local admins - the start menu and
desktop appear correctly. Many thanks!

 

[Steven L Umbach]

Hi Mike.

It sounds like you have permissions problems with folder redirection. Check
the permissions to make sure that the user has proper permissions to the
items in question. I have not used folder direction a lot - particularly
with start menu. You might want to post in the win2000.setup_deployment
group explaining your problem to see if anyone can help you over there with
correct permissions or other alternatives. . --- Steve