How to enforce locking workstation

>Installing software on all the company's computers (80ish)
>Notice about 1/2 are unlocked and unattended.
>Start asking people to lock their computer when they leave.
>Told one person a new policy is in the works to lock it when leaving the workstation.
>Literally like 1 minute later they left and forgot to lock.
>I change their background (windows default) to something odd and then lock it using gpedit.
>Their manager hears about it and isn't happy.
>Tells me I can't do that to his employees blah blah.
>Told him the idea behind it is to mess with their head and make users realize how important it is.
>He doesn't care, says it'll get me in trouble, blah blah, and told me not to change their background again.

So yea, HR is going to update our policy so people will have to lock their computers when they leave the workstation. They said I can't be doing things like what I did until the policy is updated. (I couldn't believe there isn't one already)

As for the manager and his employees, next time I'm setting the screen to landscape reversed. At least the background changing had 0 impact on productivity. ...What? He said don't change the background in his department so I'm not. He's not the one paying a $50,000 minimum fine if someone decides to take advantage of an unlocked computer. And I'll probably be the one having to explain it to corporate and the HHS what happened.

I can already see this'll stir up a storm. What are some better ways to enforce the new policy? I'm thinking about doing the background thing (but maybe not locking it) anyway.

sshd on some random high number port all of them.

i'm pretty sure you can enforce a locking screensaver via group policy

What is Group Policy, for $800, Alex?

But because you don't know what you're doing, you should be fired.

>the idea behind it is to mess with their head
Oh my god, please tell me where I can get paid to mess with people's heads.

don't do it man, the normies never understand this shit until their computers are swimming in malware and spinning horse cocks start appearing on the screen

Just make it automatically lock their computer if it's idle for 5 minutes.

For some really stupid reason all users have admin rights and corporate won't change it. They fixed that on new computers they send us, by making only select users admins, but that doesn't fix all the old computers we have. I can't fix it myself because they're on a domain and the controller won't let me make changes to the groups on individual computers. I can't make any changes to the domain.

Ultimately my question is how to enforce this (despite everyone being admins) without the nurses and managers/directors flipping their shit.
This is the way I see it going down as-is:
>Set policy in gpedit
>People bitch and moan for a while but get used to it
>Life's good for now
>One person figures out how to take it off
>Now everyone knows
>I go to set it back.
>Staff resists changes to the computer
>people get angry

Look what happened when all I did was change the background. That was the tldr version; there was a lot more crap he said. Imagine if I made actual changes, for all departments. It's like they all have no clue these computers are company assets or what HIPAA is. Also, IMO setting it to automatically lock isn't good enough. There are many times in a day I walk into an office to do something to the computer, but just happen to walk in RIGHT AFTER the user left (they never saw me, I never saw them), chair still warm and the screen saver never had a chance to start. They're usually gone long enough for me to do what I need and leave.

Get a job as IT and look for employees who forgot to lock their computer. Get creative (but not destructive) and go from there.

They're not paying me to look the other way.

>all users have admin rights and corporate won't change it
your job must be fun

pic related, you at work

In my company, you can be fired for leaving your workstation unlocked. You can also be fired for messing with an unlocked workstation. It's in your best interest to mind your own business or verbally mention something if you notice someone leave their shit unlocked if your company is similar.

Add a reminder that pops up every 10 minutes telling them to remember to lock their computer.

How fucking hard is it to put a fucking paper note near the monitor to lock it?

> I can't fix it myself because they're on a domain and the controller won't let me make changes to the groups on individual computers. I can't make any changes to the domain.
What the fuck is your point in the organization? If you cannot make changes to either local systems, or changes to a local controller for your domain, you're literally not a systems administrator. You're basically help desk. You have -NO- power. You either need to get Corporate to give you the power to make these changes, or report them for HIPAA violations. You DO get a snitchin' paycheck for it.

Also, you could definitely reformat these "older" PCs that have the fucked up user groups, and when you reattach them to the domain, they should be set straight. If HR/Management wants to know why you're wiping all the old PCs, tell them straight off: "Security settings on all older PCs put them at risk for ransomware. Like that attack that happened at that hospital in Hollywood. Yeah, the one where they got shut down for 2 weeks, had to transfer all patients, and lost 12 million dollars. We're not protected against that on older PCs. I'm starting this project to rectify that."

And truth be told, removing admin rights from users is the best thing you can do to prevent ransomware attacks...

This. I can't believe any enterprise doesn't have this.
My trick if I spot an unlocked workstation is to screenshot their desktop, set it as the wallpaper, hide icons and taskbar. Await call from retarded user. Hilarity ensues. Lesson (usually) learned.

You should be setting a domain policy, filtered to workstations and enforced.

I stand by my comment. You should be fired.

Tell them to fix their shit or leave and report. Collect them sweet government fees.

my boss encourages us to fuck with any unlocked & unattended workstations we find

changing the background mainly, that kind of thing

people lock their shit now

Has the user ever walked in on you when you were messing with their workstation?

pretty regularly, since people would walk out then remember what they'd done and come back pretty quickly to lock it

ITT: typical sysadmins

Trying to use technical workarounds, whereas the real problem (bad safety culture) is fixed by communication and awareness.
Try to spend some hours on convincing the right higher ups that they're at a huge business risk instead of gpedit

OP, What exactly is your position?
Why would HR be in charge of security policies in the first place? That's Information Systems territory.

Also this:

OP is the fall guy. He's only there to be blamed if there's a lawsuit.

Don't tell him.

It's not as bad as it sounds. They all seem pretty good about not fiddling with shit. What sucks is printers. One little hiccup and they go in the printers and devices panel and just hit random buttons or something. For some reason they're drawn to the printers. But yea, other than that, it's not so bad. ...yet...

My company is a little different. They told me to wait until the policy is actually effective and has been for a while before I start messing with people.

That'll get me even more shit than the actual policy, and rightfully so.

No way that actually works

>If you cannot make changes to either local systems
I can make changes on local systems, even the new ones. The problem is the domain controller won't let me take it away from everyone else on the old computers.

That's a good idea about formatting. I'll have to try it with a few and see how it goes.

Dumbass lol I know how to change the god damn policies. If you weren't a tard and could read you'd see I have no control over the domain. Why are you so quick to say I should be fired? Are you jealous I actually have a job in IT?

>people lock their shit now
Yup. It works. I was a victim of the background change twice when I used to work at ATT. It only takes 1-3 times before people get it. It's like you feel violated the 1st time it happens.

You're a goddamn hero is what you are.

Embarrassment and shame are a very effective motivator.

key cards
Log in with smartcards, and whenever they leave their computer they just remove the card, which is more natural to some people than CTRL+L.
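The smart card behaviour described in the post above has to be switched on per workstation; by default Windows takes no action when the card is pulled. The following PowerShell is an added example, not code from the thread, showing the two things that have to be true for card removal to lock the session: the Winlogon `ScRemoveOption` value and the Smart Card Removal Policy service (`SCPolicySvc`) actually running. The value `1` (lock) is the assumption here; run it elevated.

```powershell
# Added example (not from the thread): lock the workstation on smart card removal.
# This is the same value that the security option "Interactive logon: Smart card
# removal behavior" writes; setting it in a domain GPO is preferable to setting it
# by hand, but the check below works either way.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# ScRemoveOption is a REG_SZ: "0" = no action, "1" = lock workstation,
# "2" = force logoff, "3" = disconnect the Remote Desktop session.
Set-ItemProperty -Path $winlogon -Name 'ScRemoveOption' -Value '1' -Type String

# The registry value does nothing unless the Smart Card Removal Policy service
# is running; a machine with the value set but the service disabled will not lock.
Set-Service -Name 'SCPolicySvc' -StartupType Automatic
Start-Service -Name 'SCPolicySvc'

# Audit helper: reports whether removal actually enforces a lock on this host.
function Test-SmartCardRemovalLock {
    $opt = (Get-ItemProperty -Path $winlogon -Name 'ScRemoveOption' -ErrorAction SilentlyContinue).ScRemoveOption
    $svc = Get-Service -Name 'SCPolicySvc' -ErrorAction SilentlyContinue
    $running = ($null -ne $svc -and $svc.Status -eq 'Running')
    [pscustomobject]@{
        RemovalAction  = $opt
        ServiceRunning = $running
        Enforced       = ($opt -eq '1' -and $running)
    }
}

Test-SmartCardRemovalLock
```

If `Enforced` comes back false on a machine where the value is set, the service is the usual culprit; it is also worth remembering that the setting only helps on accounts that actually log in with a card, so users who still type a password get no benefit from it.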

>all users have admin rights
Lol

>they just remove the card
>implying

>For some really stupid reason all users have admin rights and corporate won't change it.

Leave. It is literally your arse on the line. Get the fuck out before the fire starts. Not even kidding.

Basically this OP. If the joint is too stupid to enforce globally recognised standards of IT security, you will never win, and you will burn yourself out fighting it. Time for a new job man.

>What exactly is your position?
It's a bit complicated. I suppose the best way to put it is part help desk, part admin, plus a little of this and a little of that. It's weird. Most other companies I worked at have clear-cut duties. This place is more.... stimulating, I guess.
When I said HR is making a new policy, I meant they're adding it to the employee handbook. It doesn't say anything about locking the workstation. I mentioned to them I've noticed a lot of computers were unlocked. They said they are aware and they're taking care of the managerial controls and leaving the rest to me.

>before the fire starts
That crosses my mind every so often.

The only reason I haven't yet is because this job pays well and has good benefits for how little work I do (literally sitting in my office 1/2 of the day doing whatever). Every once in a while, one of the corporate people gives me a little more power, and I'm hoping some day I get enough to remove all the other "admins". Actually the 1st time I asked them to remove admin rights from everyone else was when I was really new. I should try again.

So you're just a lazy fucker playing at being a sysadmin. Good to know this blog was pointless.

In last company I worked for it went like this
>New security policies introduced
>Not locking workstation results in severe fines for employee
>Someone leaves their workstation unlocked
>Some neighbour of that person uses said unlocked workstation to send an email as the workstation's owner to all people in team
>In said mail, he's inviting them for doughnuts that the owner will bring next Tuesday
>The owner has two choices: buy 30 doughnuts, or plead guilty of not locking his workstation
>Each time he leaves his workstation unlocked

Record was a person being "doughnuted" 3 times a day. Now he literally checks twice whether he locked his workstation before leaving the room.
Sometimes the mail was not about doughnut invitation, but asking if someone maybe has some medication for diarrhoea, or borrowing a penis pump before his next date.

Start raising shit to management or something

Put up HIPAA memes everywhere. That's what the healthcare mega corp I work for does. I honestly don't know how we don't get fined into bankruptcy with the amount of stupid shit I see everyday.

>HIPAA memes
wat

You've got to go the extra mile and rotate the screenshot 180º before setting it as the background then setting the GPU to rotate the output 180º so everything looks normal but the cursor control's all fucked up

One of my colleagues has resigned twice and asked if anyone stole his herpes cream from his desk. He took it to HR, who immediately issued two written warnings for failing to follow security process; they would have walked him on the spot because three violations, but they cut him some slack and held off on the full blitzkrieg.

Group Policy, OP. Group fucking Policy. It doesn't matter if the users have local admin rights either, you can still enforce the timeout lock and not let them override it. This is really basic shit and I suggest you ask your employer to send you to some training classes.
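Several posts in the thread (enforce a locking screensaver via Group Policy, auto-lock after 5 minutes idle, a domain policy filtered to workstations, and the post above) point at the same handful of settings. The PowerShell below is an added example, not code from the thread, that writes exactly the registry values those Group Policy settings write and then reads them back as an audit would. The 300-second timeout and the default `scrnsave.scr` are assumptions for the example; run it elevated. Two points a practitioner should keep in mind: the machine-wide `InactivityTimeoutSecs` value (the "Interactive logon: Machine inactivity limit" security option) locks the session regardless of anything in the user's profile, and anything set locally, whether by this script or by gpedit, can be undone by a local admin, whereas the same settings delivered from a domain GPO are reapplied at every policy refresh.

```powershell
# Added example (not from the thread): enforce an idle lock by writing the same
# registry values the Group Policy settings write, then verify them.
$timeoutSeconds = 300   # assumed 5-minute idle limit

# 1. Machine-wide: "Interactive logon: Machine inactivity limit" (Security Options).
#    Locks the interactive session after N seconds of inactivity, independent of
#    the user's own screen-saver settings. Lives under HKLM, so a standard user
#    cannot touch it; a local admin still can, which is why a domain GPO is better.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-Item -Path $sys -Force | Out-Null
Set-ItemProperty -Path $sys -Name 'InactivityTimeoutSecs' -Value $timeoutSeconds -Type DWord

# 2. Per-user policy keys (User Configuration > Administrative Templates >
#    Control Panel > Personalization). These correspond to the GPO settings
#    "Enable screen saver", "Password protect the screen saver",
#    "Screen saver timeout" and "Force specific screen saver". Because they sit
#    under the Policies hive, the Screen Saver dialog shows them greyed out.
$desk = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
New-Item -Path $desk -Force | Out-Null
Set-ItemProperty -Path $desk -Name 'ScreenSaveActive'    -Value '1'               -Type String
Set-ItemProperty -Path $desk -Name 'ScreenSaverIsSecure' -Value '1'               -Type String
Set-ItemProperty -Path $desk -Name 'ScreenSaveTimeOut'   -Value "$timeoutSeconds" -Type String
Set-ItemProperty -Path $desk -Name 'SCRNSAVE.EXE'        -Value 'scrnsave.scr'    -Type String

# 3. Audit helper: returns one row per check so it can be run across a fleet
#    (for example via Invoke-Command) and the failures filtered out.
function Test-IdleLockPolicy {
    param([int]$MaxSeconds = 300)
    $machine = (Get-ItemProperty -Path $sys -Name 'InactivityTimeoutSecs' -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $user    = Get-ItemProperty -Path $desk -ErrorAction SilentlyContinue
    $userTimeout = 0
    if ($user -and $user.ScreenSaveTimeOut) { $userTimeout = [int]$user.ScreenSaveTimeOut }
    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        MachineInactivityLimitOk = ($null -ne $machine -and $machine -gt 0 -and $machine -le $MaxSeconds)
        ScreenSaverActive        = ($user.ScreenSaveActive -eq '1')
        ScreenSaverSecure        = ($user.ScreenSaverIsSecure -eq '1')
        ScreenSaverTimeoutOk     = ($userTimeout -gt 0 -and $userTimeout -le $MaxSeconds)
    }
}

Test-IdleLockPolicy -MaxSeconds $timeoutSeconds
```

Run `gpupdate /force` (or just wait for the next refresh) after a domain GPO change and then use `Test-IdleLockPolicy` to confirm the values landed; the HKCU checks only reflect the currently logged-on user, so on a shared machine it is the HKLM inactivity limit that gives a reliable fleet-wide answer. As the OP notes, an idle timer still leaves a window between the user walking off and the lock kicking in, so this is a backstop for people forgetting, not a replacement for Win+L.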

When I first worked in a ghetto call center, there were no assigned seats. So everybody was fighting for a desk to work at. So if you didn't lock your computer, niggas would log you off.

I lock my shit ever since dealing with that crap. My current job will prank people who don't lock their machine. My current job has an autolock group policy.

Hire my firm and we'll scare the management shitless and they'll also need to justify the high fee they just paid us by doing things that are, get this, the actual law

>For some really stupid reason all users have admin rights and corporate won't change it. They fixed that on new computers they send us, by making only select users admins, but that doesn't fix all the old computers we have. I can't fix it myself because they're on a domain and the controller won't let me make changes to the groups on individual computers. I can't make any changes to the domain.

Nigga, fuck lockscreens- you need to sort that shit out. Take it to management and go through your HIPAA with all the shit you're at risk of right now.