Can i have a 'limited Administrator' for the purposes of unlocking workstations?

active-directory windows-server-2003

Solution 1:

As already explained, you do not need a domain admin to 'unlock' a computer, the user is only required to be a local administrator.

The best solution i think here is to automatically log out users that are idle for a certain period.
EDIT:

It's not a straight forward GPO and requires a bit of a kludge with modifying the windows screensaver. Here's what you do:

  1. Download the Windows Server 2003 Resource Kit Tools
  2. Copy the Winexit.scr out of the resource kit to the %systemroot%\system32 directory on each workstation
  3. Create a user GPO with the following settings: alt text http://img34.yfrog.com/img34/6015/mwsnap53020091124100617.jpg
- for screensaver executable name use:winexit.scr
- for screen saver time-out specify how log the idle time should be before logging out. This is in seconds.

Solution 2:

Adding the Domain accounts for your other tech assistants to the local Admins group on each PC should be all that's required.

Beware of unlocking though, as it will force the logged-on account to log off, close all their files, and potentially lose unsaved work. User education is really the only way.

Related

Will "init 1" from a remote (via VPN) ssh session kill my ssh connection
How to copy & move MySQL database
What is the quickest way to kill all sessions from a specified user in Oracle?
How can I create a read only Sql server 2008 account?
Which version of SunOS
If you're running a SaaS business, does the platform decision Linux or Windows really make a diff money wise?
Same command on multiple servers
How to find out if a Solaris machine is virtualized or not?
How can i sniff/dump HTTP protocol as ASCII for a port with tcpdump or altenative?
use SED recursively in linux?
CNAME record for Amazon S3 -- any drawbacks?
Is LDAP the only way to authenticate an web application against Active Directory?