Log-out first user on switch, 2003 vs 2008
I just migrated to Server 2008. On my old 2003 server I used to be able to lock the computer with the current account. I could then unlock the computer with the same account or an administrator account. This would essentially log off the locked account. I would then be free to log on with my account. The closest thing I can find is switch users, but there are some issues.

1) Anyone can switch users, whereas in the 2003 version only administrators could do this.
2) Switching currently leaves the first account actively running services that need to activate under the new account I am switching to.

Any suggestions on how to get back to the 2003 functionality of locking and unlocking with the administrator account?
May 5th, 2012 10:27am

Hello,

What are you trying to achieve exactly? If you are in an AD domain and you have a lockout policy, then use dsa.msc, go to the account properties and unlock it.

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
May 5th, 2012 10:38am

Did you migrate the computer to Win7 too? It seems to be a known issue with Win7 and Fast User Switching. The only way I have seen is to use Task Manager to close the session, or to use PsTools from Sysinternals this way:

    psshutdown \\RemoteSystem -o

Some threads about that:
http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/0a30a849-12bf-4366-b67b-554cfef31cc1
http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/767d6d66-ed5f-4d59-b629-267f3ea1dcba

MCP | MCTS 70-236: Exchange Server 2007, Configuring
May 5th, 2012 10:46am

> Any suggestions on how to get back to the 2003 functionality of locking and unlock with the administrator account?

Hello,

Are you talking about disabling the Fast User Switching mode of login?

Regards,
Ravikumar P
May 5th, 2012 10:54am

I am trying to reconstruct the same functionality as 2003. I know how to disable fast user switching with a domain policy. Without fast user switching there is no way to get onto a computer without rebooting if someone locks it. These are servers that can't be rebooted that often.

On 2003 one used to be able to lock the workstation. It could then be unlocked by the same user or an account with administrator privileges. Unlocking with an account other than the one that locked it would log off the old account and bring you to the log-in screen.

Switch user is close, but has issues. First, anyone can use switch user. This is not acceptable because we are locking the station to keep off non-admins. Secondly, when using switch user it does not log off the previous user, and they still have instances of processes running under them. When the new user logs on, duplicate processes are created.

What I want to be able to do is the following: lock a workstation, then be able to unlock it with only administrator accounts or the account that locked it. And if it is a different account, then the old account is logged off as if one did it from Start -> Log off.

If anyone knows how to implement one of the next two solutions, let me know. The server is an AD domain server, btw.

1) Use switch-user. Limit the users that can log into this computer, and when using switch user it mimics log off of the old account with regard to stopping processes started by the old account.
2) Having the option on the locked screen to log back in as the old account, or having an administrator account log off the account that locked the computer.

Another option would be to select which users can log on to the computer and tell everyone they can no longer lock it and must log off. I would then only allow admins to log in to this computer. How would this be accomplished?
May 5th, 2012 11:26am

Hi,

The issue you mentioned is a feature change introduced in Windows Vista, Windows Server 2008, and later versions of Windows.

In Windows XP, Windows Server 2003, and earlier versions of Windows, all services run in Session 0 along with applications. So it logs off the locked user account, and the new user logs on to Session 0. But this situation poses a security risk. In Windows Vista, Windows Server 2008, and later versions of Windows, the operating system isolates services in Session 0 and runs applications in other sessions. The first logged-on user gets session ID 1, the second logged-on user uses session ID 2, the third logged-on user uses session ID 3. So there is no need to log off the previously logged-on user.

> 1) Anyone can switch users, whereas in the 2003 version only administrators could do this.

Yes, since it needs privilege to log off the currently logged-on user. But for Windows 2008, a user logs on to a new session without affecting the administrator's session. We can't restrict normal users from logging on.

> 2) Switching currently leaves the first account actively running services that need to activate under the new account I am switching to.

After logon you can log off other users' sessions through Windows Task Manager.

> 1) Use switch-user. Limit the users that can log into this computer and when using switch user it mimics log off of the old account with regards to stopping process started by the old account.

Configure the security policy at Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment --> Allow log on locally: remove the users or groups you want to keep from logging on, or add them to the Deny log on locally policy.

> Another option would be to select which users can log onto to the computer and tell everyone they can no longer lock it and must log off.

Try the Remove Lock Computer policy. This policy prevents users from locking the system; the lock computer feature becomes unavailable. You can configure it at:

User Configuration --> Administrative Templates --> System --> Ctrl+Alt+Del --> Remove Lock Computer

For more information please refer to the following MS articles:

Impact of Session 0 Isolation on Services and Drivers in Windows
http://msdn.microsoft.com/en-us/windows/hardware/gg463353.aspx

Changes to Remote Administration in Windows Server 2008
http://blogs.msdn.com/b/rds/archive/2007/12/17/changes-to-remote-administration-in-windows-server-2008.aspx

Difference Between Log Off and Switch User Commands
http://support.microsoft.com/kb/279782

Lawrence
TechNet Community Support
May 8th, 2012 4:14am
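
Added example, not part of the original thread or any poster's own code: a PowerShell sketch of the "log off the other user's session" step from the reply above, done from the command line with the built-in quser and logoff commands instead of Task Manager. The function name ConvertFrom-QUser, the account names and the sample quser output are constructed for illustration; on a live server, replace $sample with the output of quser.

```powershell
# Parse `quser` text into objects so leftover sessions can be reviewed and logged off.
# ConvertFrom-QUser is a hypothetical helper name; the sample lines are constructed.
function ConvertFrom-QUser {
    param([string[]]$Lines)
    foreach ($line in ($Lines | Select-Object -Skip 1)) {   # skip the header row
        # SESSIONNAME is blank for disconnected sessions, so it is matched optionally.
        # A leading '>' marks the session of the user running the command.
        $pattern = '^(?<cur>[ >])(?<user>\S+)\s+(?:(?<name>[^\d\s]\S*)\s+)?(?<id>\d+)\s+(?<state>\S+)'
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                User        = $Matches['user']
                SessionName = $Matches['name']      # $null when the column is empty
                Id          = [int]$Matches['id']
                State       = $Matches['state']
                Current     = ($Matches['cur'] -eq '>')
            }
        }
    }
}

# Constructed sample: an admin on the console (session 1) and a second user
# left behind in session 2 after Switch User.
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>admin1                console             1  Active      none   5/5/2012 10:00 AM',
    ' operator1                                 2  Disc         1:05  5/5/2012 9:12 AM'
)

$sessions = ConvertFrom-QUser -Lines $sample      # live: ConvertFrom-QUser -Lines (quser)

# Every session except the caller's own is a candidate for logoff.
$sessions | Where-Object { -not $_.Current } | ForEach-Object {
    "Would log off session $($_.Id) ($($_.User), state $($_.State))"
    # logoff $_.Id      # uncomment to act; run from an elevated administrator prompt
}
```

The logoff call is left commented out so the script only reports which sessions it would end; logging a session off closes that user's running processes, which is the behaviour the original poster wanted from the 2003-style unlock.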

This topic is archived. No further replies will be accepted.
