hot potato workers
- 
 @dashrender said in hot potato workers: @jaredbusch said in hot potato workers: @dashrender said in hot potato workers: This also solves the Lastpass situation, as once it's setup under the shared user, it should just remain there. But it won't be logged in to the right user. Browser sessions won't be the right user. Just an all around bad idea. LP will be set to log out upon the browser closing - There's only so much I can do for the users - They have to log out of Outlook, they have to log out of athena - they need to close the browser or log out of LP... so that's really not a big concern in my mind. IF - IF they can log out those things.. this is not an issue. tons of places use shared computers with the full expectation that once you are done YOU will log out when finished to prevent the next person getting access to your crap. Force Edge to always use porn mode. That should help. 
- 
 @jaredbusch said in hot potato workers: @dashrender said in hot potato workers: @jaredbusch said in hot potato workers: @dashrender said in hot potato workers: This also solves the Lastpass situation, as once it's setup under the shared user, it should just remain there. But it won't be logged in to the right user. Browser sessions won't be the right user. Just an all around bad idea. LP will be set to log out upon the browser closing - There's only so much I can do for the users - They have to log out of Outlook, they have to log out of athena - they need to close the browser or log out of LP... so that's really not a big concern in my mind. IF - IF they can log out those things.. this is not an issue. tons of places use shared computers with the full expectation that once you are done YOU will log out when finished to prevent the next person getting access to your crap. Force Edge to always use porn mode. That should help. that helps as long as the browser is closed when the user is finished - 
- 
 Not done the comparison - but we use SecureDen.. The group (about seven of us) see the same thing, get MFA'd ... 
- 
 @jaredbusch said in hot potato workers: Force Edge to always use porn mode. That should help. Helpful Hint: Don't google: "Edge Porn Mode" 
- 
 @jasgot said in hot potato workers: @jaredbusch said in hot potato workers: Force Edge to always use porn mode. That should help. Helpful Hint: Don't google: "Edge Porn Mode" LOL... That so makes me want to. But No. Pass. 
- 
 @dashrender said in hot potato workers: @jaredbusch said in hot potato workers: @dashrender said in hot potato workers: @jaredbusch said in hot potato workers: @dashrender said in hot potato workers: This also solves the Lastpass situation, as once it's setup under the shared user, it should just remain there. But it won't be logged in to the right user. Browser sessions won't be the right user. Just an all around bad idea. LP will be set to log out upon the browser closing - There's only so much I can do for the users - They have to log out of Outlook, they have to log out of athena - they need to close the browser or log out of LP... so that's really not a big concern in my mind. IF - IF they can log out those things.. this is not an issue. tons of places use shared computers with the full expectation that once you are done YOU will log out when finished to prevent the next person getting access to your crap. Force Edge to always use porn mode. That should help. that helps as long as the browser is closed when the user is finished - Fixes the issues you raised, which are also user management issues. So simply make the policy close the fucking browser. 
- 
 @dashrender said in hot potato workers: I have a front desk area of 10 workstations that I need to allow these 10 workers and about 20 others to randomly log into any of these 10 stations and have full function. Each station has an insurance card scanner - software will only load for one profile at a time. I.e. if person 1 is logged in, then person 2 logs in while suspending (not logging off) person 1, the scanner won't work. The printers are based on front desk location, so it's workstation based, regardless of who logs in. Lastpass needs to be installed into Chrome and ready to go regardless of who logs into the PC. As already mentioned - as backup to sick front desk staff, a group of 20 or so can be assigned to fill in as needed, and they need the ability to do all functions from these computers as well. Because it's a medical shop - my users need the ability to lock their computers when they go to the bathroom - so I'm thinking a shared account likely isn't going to work. TL:DR entire thread, but why not disable fast user switching? That would force the user to have to log out if anything. 
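The two workstation settings suggested in this thread (forcing Edge into InPrivate mode and disabling fast user switching), written as an added example that is not part of any post. It assumes an elevated PowerShell session on each front-desk PC; the same registry values can be delivered through Group Policy instead.

```powershell
# Added example, not code from the thread. Run elevated.
$settings = @(
    # Hide the "Switch user" entry points so a second person cannot
    # start a parallel session while the first is only locked.
    @{ Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name  = 'HideFastUserSwitching'
       Value = 1 },
    # Edge policy: 0 = InPrivate available, 1 = disabled, 2 = forced.
    @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
       Name  = 'InPrivateModeAvailability'
       Value = 2 }
)

# Apply each value, creating the policy key if it does not exist yet.
foreach ($s in $settings) {
    if (-not (Test-Path -Path $s.Path)) {
        New-Item -Path $s.Path -Force | Out-Null
    }
    New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value `
        -PropertyType DWord -Force | Out-Null
}

# Read the values back so drift on any one station is visible.
$report = foreach ($s in $settings) {
    $item   = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($s.Name) } else { $null }
    [pscustomobject]@{
        Setting   = $s.Name
        Expected  = $s.Value
        Actual    = $actual
        Compliant = ($actual -eq $s.Value)
    }
}
$report | Format-Table -AutoSize

# Non-zero exit lets a deployment tool flag a non-compliant workstation.
if ($report.Compliant -contains $false) { exit 1 }
```

Edge keeps extensions off in InPrivate windows unless each one is allowed there, so check how the LastPass extension behaves before forcing this mode.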
- 
 @obsolesce said in hot potato workers: TL:DR entire thread, but why not disable fast user switching? That would force the user to have to log out if anything. Completely forgot about that. 
 Can a normal user force log off a logged on user if the screen is locked?
- 
 @jaredbusch said in hot potato workers: @obsolesce said in hot potato workers: TL:DR entire thread, but why not disable fast user switching? That would force the user to have to log out if anything. Completely forgot about that. 
 Can a normal user force log off a logged on user if the screen is locked?
 nope. 
- 
 @dashrender said in hot potato workers: @jaredbusch said in hot potato workers: @obsolesce said in hot potato workers: TL:DR entire thread, but why not disable fast user switching? That would force the user to have to log out if anything. Completely forgot about that. 
 Can a normal user force log off a logged on user if the screen is locked?
 nope.
 You could turn on auditing for logon/logoff events, then run a logoff script when the lock event triggers if that's an issue. 
- 
 @obsolesce said in hot potato workers: @dashrender said in hot potato workers: @jaredbusch said in hot potato workers: @obsolesce said in hot potato workers: TL:DR entire thread, but why not disable fast user switching? That would force the user to have to log out if anything. Completely forgot about that. 
 Can a normal user force log off a logged on user if the screen is locked?
 nope.
 You could turn on auditing for logon/logoff events, then run a logoff script when the lock event triggers if that's an issue.
 Lock is a normal event though when a user walks away and is coming back. Forcing a log off would be a huge productivity sink 
- 
 @obsolesce said in hot potato workers: @dashrender said in hot potato workers: @jaredbusch said in hot potato workers: @obsolesce said in hot potato workers: TL:DR entire thread, but why not disable fast user switching? That would force the user to have to log out if anything. Completely forgot about that. 
 Can a normal user force log off a logged on user if the screen is locked?
 nope.
 You could turn on auditing for logon/logoff events, then run a logoff script when the lock event triggers if that's an issue.
 Oh man - now that's an interesting idea... 
- 
 @jaredbusch said in hot potato workers: @obsolesce said in hot potato workers: @dashrender said in hot potato workers: @jaredbusch said in hot potato workers: @obsolesce said in hot potato workers: TL:DR entire thread, but why not disable fast user switching? That would force the user to have to log out if anything. Completely forgot about that. 
 Can a normal user force log off a logged on user if the screen is locked?
 nope.
 You could turn on auditing for logon/logoff events, then run a logoff script when the lock event triggers if that's an issue.
 Lock is a normal event though when a user walks away and is coming back. Forcing a log off would be a huge productivity sink
 Not if you look at the case above where I said that Lock is completely unusable because of the shared account. 
- 
 @dashrender said in hot potato workers: @jaredbusch said in hot potato workers: @obsolesce said in hot potato workers: @dashrender said in hot potato workers: @jaredbusch said in hot potato workers: @obsolesce said in hot potato workers: TL:DR entire thread, but why not disable fast user switching? That would force the user to have to log out if anything. Completely forgot about that. 
 Can a normal user force log off a logged on user if the screen is locked?
 nope.
 You could turn on auditing for logon/logoff events, then run a logoff script when the lock event triggers if that's an issue.
 Lock is a normal event though when a user walks away and is coming back. Forcing a log off would be a huge productivity sink
 Not if you look at the case above where I said that Lock is completely unusable because of the shared account.
 Yes, but what is the user impact to a log on event multiple times per day? Not saying it is the wrong solution, but this type of issue needs to be resolved around a solution that is the least impactful to user productivity while still meeting the security and technical requirements. 
- 
 @jaredbusch said in hot potato workers: @dashrender said in hot potato workers: @jaredbusch said in hot potato workers: @obsolesce said in hot potato workers: @dashrender said in hot potato workers: @jaredbusch said in hot potato workers: @obsolesce said in hot potato workers: TL:DR entire thread, but why not disable fast user switching? That would force the user to have to log out if anything. Completely forgot about that. 
 Can a normal user force log off a logged on user if the screen is locked?
 nope.
 You could turn on auditing for logon/logoff events, then run a logoff script when the lock event triggers if that's an issue.
 Lock is a normal event though when a user walks away and is coming back. Forcing a log off would be a huge productivity sink
 Not if you look at the case above where I said that Lock is completely unusable because of the shared account.
 Yes, but what is the user impact to a log on event multiple times per day? Not saying it is the wrong solution, but this type of issue needs to be resolved around a solution that is the least impactful to user productivity while still meeting the security and technical requirements.
 Of course it does - which is why I have this topic. I don't believe a shared account is anywhere near optimal. Ultimately I believe I'm going to have to create some scripts that will ensure all the required settings are in place whenever any user logs in. Of course - this will make a first time user (or a user after their profile has been removed) unhappy as they wait for the scripts to run. I already mentioned the things above I need to be there every time anyone logs into these computers... 
 specific printers based on location of front desk
 shortcuts to specific websites
 Lastpass installed and enabled in Chrome at least, Edge would be useful
- 
 I know that if users use typical domain logons, I can tweak the computers to not allow multi-user use. I.e. if a second person wants to log in, the first has to log out. So assuming I use a situation where everyone uses their own logons, this tweak would solve my local scanner issue. 
 Of course it will result in plenty of forced shutdowns because users lock the computer instead of logging off. I know I could force reboots overnight, and that would do the force logoff for me - 6 of one, half dozen the other for this point. 
- 
 @dashrender said in hot potato workers: I have a front desk area of 10 workstations that I need to allow these 10 workers and about 20 others to randomly log into any of these 10 stations and have full function. Each station has an insurance card scanner - software will only load for one profile at a time. I.e. if person 1 is logged in, then person 2 logs in while suspending (not logging off) person 1, the scanner won't work. The printers are based on front desk location, so it's workstation based, regardless of who logs in. Lastpass needs to be installed into Chrome and ready to go regardless of who logs into the PC. As already mentioned - as backup to sick front desk staff, a group of 20 or so can be assigned to fill in as needed, and they need the ability to do all functions from these computers as well. Because it's a medical shop - my users need the ability to lock their computers when they go to the bathroom - so I'm thinking a shared account likely isn't going to work. Just an idea but why not use scanners that support network scanning and don't need a PC? Having USB scanners is like having USB printers. Not great in a workgroup situation. 
- 
 @pete-s said in hot potato workers: @dashrender said in hot potato workers: I have a front desk area of 10 workstations that I need to allow these 10 workers and about 20 others to randomly log into any of these 10 stations and have full function. Each station has an insurance card scanner - software will only load for one profile at a time. I.e. if person 1 is logged in, then person 2 logs in while suspending (not logging off) person 1, the scanner won't work. The printers are based on front desk location, so it's workstation based, regardless of who logs in. Lastpass needs to be installed into Chrome and ready to go regardless of who logs into the PC. As already mentioned - as backup to sick front desk staff, a group of 20 or so can be assigned to fill in as needed, and they need the ability to do all functions from these computers as well. Because it's a medical shop - my users need the ability to lock their computers when they go to the bathroom - so I'm thinking a shared account likely isn't going to work. Just an idea but why not use scanners that support network scanning and don't need a PC? Having USB scanners is like having USB printers. Not great in a workgroup situation. Our EMR only supports USB based scanning today. We've begged them to enable network based TWAIN - but they currently intentionally disable it. 
- 
 @dashrender said in hot potato workers: @pete-s said in hot potato workers: @dashrender said in hot potato workers: I have a front desk area of 10 workstations that I need to allow these 10 workers and about 20 others to randomly log into any of these 10 stations and have full function. Each station has an insurance card scanner - software will only load for one profile at a time. I.e. if person 1 is logged in, then person 2 logs in while suspending (not logging off) person 1, the scanner won't work. The printers are based on front desk location, so it's workstation based, regardless of who logs in. Lastpass needs to be installed into Chrome and ready to go regardless of who logs into the PC. As already mentioned - as backup to sick front desk staff, a group of 20 or so can be assigned to fill in as needed, and they need the ability to do all functions from these computers as well. Because it's a medical shop - my users need the ability to lock their computers when they go to the bathroom - so I'm thinking a shared account likely isn't going to work. Just an idea but why not use scanners that support network scanning and don't need a PC? Having USB scanners is like having USB printers. Not great in a workgroup situation. Our EMR only supports USB based scanning today. We've begged them to enable network based TWAIN - but they currently intentionally disable it.  
- 
 @travisdh1 said in hot potato workers: @dashrender said in hot potato workers: @pete-s said in hot potato workers: @dashrender said in hot potato workers: I have a front desk area of 10 workstations that I need to allow these 10 workers and about 20 others to randomly log into any of these 10 stations and have full function. Each station has an insurance card scanner - software will only load for one profile at a time. I.e. if person 1 is logged in, then person 2 logs in while suspending (not logging off) person 1, the scanner won't work. The printers are based on front desk location, so it's workstation based, regardless of who logs in. Lastpass needs to be installed into Chrome and ready to go regardless of who logs into the PC. As already mentioned - as backup to sick front desk staff, a group of 20 or so can be assigned to fill in as needed, and they need the ability to do all functions from these computers as well. Because it's a medical shop - my users need the ability to lock their computers when they go to the bathroom - so I'm thinking a shared account likely isn't going to work. Just an idea but why not use scanners that support network scanning and don't need a PC? Having USB scanners is like having USB printers. Not great in a workgroup situation. Our EMR only supports USB based scanning today. We've begged them to enable network based TWAIN - but they currently intentionally disable it.  yep.. we've had two workgroup calls with them.. and about 20 people all begging them to turn it on.. stop manually blocking it! 




