system.login.screensaver> rule> "authenticate-session-owner-or-admin"
should just be >"authenticate-session-session-owner". So far this has
worked well. Good Luck!
Jim Bala over on the OS X admin list posted this earlier about the
screensaver.
http://discussions.apple.com/thread.jspa?threadID35793&tstart=0
Summary:
In 10.5: Admin can unlock anyone's screen saver.
In 10.6: Admin can unlock non-admin user's screen saver. Admin can
*not* unlock another admin's screen saver, regardless of what
/etc/authorization says. The file that controls this access is
/etc/pam.d/screensaver. /etc/authorization can override what the pam.d
file says but PAM overrides pretty much everything with respect to
authentication and authorization.
Regarding mucking-about with PAM stuff:
I can't stress strongly enough how important it is that you not mess
with PAM stuff without knowing precisely what you're doing and what
effect(s) your change(s) will have. And, whatever you do, make a backup
copy of any file you modify in /etc/pam.d -- before you make the
changes, of course. Do not log out of your admin account to test pam.d
changes -- use fast user switching or login remotely via ssh or ARD --
so you can undo your changes if they turn out to break something.
Breaking PAM can easily prevent anyone, including root, from logging in
and/or can make sudo unusable.
Just an FYI.
- JD
