Windows Thread, Allow staff to unlock workstations logged in as a student in Technical; No that won't work. that will just enable the shutdown button on the logon screen.
18th May 2008, 11:54 PM #16
No that won't work. that will just enable the shutdown button on the logon screen.
18th May 2008, 11:56 PM #17
No that's the problem with using a business OS in education i suppose if it was that easy for non admins then it would be a security concern.
Surely there is a way to allow standard users to unlock workstations using Windows
You say stopping students locking is not an option, why? If you don't mind me asking.
19th May 2008, 12:02 AM #18
Due the number of students wrecking others work. Students will often need to leave there computer. They say it’s a pain to log them off (I can’t blame them really) and will just leave them. We did originally have it set so they can’t lock them but due to popular demand from teachers, students and mainly SLT we allowed this.
To be honest its not to much of an issue us unlocking the workstations. Just would be more convenient for staff to be able to unlock them right away and more convenient for us not having to do it.
19th May 2008, 12:09 AM #19
We had the same issue but in the end it was easier to tell them to save and logoff (depends on how long it takes to logon where you are).
What about picking areas e.g. 6th form and using loopback to add staff users to the admins group, not ideal but it limits the security issue.
19th May 2008, 07:59 AM #20
Can you isolate the group of kids who are leaving their machines locked when they shouldn't (I'm guessing that you need some students to lock their machines but others are doing it out of badness or stupidity).
If so, you could have a group policy which applies to that group of users and prevents them from locking the machine. I'd guess the problem with this is that it happens only after the event and it doesn't stop "bad" pupils from locking the machines of "good" pupils etc.
the other thing I can think of is a web page which would allow a teacher to enter a machine name (or pick it from a list). The web page would use admin level credentials to connect to the machine and log it off.
19th May 2008, 09:09 AM #21
Can you not just tell the staff to keep the power button held in? I know I know, not good.
19th May 2008, 09:32 AM #22
If you delegate the permission for staff to change passwords: Change their password, make a note on their account, and when they come to get their password reset let them know why it was changed and tell them not to do it in the future!?
19th May 2008, 09:44 AM #23
Well reading through this thread I can see there being three options:
1. Although you said it wasn't an option, disallow users from locking their workstation altogether but just a screensaver (easiest option). Pupils should get in the routine of logging off.
2. Add the teacher group only to the local administrators group, however as I already mentioned anything unsaved is lost at logoff.
3. Take a look at delegating teachers control over administering pupil passwords. You could create a custom MMC snap-in although this is probably the most complex method.
Now although locking computers may be popular with pupils, I'm pretty sure the reason it's got out of control is you have loads of machines to unlock everyday (possibly). For the time and hassle involved option 1 would be the way to go, unless teachers are willing to have a go at option 3?
19th May 2008, 09:48 AM #24
How about creating a specific account teachers can use for this purpose?
19th May 2008, 10:07 AM #25
Sounds like a good plan so long as the password is kept secret.
Originally Posted by conehead
19th May 2008, 10:08 AM #26
I'm having a monday moment, how does that help?
3. Take a look at delegating teachers control over administering pupil passwords. You could create a custom MMC snap-in although this is probably the most complex method
Ah in responce to rob_f, i must of missed that post.
19th May 2008, 10:19 AM #27
Not a great way i know but what about an account just for this task, with admin rights and a script which runs in the background and logs the user off again should a member of staff try to log on with them/.
19th May 2008, 05:27 PM #28
Thats what i am trying to avoid
Originally Posted by mrforgetful
That is an option but then it will need reseting again
Originally Posted by rob_f
Good idea. i could either lock down the account, make it so it can't logon any computers (will this actually let them unlock the machine though) or i could create a script to log the right off as soon as they login.
Originally Posted by conehead
That will be the way forward if I canít manage to give teachers the right to unlock machies with there own credentials.
19th May 2008, 06:50 PM #29
19th May 2008, 07:11 PM #30
To be honest, you asked for a more Microsoft way of doing this... letting a "normal" user be able to unlock a desktop goes against the idea of having normal level accounts.
As far as I know, there is no true microsoft way to do what you ask.
If i had to solve this, my first concern would be to NEVER give any other users other than technical staff administrator access. Network nor local. you are just asking for trouble. Sure current staff may be trustful, but what if down the road one member of staff as a paddy or something?
Anyway, if I were to solve this, I'd create a program which would effectivly lock the desktop. Then a member of staff from their end would run another program which would speak to the first and unlock/log off.
But before all that, you need to decide something. Do you:
a) give teachers access to force a logoff but not allow them to simply unlock the user's desktop (this method is by far the most secure, but can result in lost work if it's not saved.)
b) give teachers access to unlock the desktop which would drop them back into the user's account. (This is by far the most insecure method. Personally, I wouldnt even think about it. You are still then depending on the member of staff to save that user's work).
Obviously I dont know anything about your site or situation. But please, for security reasons alone, considure the fact that all you need is one annoyed member of staff (or privileged user) to set the whole thing on fire. It's down to the common question. Security or convenience?
By indiegirl in forum How do you do....it?
Last Post: 16th March 2012, 01:17 PM
By rlculver in forum General Chat
Last Post: 29th June 2007, 10:56 AM
By richard in forum How do you do....it?
Last Post: 11th March 2006, 10:36 PM
By pete in forum School ICT Policies
Last Post: 6th March 2006, 10:24 AM
By mark in forum School ICT Policies
Last Post: 12th July 2005, 12:01 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)