Restore Administrative Unlock to Windows 7 - Fri, Oct 4 2013
You might object that we have fast user switching. Very true, but that doesn’t log off the user, which may be exactly what you want to do in order to perform admin tasks on the local machine. You may also have a mix of machines, some with fast user switching enabled and some without.
Administrative Unlock in Windows 7
I found a solution to the problem in the TechNet forum where Oliver Friewald created a DLL that allows you to restore Administrative Unlock in Windows 7. Follow the steps below to deploy the Administrative Unlock feature in your network through Group Policy.
Step 1 - Download Administrative Unlock DLL
Download the required files.
This is the author’s public SkyDrive, and a huge thanks to him for producing this tool.
You only need the two AdministrativeUnlock.dll files in their respective x86 & x64 folders. Copy these folders to a network distribution share.
Step 2 - Create the Group Policy Object
Create a new Group Policy object and give it a descriptive name. I called mine “Install Administrative Unlock Feature.”
Administrative Unlock Feature Group Policy Object
Right click on the object, select Edit and navigate to Computer Configuration > Preferences > Windows Settings > Files.
Click in the white space and choose File > New.
It should look like this when you are done:
File deployment with Group Policy Preferences
Source file is the UNC path to where you have stored the DLL files.
Destination File should be %systemroot%\system32\administrativeunlock.dll
There is a different DLL version for x86 and x64, so you will need to target your GPO, either using item level targeting from the “Common” tab as shown below, a WMI filter, or any other method of your choosing.
GPO item level targeting
Step 3 - Create the Registry entries
We also need to push some Registry entries out to the client machines and we’ll do that using Group Policy Preferences. We can use the same GPO as for the DLL.
Navigate to Computer Configuration > Preferences > Registry.
Right click in the white area and choose New > Registry Item.
There are four entries that need to be made.
Key 1
Action: Create
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B986C180-0798-4DF5-A611-A1991AA890B9}
Value Name: Click in Default checkbox
Value Type: REG_SZ
Value Data: AdministrativeUnlock
Key 2
Action: Create
Hive: HKEY_CLASSES_ROOT
Key Path: CLSID\{B986C180-0798-4DF5-A611-A1991AA890B9}
Value Name: Click in Default checkbox
Value Type: REG_SZ
Value Data: AdministrativeUnlock
Key 3
Action: Create
Hive: HKEY_CLASSES_ROOT
Key Path: CLSID\{B986C180-0798-4DF5-A611-A1991AA890B9}\InprocServer32
Value Name: Click in Default checkbox
Value Type: REG_SZ
Value Data: AdministrativeUnlock.dll
Key 4
Action: Create
Hive: HKEY_CLASSES_ROOT
Key Path: CLSID\{B986C180-0798-4DF5-A611-A1991AA890B9}\InprocServer32
Value Name: ThreadingModel
Value Type: REG_SZ
Value Data: Apartment
Your Registry items should now look like this:
Registry entries for Administrative Unlock
Step 4 - Apply the GPO
Now apply the GPO to a test machine or two. This can be done by replacing the “authenticated users” from the security filtering of the object with your test security group.
To unlock the computer, click the “Other Credentials” button, select “Administrative Unlock”, and enter your admin credentials to log off the user.
Unlock Windows 7
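As an added example (not code from the original post or from the DLL’s author), the PowerShell script below reproduces on a single test machine what the GPO in Steps 1 to 3 pushes out: it copies the DLL that matches the OS bitness and creates the same four registry items, then checks that everything landed. The distribution share path is an assumption; run it elevated.

```powershell
# Added example: local equivalent of the GPO deployment described above.
# Assumption: $SourceShare holds the x86\ and x64\ folders from Step 1.
param(
    [string]$SourceShare = '\\fileserver\deploy\AdministrativeUnlock'   # assumed path
)

$Clsid = '{B986C180-0798-4DF5-A611-A1991AA890B9}'   # CLSID from the post
$Arch  = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
$Dest  = Join-Path $env:SystemRoot 'System32\AdministrativeUnlock.dll'

# The four registry items from Step 3, with the same hives, paths and values.
# HKCR: is not a default drive, so the Registry:: provider path is used.
$Entries = @(
    @{ Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\$Clsid";
       Name = '(default)';      Value = 'AdministrativeUnlock' },
    @{ Path = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid";
       Name = '(default)';      Value = 'AdministrativeUnlock' },
    @{ Path = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32";
       Name = '(default)';      Value = 'AdministrativeUnlock.dll' },
    @{ Path = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32";
       Name = 'ThreadingModel'; Value = 'Apartment' }
)

function Install-AdministrativeUnlock {
    # Step 1/2 equivalent: the DLL must match the OS architecture.
    $src = Join-Path $SourceShare "$Arch\AdministrativeUnlock.dll"
    Copy-Item -Path $src -Destination $Dest -Force

    # Step 3 equivalent: create each key if missing, then set the REG_SZ value.
    foreach ($e in $Entries) {
        if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        Set-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -Type String
    }
}

function Test-AdministrativeUnlock {
    # Returns $true only when the DLL is present and all four values match.
    $ok = Test-Path $Dest
    foreach ($e in $Entries) {
        $actual = (Get-ItemProperty -Path $e.Path -ErrorAction SilentlyContinue).$($e.Name)
        $ok = $ok -and ($actual -eq $e.Value)
    }
    return $ok
}

Install-AdministrativeUnlock
if (Test-AdministrativeUnlock) { 'Administrative Unlock registered' }
else { Write-Warning 'Registration incomplete; compare the keys against Step 3' }
```

Test-AdministrativeUnlock is also a convenient check to run on machines after the GPO has applied, since a credential provider that is registered but whose DLL is missing (or the wrong bitness) simply never appears on the logon screen.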
Why not log on as the administrative user and log them off (from Task Manager’s Users tab)?
If Fast User Switching is disabled, only the currently logged in user can log into the console. The Administrative user can’t even type in a username, let alone log in to force the user out. The actively logged in user must log in and then log out.
The only three methods I’m aware of to log the user out are: hard reset the computer, log in over Remote Desktop, or use some type of remote command like shutdown.exe to log the user off.
I’m trying this and in the “targeting” section, we are using Windows 7 Professional, and that is not an option in the targeting Operating Systems, any thoughts what the best choice would be?
Thanks!
WMI filters are your best bet for applying this policy at the GPO domain level. By implementing WMI filters you can target only the intended operating systems.
We have used this at my organisation; however, it would appear that it stops other GPOs being deployed to machines after this has applied.
This worked great until I made a GP change that broke it. I now get a 4625 event in the event log for the user, with status code 0xc000015b and the message “The user has not been granted the requested logon type (aka logon right) at this machine”. What right or logon type does the administrative unlock utilize?
Also, should it work with domain admin accounts or only accounts that are in the local Administrator’s group?