
'Screen Pass Only' Administrators
Screen Pass Version 6.8 User Guide

Admin Override for "Screen Pass Only" Administrators

There are several ways to define users who can serve as administrators for unlocking purposes only.

Microsoft Networks
To define Screen Pass only administrators on Microsoft networks you can:

Create a domain group named 'Screen Pass'.  Adding users to the group enables them to unlock workstations for all other users in the domain. The group should be of local scope.

-OR-

Create 'paired groups' where one group contains a list of users and the other group contains a list of IDs that can unlock workstations of users in the first group. The groups should be of local scope. These 'paired groups' must follow a specific naming convention so they can be recognized and interpreted by Screen Pass. One group must have the suffix _SPAdmins and the other group must have the suffix _SPUsers. The group names prior to the suffix must match, e.g.:

Accounting_SPAdmins
    and
Accounting_SPUsers

-OR-

Create an Active Directory extended right named "Screen Pass unlock" and assign trustees based on this right using Active Directory Users and Computers. This right can be added to or removed from your directory using the "Extended Right Utility" installed with the Screen Pass Admin Tools.

[Note this is not a true change to your Active Directory Schema, just an extended right].

After the extended right has been added to your Directory, the Security tab for a user or container will look like this:

Notice the addition of the "Screen Pass unlock" right.  In this example, the users in the HelpDeskPersonel group, the trustees, have been granted the right to unlock login sessions for the user object Joe Smith.

The Screen Pass unlock right can be assigned to user objects or computer objects. It can also be assigned to container objects so that trustees can be created for all users or computers in the container. As with other ADS rights, the "Screen Pass unlock" right is inheritable.

For Screen Pass to make use of the extended right, the "Enable Active Directory Admin Override Extensions" policy must be enabled so that Screen Pass can detect ADS. If the policy is enabled, the user name in the Password dialog will be displayed in ADS style format. See the discussion of the Main Password Dialog for more information.

Novell Networks
To define Screen Pass only administrators under Netware you can:

Create a group named 'ScreenPass' in any context.  Adding users to the group enables them to unlock workstations for other users in the context.

-OR-

Create 'paired groups' where one group contains a list of users and the other group contains a list of IDs that can unlock workstations of users in the first group. These 'paired groups' must follow a specific naming convention so they can be recognized and interpreted by Screen Pass. One group must have the suffix _SPAdmins and the other group must have the suffix _SPUsers. The group names prior to the suffix must match and the groups must be in the same context, e.g.:

Accounting_SPAdmins
    and
Accounting_SPUsers

The user objects added to the groups can reside outside the context.

Local Workstation Logon Sessions
To define Screen Pass only administrators for local logon sessions: 

Create a local workstation group named "Screen Pass". Adding users to the group enables them to unlock the workstation for locally logged in users.

-OR-

Create "paired groups" of users on the local workstation following the naming convention described above for Novell.
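Because unlock authority here is granted purely by group name, it is worth auditing which groups currently match the convention. The following is an added example, not part of the Screen Pass guide or product: a Python audit over an exported group listing that resolves the 'Screen Pass' / 'ScreenPass' group and the _SPAdmins / _SPUsers pairs, and flags suffixed groups with no partner. The function names, the sample listing, and case-insensitive name matching are assumptions; the extended right and Novell context scoping are not modelled.

```python
from collections import defaultdict

# Group names from the guide: 'Screen Pass' (Microsoft/local), 'ScreenPass' (Novell)
BLANKET_GROUPS = {"screen pass", "screenpass"}
ADMIN_SUFFIX, USER_SUFFIX = "_spadmins", "_spusers"


def audit_unlock_groups(groups):
    """groups: dict of group name -> iterable of member IDs (an exported listing).

    Returns (blanket_admins, pairs, orphans):
      blanket_admins - members of the 'Screen Pass' / 'ScreenPass' group
      pairs          - base name -> {"admins": set, "users": set}
      orphans        - suffixed groups whose partner group is missing
    """
    blanket = set()
    halves = defaultdict(dict)  # base -> {"admins": (name, members), "users": ...}
    for name, members in groups.items():
        key = name.lower()  # assumption: names are compared case-insensitively
        if key in BLANKET_GROUPS:
            blanket |= set(members)
        elif key.endswith(ADMIN_SUFFIX) and len(key) > len(ADMIN_SUFFIX):
            halves[key[:-len(ADMIN_SUFFIX)]]["admins"] = (name, set(members))
        elif key.endswith(USER_SUFFIX) and len(key) > len(USER_SUFFIX):
            halves[key[:-len(USER_SUFFIX)]]["users"] = (name, set(members))

    pairs, orphans = {}, []
    for base, found in halves.items():
        if len(found) == 2:
            pairs[base] = {role: members for role, (_, members) in found.items()}
        else:
            orphans.extend(name for name, _ in found.values())
    return blanket, pairs, sorted(orphans)


def who_can_unlock(user, blanket, pairs):
    """IDs allowed to unlock `user`'s workstation under the group rules."""
    allowed = set(blanket)
    for pair in pairs.values():
        if user in pair["users"]:
            allowed |= pair["admins"]
    return allowed


# Constructed sample listing; only the Accounting pair names come from the guide.
SAMPLE = {
    "Screen Pass": ["helpdesk1"],
    "Accounting_SPAdmins": ["amgr"],
    "Accounting_SPUsers": ["alice", "bob"],
    "Sales_SPAdmins": ["smgr"],  # no Sales_SPUsers partner: reported as orphan
    "Domain Users": ["alice", "bob", "carol"],
}
```

Run it against a fresh export whenever group creation rights change, and review any new pair or orphan it reports.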

Brandon Hill