In Windows XP, if a user left themselves logged on to a PC, you could unlock the computer using admin credentials, which logged off the user so that you could perform admin tasks. This functionality is missing in Windows 7 and Windows 8. This article takes you through the steps necessary to deploy a nifty little DLL that restores it.

Ben Norcutt

Ben Norcutt is a Microsoft Certified IT Professional (MCITP) with 13 years' experience in IT administration in educational establishments.

You might object that we have fast user switching. Very true, but that doesn’t log off the user, which may be what you want in order to perform admin tasks on the local machine. You may also have a mix of machines, some with fast user switching enabled and some without.

Administrative Unlock in Windows 7

I found a solution to the problem in the TechNet forum where Oliver Friewald created a DLL that allows you to restore Administrative Unlock in Windows 7. Follow the steps below to deploy the Administrative Unlock feature in your network through Group Policy.

Step 1 - Download Administrative Unlock DLL

Download the required files.

This is the author’s public SkyDrive, and a huge thanks to him for producing this tool.

You only need the two AdministrativeUnlock.dll files in their respective x86 & x64 folders. Copy these folders to a network distribution share.

Step 2 - Create the Group Policy Object

Create a new Group Policy object and give it a descriptive name. I called mine “Install Administrative Unlock Feature.”

Administrative Unlock Feature Group Policy Object

Right-click the object, select Edit and navigate to Computer Configuration > Preferences > Windows Settings > Files.

Click in the white space and choose File > New.

It should look like this when you are done:

File deployment with Group Policy Preferences

Source file is the UNC path to where you have stored the DLL files.

Destination File should be %systemroot%\system32\administrativeunlock.dll

There is a different DLL version for x86 and x64, so you will need to target your GPO either using item level targeting from the “common” tab as shown below, a WMI filter or any method of your choosing.

GPO item level targeting

Step 3 - Create the Registry entries

We also need to push some Registry entries out to the client machines and we’ll do that using Group Policy Preferences. We can use the same GPO as for the DLL.

Navigate to Computer Configuration > Preferences > Registry.

Right-click in the white area and choose New > Registry Item.

There are four entries that need to be made.

Key 1

Action: Create

Hive: HKEY_LOCAL_MACHINE

Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B986C180-0798-4DF5-A611-A1991AA890B9}

Value Name: Click in Default checkbox

Value Type: REG_SZ

Value Data: AdministrativeUnlock

Key 2

Action: Create

Hive: HKEY_CLASSES_ROOT

Key Path: CLSID\{B986C180-0798-4DF5-A611-A1991AA890B9}

Value Name: Click in Default checkbox

Value Type: REG_SZ

Value Data: AdministrativeUnlock

Key 3

Action: Create

Hive: HKEY_CLASSES_ROOT

Key Path: CLSID\{B986C180-0798-4DF5-A611-A1991AA890B9}\InprocServer32

Value Name: Click in Default checkbox

Value Type: REG_SZ

Value Data: AdministrativeUnlock.dll

Key 4

Action: Create

Hive: HKEY_CLASSES_ROOT

Key Path: CLSID\{B986C180-0798-4DF5-A611-A1991AA890B9}\InprocServer32

Value Name: ThreadingModel

Value Type: REG_SZ

Value Data: Apartment

Your Registry items should now look like this:

Registry entries for Administrative Unlock

Step 4 - Apply the GPO

Now apply the GPO to a test machine or two. This can be done by replacing the “authenticated users” from the security filtering of the object with your test security group.

You can unlock the computer by clicking “Administrative Unlock” on the “Other Credentials” button. Then select “Administrative Unlock” and enter your admin credentials to log off the user.

Unlock Windows 7
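
Credential providers are loaded by the Windows logon UI and receive the credentials typed into them, so after the GPO applies it is worth confirming that each test client has exactly the DLL you staged and the four registry values from Step 3. The script below is an added example, not part of the original article or the DLL author's package; the share path is a placeholder, and Get-FileHash assumes PowerShell 4.0 or later on the client.

```powershell
# Added audit example, not part of the original article. Run on a client after the GPO has applied.
param([string]$Share = '\\SERVER\SHARE\AdministrativeUnlock')  # placeholder UNC path (assumption)

$clsid = '{B986C180-0798-4DF5-A611-A1991AA890B9}'
$cp    = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
# The four values from Step 3. Name '' means the key's default value.
$expected = @(
    @{ Key = "$cp\$clsid";                                    Name = '';               Data = 'AdministrativeUnlock' }
    @{ Key = "HKEY_CLASSES_ROOT\CLSID\$clsid";                Name = '';               Data = 'AdministrativeUnlock' }
    @{ Key = "HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"; Name = '';               Data = 'AdministrativeUnlock.dll' }
    @{ Key = "HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"; Name = 'ThreadingModel'; Data = 'Apartment' }
)

# Compare each registry value on this machine with what the GPO should have written.
$results = @(foreach ($e in $expected) {
    $key    = Get-Item -LiteralPath "Registry::$($e.Key)" -ErrorAction SilentlyContinue
    $actual = if ($key) { $key.GetValue($e.Name) } else { $null }
    $label  = if ($e.Name) { $e.Name } else { '(Default)' }
    [pscustomobject]@{ Check = "$($e.Key) [$label]"; Expected = $e.Data; Actual = $actual; Ok = ($actual -eq $e.Data) }
})

# A 32-bit PowerShell on 64-bit Windows is redirected away from System32, so use Sysnative there.
$is64  = [Environment]::Is64BitOperatingSystem
$sys   = if ($is64 -and -not ([Environment]::Is64BitProcess)) { 'Sysnative' } else { 'System32' }
$arch  = if ($is64) { 'x64' } else { 'x86' }
$local = Join-Path $env:SystemRoot "$sys\AdministrativeUnlock.dll"
$ref   = Join-Path $Share "$arch\AdministrativeUnlock.dll"

# Returns the SHA-256 of a file, or nothing if the file is missing.
function Get-Sha256([string]$Path) {
    if (Test-Path -LiteralPath $Path) { (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash }
}
$localHash = Get-Sha256 $local
$refHash   = Get-Sha256 $ref

# The installed DLL must be byte-identical to the copy staged for this architecture.
$results += [pscustomobject]@{
    Check    = "$local matches $arch copy on share"
    Expected = $refHash
    Actual   = $localHash
    Ok       = (($null -ne $refHash) -and ($localHash -eq $refHash))
}

$results | Format-List
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

A non-zero exit code means at least one check failed, for example a missing value, an x86 DLL on an x64 machine, or a DLL that differs from the staged copy.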


6 Comments
  1. Miguel Garrido 4 years ago

    Why not log on as the administrative user and log them off (from Task Manager's Users tab)?

    0

  2. Kyle Beckman 4 years ago

    If Fast User Switching is disabled, only the currently logged in user can log into the console. The Administrative user can't even type in a username, let alone log in to force the user out. The actively logged in user must log in and then log out.

    The only three methods I'm aware of to log the user out are: hard reset the computer, log in over Remote Desktop, or use some type of remote command like shutdown.exe to log the user off.

    0

  3. Frank 3 years ago

    I'm trying this and in the "targeting" section, we are using Windows 7 Professional, and that is not an option in the targeting Operating Systems, any thoughts what the best choice would be?

    Thanks!

    0

  4. ghowey 2 years ago

    WMI filters are your best bet for applying this policy at the GPO domain level. By implementing WMI filters you can target only the intended operating systems.

    0

  5. Aaron 2 years ago

    We have used this at my organisation; however, it would appear that it stops other GPOs being deployed to machines after this has applied.

    0

  6. Matthew Koundakjian 2 months ago

    This worked great until I made a GP change that broke it. I now get a 4625 message in the event log that the user with status code 0xc000015b and message "The user has not been granted the requested logon type (aka logon right) at this machine". What right or login type does the administrative unlock utilize?

    Also, should it work with domain admin accounts or only accounts that are in the local Administrator's group?

    0

© 4sysops 2006 - 2017
