Thomas M.

We have something of a conundrum that we have been struggling with. We have
two machines that are attached to projectors so that we can project network
status information up on our wall. These machines run 24/7 and are
configured so that there is no screen saver and the monitor never powers
down (so the critical network data is ALWAYS displayed). For these two
machines we have two login choices:

1) Login using our individual accounts.
2) Login using a shared account.

It seems to me that both are somewhat problematic. If we login using our
individual accounts then there is the possibility that people could do
harmful things under the logged in user account, which could potentially get
the owner of that account into hot water unfairly. Other employees could
also gain access to shared network resources that are mapped for the logged
on user account, which in many cases will be resources that not everyone is
authorized to access. With bathroom breaks, lunch, and meetings it is
impossible for the account owner to be in the room at all times to make sure
such things do not happen, so we are stuck with this situation.

If we use a shared login account then it becomes more difficult--and maybe
impossible in some cases--to determine who did what on the network.

So this morning I did some brainstorming on how we might have the best of
both worlds, and I wanted to run the idea by the people who frequent this
newsgroup. I thought that we could start with a shared account and
configure the auto login option. Once the desktop comes up a special
program would kick in and display a custom login dialog. The program would
disable the CTRL+ALT+DEL key combination, the mouse, and the Start menu (so
the user could not get around the process by going to the Task Manager and
ending the task), and it would also prevent the user from changing the
active window. There might need to be some other things locked down as
well, like the Run box, but basically the user would be forced to enter a
valid AD account and password. Once the requested information has been
supplied the program would log it to a file along with the date and time,
and the log file itself would be encrypted and inaccessible to users.
Everything that was locked down (CTRL+ALT+DEL, mouse, etc.) would then be
unlocked and the user would be free to work on the machine as necessary.

That would allow us to reap the benefits of having a common login on those
machines, while still having an electronic record of who actually logged in.

Is this idea something that could be done as I'm conceptualizing? Is there
an easier way to achieve our goal of recording who logs in without having to
use individual accounts?

Thanks for any insight that you may be able to offer.

--Tom