I'm looking for a way to allow regular domain users to unlock locked
workstation, without granting them local admin permissions on the target
computer.
The workstations are being locked because of a screen saver and smart card
removal policy.
The computers OS are Windows XP and they're members of a Windows Server 2003
Active Directory Domain (Native mode).
Can this be done through GPO?

Thanks...

Amihai wrote:
> I'm looking for a way to allow regular domain users to unlock locked
> workstation, without granting them local admin permissions on the
> target computer.
> The workstations are being locked because of a screen saver and smart
> card removal policy.
> The computers OS are Windows XP and they're members of a Windows
> Server 2003 Active Directory Domain (Native mode).
> Can this be done through GPO?

Pretty much the policy would be worthless if anyone could unlock the
computer, so I do not believe there is a way to change it from the default
of "only the user or an administrator can unlock this workstation."

What you could do:

1) Setup an automatic logoff policy after an idle amount of time (we do this
after 20 minutes idle, you are logged off.)
2) Tell the users to restart any machine they are fairly certain no one is
at.

The problem is that either one of those has its drawbacks. We had to create
a special group for a certain level of student to allow for a longer grace
period due to renderings and such, so we had them run an application that
changed the time for them while logged on to 120 minutes. And still, if
some industrious and impatient student decides to reboot the PC, and that
person that WAS on it really was not done, *poof* anyway. It works out with
few incidents, however.. 40,000 potential users, 1,500 computers.

--
<- Shenan ->
--