Re: Custom Shell and Account Switching

From: KM (konstmor_at_nospam_yahoo.com)
Date: 12/23/04 

Date: Thu, 23 Dec 2004 11:12:31 -0800

Benjamin,

> I disagree with the auto-logon assessment.

You can easily test it on XP Pro and it works there :-)

> Else, the system would never
> be able to log back out and let the user choose a new username and
> password. The auto-logon function is there for boot-up only, from my
> experience.

Please remember about the value I mentioned a few times - ForceAutoLogon. You know what you are doing when you set the value.
Also, you can press Shift during Logon time to force Winlogon to show the Gina screen. 

-- 
 Regards,
        KM, BSquare Corp.
> So, I'm betting to get this function you will probably have to write
> some kind of GINA replacement that queries a system service for the new
> user to logon automatically.  This is sort-of a do-it-yourself fast user
> switching, but it doesn't do running two users' processes at the same
> time.  If you really need that kind of function, it's best to look at
> writing your own windows services to run in the background.
>
> Hope this helps.
> Regards,
> Ben Madsen
>
> Systems Engineer
> Massie Laboratories, Inc.
> http://www.massie-labs.com
>
> KM wrote:
> > Yaron,
> >
> > I see. Thanks for the clarifications.
> >
> > Yup, give it a try wtih Autologon. It may be what you were looking for (I used that similar way on some platforms here).
> >
> > KM
> >
> >
> >>Hi KM,
> >>
> >>I use local policies for limiting the user environment. for example, disable running the TaskManager. the local group policies
do
> >>not differs between user accounts like in a normal GPO in a domain- it is mandatory to everyone. when I login as an
Administrator
> >>I just block access to the GPO folder in windows using NTFS permissions. than, when the admin login it gets a full unlocked
shell.
> >>if I will launch the explorer without logging-off I will still have the policies effect.
> >>
> >>about the autologon- I need to test it. I might be wrong.
> >>
> >>the Techinician can enter the Settings Menu through a small "Settings" button which is secured by a password so that the user
> >>could not change the menu settings.
> >>
> >>thanks,
> >>
> >>YaronM
> >>
> >>"KM" <konstmor@nospam_yahoo.com> wrote in message news:OAinnpN6EHA.2876@TK2MSFTNGP12.phx.gbl...
> >>
> >>>Yaron,
> >>>
> >>>
> >>>>thanks for your suggestions. it seems that the FUS feature is not relevant in my case because it is not supported in a Domain
> >>>>environment.
> >>>>the reason why I can't run the Explorere shell using RunAs from the User logon is that I use local policies to disable the
user
> >>>>environment. therefore, the policies will effect the Explorer that I will execute.
> >>>
> >>>I am not clear what you meant here. How policies of your user account can affect Explorer that is launched under Admin account?
> >>>
> >>>
> >>>>I must do a full log-off and later logon again.
> >>>>the autologon feature will not help in this case because it is read by the system only on boot time and not after the system
> >>>>already booted, done auto-logon to the user and then logged-off.
> >>>
> >>>This is not true. The autologon settings are read on every "logon" even which also happens when you do a log off.
> >>>Please test it on target device to see how it works. (just make sure you don't forget to set ForceAutoLogon value).
> >>>
> >>>
> >>>>after re-thinking the situation, the limitation I have in the development is actually not a problem. I  will create another
> >>>>security-layer to the user and Admin, where:
> >>>>1. user works in a limited custom shell and can only operate application and turn-off the machine.
> >>>>2. a technical support technician can enter a "settings" menu where it can
> >>>
> >>>And how technician can enter (see) the Setting menu?
> >>>
> >>>
> >>>KM
> >>>
> >>>
> >>>>change a few settings of the user's custom-shell and can log-off the user to recieve the Ctrl-Alt-Delete logon screen. the
> >>>>Settings menu will only have a "save changes" button to commit the changes using the EWF.
> >>>>3. a network Administrator with the Administrator account password can enter the local Admin account using its credentials and
> >>>>recieve a full-featured Explorer Shell and the ability to enable/disable the EWF.
> >>>>
> >>>>thanks for your help.
> >>>>I hope my toughts will help someone else too.
> >>>>
> >>>>Cheers,
> >>>>
> >>>>YaronM
> >>>>
> >>>>"KM" <konstmor@nospam_yahoo.com> wrote in message news:OwMx9gM6EHA.4040@TK2MSFTNGP14.phx.gbl...
> >>>>
> >>>>>Yaron,
> >>>>>
> >>>>>Do you want to log in to the Administartor account automatically?
> >>>>>If so, you can play with Autologon settings to switch the user/password to Administrator account.
> >>>>>Also make sure that [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon],"ForceAutoLogon"="1"
> >>>>>
> >>>>>As soon as you logged on to Administator account, you can switch AutoAdmin setttings back to the User account.
> >>>>>
> >>>>>KM
> >>>>>
> >>>>>>Hi,
> >>>>>>
> >>>>>>I'm working on a custom shell for my XPe system (written in VB6).
> >>>>>>the system should automatically login to a limited-user account and run the shell.
> >>>>>>I need to add a button to the shell that when clicked will automatically log-off the current limited-user and login again as
> >>>>>>the administrator.
> >>>>>>I'm not sure how can it be done because the log-off process kills all running processes so that the batch/script can't
> >>>>>>continue to load the admin..
> >>>>>>I thought maybe I should somehow use the Fast-User-Switching feature for that purpose but I don't know how to do that.
> >>>>>>
> >>>>>>my main purpose of doing that is to create a secure working environment through a limited-user using a custom-shell, but
still
> >>>>>>allowing an Administrator
> >>>>>>to easily switch back to the Explorer shell without having to log-off and re-login.
> >>>>>>
> >>>>>>If you have any ideas or tips I would really appreiciate your help.
> >>>>>>
> >>>>>>thanks,
> >>>>>>
> >>>>>>YaronM