Screen Pass Version 6.8 User Guide
Admin Override for True Administrators
Listed below are the ways that Screen Pass determines "true administrators" for unlocking purposes under various logon scenarios.
For domain logon sessions, Screen Pass checks that the proposed Admin ID belongs to the "Administrators" group in the authenticating domain. Nested groups are recognized, so all members of the "Domain Admins" group can unlock the workstation, because that group is included in the Administrators group. By default, Screen Pass will not recognize administrators whose authority is limited to containers within Active Directory. To activate this capability, you must configure the policy Enable Active Directory Admin Override Extensions. In addition, the Screen Pass extended right must be added to your directory. Users with administrator rights over a container automatically have Screen Pass unlock rights over the container as soon as the extended right is added. The Screen Pass Extended Right tool makes it simple to add the Screen Pass extended right to your directory or remove it.
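To review which accounts the domain check described above would accept, the following PowerShell is an added example, not part of Screen Pass or its guide. It assumes the RSAT ActiveDirectory module and a session in the authenticating domain; the function name Get-EffectiveAdministrators is hypothetical.

```powershell
# Added example: lists every user who reaches the domain's Administrators
# group through direct or nested membership, with the nesting chain.
# Assumes the RSAT ActiveDirectory module; the function name is hypothetical.
Import-Module ActiveDirectory

function Get-EffectiveAdministrators {
    param(
        # Well-known SID of the built-in Administrators group
        [string]$Root = 'S-1-5-32-544'
    )
    $seen    = New-Object 'System.Collections.Generic.HashSet[string]'
    $results = New-Object 'System.Collections.Generic.List[object]'
    $start   = Get-ADGroup -Identity $Root

    # Queue of groups still to expand, each with the chain that led to it
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@{ DN = $start.DistinguishedName; Path = $start.Name })

    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        # Skip groups already expanded: AD permits circular nesting
        if (-not $seen.Add($item.DN)) { continue }

        foreach ($m in Get-ADGroupMember -Identity $item.DN) {
            if ($m.objectClass -eq 'group') {
                # Nested group: expand it later, remembering how we got here
                $queue.Enqueue(@{
                    DN   = $m.distinguishedName
                    Path = "$($item.Path) > $($m.name)"
                })
            }
            elseif ($m.objectClass -eq 'user') {
                $results.Add([pscustomobject]@{
                    User = $m.SamAccountName
                    Via  = $item.Path
                })
            }
        }
    }
    # A user reachable through several chains appears once per chain
    $results | Sort-Object User, Via
}

Get-EffectiveAdministrators | Format-Table -AutoSize
```

The listing covers group membership only; administrators scoped to a container and enabled through the extended right are not included.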
For NDS login sessions, users with 'Supervisor Object Rights' over the user who is currently logged in can unlock the workstation. These rights can be viewed and modified with NWAdmin. By default, users with "Security Equivalence to Admin" have supervisor object rights over all users on the tree. When entering the Administrator ID, be aware that it is specified relative to the current context and follows the same syntax as the "CX" utility. Use a leading dot to indicate a fully qualified user name. Typed or typeless user names are acceptable.
Local Workstation Login
For local login sessions, members of the local workstation Administrator group can unlock the workstation.
Note: By default, Screen Pass does not allow local workstation administrators to unlock network login sessions. There is, however, a policy setting to allow for this capability. See the Local Administrator Option for more information.