How about creating scripts that run at logon and logoff for your maintenance account? The logon script can loop through the local admins group and remove everyone (minus some exceptions), and then the logoff script can re-add them.

From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Sorin Srbu
Sent: Friday, February 15, 2008 9:02 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop

Well, I've been kinda' thinking along the same lines, but the amount of small applets and specialised software we use is staggering, meaning I'm reluctant even to start this project. It's easier to just grant a little bit higher privs'.

It's like it happens on a regular basis, it's just very irritating *when* it happens and I need to look up this user in person and whatnot, basically I'm losing time.

Maybe I should just live with it... 8-}

_____

From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Sullivan, Glenn
Sent: Friday, February 15, 2008 2:53 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop

WinXP only supports one session at a time, so there's no way for both of you to log on.

But seriously, Jim hit the nail on the head. Make your users regular users, not power users, and use FileMon and RegMon to determine where the rights need to be granted for your software. Then they won't be able to log you off.

The only other thing I can think of would be to temporarily change the Local System policy for "Log On Locally" to only include admins while you are patching, but I'm not sure that's practical.

Glenn Sullivan, MCSE+I MCDBA
David Clark Company Inc.
_____

From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Sorin Srbu
Sent: Friday, February 15, 2008 8:22 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop

<grin> It might be thought to be offensive to use such a logon-name, besides I'm not sure they'd get the hint. 8-)

I can't limit my time, I work the same hours as the other people here.

I get logged off when the user on the remote computer logs on. This is WinXP and I usually logon to the console, so if the user logs on physically on the remote computer, I get logged off. The users on the other end are mostly Power Users as some software we run requires admin-rights and I don't like to give them that. Power User-privs usually works though, so that's what we use.

If I didn't logon remotely to the console, could the user logon while I'm still in a background session?

_____

From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Kenzig ThinHelp.com
Sent: Friday, February 15, 2008 2:13 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop

Change your admin login name to KeepyourgrimymittsoffuntilImdone ?

Seriously we limit logon times via AD until just 15 to 20 minutes prior to opening so that we can do maintenance. You might not be able to do that though. I'm not sure how the user is logging you off as admin though unless they have admin privs on their local desktop.

Jim

On Fri, Feb 15, 2008 at 4:27 AM, Sorin Srbu <sorin.srbu@xxxxxxxxxxxxx> wrote:

Hi,

It happens quite often that when I administer and/or fix remote workstations using RDP, the user comes back from wherever and logs on despite that the logon window says somebody else (me) is logged on at this moment with the result I'm being logged off in the middle of an update or some such.

Is there a way to prevent an admin/domain admin from being logged off from a rdp-session by a user with lower privs, eg power user?

TIA.
--
BW,
Sorin

# Sorin Srbu
# [Systems Engineer, Sysadmin]     Web: http://www.orgfarm.uu.se
# Dept of Medicinal Chemistry,     Phone: +46 (0)18-4714482 >3 signals> GSM
# Div of Org Pharm Chem,           Mobile: +46 (0)701-718023
# Box 574, Uppsala University,     Fax: +46 (0)18-4714482
# SE-751 23 Uppsala, Sweden        Visit: BMC, Husargatan 3, D5:512b
#
# ()  ASCII ribbon campaign - Against html E-mail
# /\
#
# Harmless tagline follows:
#
# At first there was nothing. Then God said 'Let there be light!' Then there was still nothing. But you could see it.

--
Jim Kenzig
Microsoft MVP - Terminal Services
http://www.thinhelp.com
Citrix Technology Professional
CEO The Kenzig Group
http://www.kenzig.com
Blog: http://www.techblink.com
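
The logon/logoff script pair suggested in the first message of this thread, sketched as an added example (not code posted by anyone on the list). Assumptions: Windows PowerShell 2.0 or later is installed, the local group has its English name `Administrators`, and the account name `maint-admin` and the path `C:\AdminOnly` are hypothetical placeholders.

```powershell
# Added example: one script for both events; run with -Mode Logon or -Mode Logoff.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Logon', 'Logoff')][string]$Mode,
    # Hypothetical exception list: accounts that stay in the group during maintenance.
    [string[]]$Keep = @('Administrator', 'Domain Admins', 'maint-admin'),
    # Hypothetical path; the folder must be writable by administrators only.
    [string]$StateFile = 'C:\AdminOnly\removed-local-admins.txt'
)

# Assumes the English group name; localized Windows installs use another name.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"

function Get-MemberPath {
    # Return the ADsPath (WinNT://DOMAIN/name) of every current member.
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

if ($Mode -eq 'Logon') {
    # Reuse entries from an earlier run whose logoff half never completed.
    $saved = @()
    if (Test-Path $StateFile) { $saved = @(Get-Content $StateFile) }
    foreach ($path in Get-MemberPath) {
        $name = ($path -split '/')[-1]
        if ($Keep -contains $name) { continue }
        # Record before removing, so an interruption never loses a member.
        if ($saved -notcontains $path) {
            Add-Content -Path $StateFile -Value $path
            $saved += $path
        }
        $group.Remove($path)
    }
}
else {
    if (-not (Test-Path $StateFile)) { return }
    $current = @(Get-MemberPath)
    $failed = @()
    foreach ($path in Get-Content $StateFile) {
        if ($current -contains $path) { continue }
        try { $group.Add($path) } catch { $failed += $path }
    }
    # Keep only the entries that could not be restored, for a later retry.
    if ($failed.Count -gt 0) { Set-Content -Path $StateFile -Value $failed }
    else { Remove-Item $StateFile }
}
```

The state file decides who is put back into the local Administrators group, so anyone who can write to it can grant themselves admin rights at the next logoff; keep it and the script in a location that only administrators can modify.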