Re: How to force a logoff in a logon script?




Hi Al,


I didn't rename explorer.exe or change it in any way. Windows has a registry key that governs which UI (explorer) will be presented
to the user; you can get a list of such applications here:

http://en.wikipedia.org/wiki/Desktop_shell_replacement


Anyway, it is similar to terminal services, where you can replace the shell for a terminal user. The registry key, "Shell", can be found under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

A similar key is available in the Current User hive.


The agreement application was also writing to a database, so "proof" can be pulled out anytime.
My requirements were not to disallow users from logging in; they were to verify that they know what they are doing and to write it to a database.
There isn't one way to achieve it; it really depends on your needs and requirements.

As for the built-in custom popup message, it lacks design, colors, new lines, etc.

Finally, to clarify how I did it:

1. You write a custom exe file (GUI form; it can also have no GUI) that implements your checks (group membership etc.).
2. Put it in the system32 directory.
3. Update the above registry key with the name of the new exe file.
4. When a user logs in, he's presented with your form.
If he passes all requirements then you manually execute explorer.exe; otherwise you log him off.



-----
Shay Levi
$cript Fanatic
http://scriptolog.blogspot.com

That certainly seems an interesting approach, however, I wonder what
anomalies might result from renaming a standard windows component. Do
your users ever call to ask why the user agreement pops up when they
try to run explorer from a command prompt window?

It seems to me (and others that have commented on the apparent need to
do this as expressed in various similar threads) that this is not
necessary, and possibly counter-productive, as windows basically does
this for you, i.e.:

- user enters ctrl-alt-del
- typical message pops up stating that only authorized users are allowed to logon.

At this point, one of three things happens:

- the authorized user logs on
- the unauthorized user cancels the logon dialog and goes away
- the unauthorized user logs on (if he can)

In your scenario:

- user enters ctrl-alt-del
- some sort of message might pop up, I don't know what you do here, and user hits "OK" button.
- user logs on
- your agreement.exe pops up and asks whatever it asks

At this point, one of three things happens:

- the authorized user presses "OK", his logon completes, and he starts working.
- the unauthorized user presses "Cancel", is logged off, and he goes away.
- the unauthorized user presses "OK", his logon completes, and he does whatever he does.

In neither scenario (yours or the default windows setting) is
unauthorized use actually prevented, as that would only result from an
honest unauthorized user.

Now supposing the owner of the network takes someone to court,
charging unauthorized use. In the windows scenario, the judge asks if
the person saw or read the message - if he can be believed when he
says no, and gets off, then no trespassing signs everywhere will be
replaced by machine gun emplacements, as it will be shown that warning
signs have no legal standing.

So the guy says he read the sign saying he was not allowed to use the
system, but complains that there was no cancel button, only an OK
button. The judge points out that, knowing he was not supposed to
logon, he should have realized that he was meant to cancel the logon
dialog.

In your scenario, the judge asks the same questions. Since the guy
clearly logged on, the judge asks why he hit the "OK" button instead
of "Cancel". The guy replies that he did hit cancel, but was not
logged off, so he continued using the system, as he was only required
to respond to the dialog, which he did.

Then the judge turns to you and asks for proof that your program could
never ever fail to do what you say it is supposed to do. Since
everybody knows that software is not perfect, the guy gets off because
it is a case of his word against that of your software.

In his decision, the judge explains that, in order to protect your
network, you only need to ensure that the rules are known. If your
warning sign interacts with the user as you describe, he might get the
idea that your policy requires his agreement in order to be valid,
that it is, in a way, an optional thing.

/Al

"Shay Levi" <no@xxxxxxxx> wrote in message
news:8766a944258688ca5f55b1c222c8@xxxxxxxxxxxxxxxxxxxxx

True. OK, plan B.

I did a project once; the requirements were to display a user
agreement message (GUI form with OK/Cancel buttons) once users had
entered their network credentials. If the user doesn't accept the
agreement then the user must be logged off.

The trick was to replace explorer.exe with my agreement exe file (sort
of application in the middle). If the user accepted the agreement
then I launched explorer.exe; otherwise I logged him off.

I'm not sure if user logon scripts will fire at that stage but cached
credentials certainly won't be an issue.
Anyway, it's worth trying.
-----
Shay Levi
$cript Fanatic
http://scriptolog.blogspot.com
That will certainly cause the XP system to shutdown when someone
attempts to logon there that you want to keep out. But it will not
prevent them from logging on, as the logon script runs *after* they
logon. If they were to cancel it before it got to the shutdown
command, then the shutdown command would not run. And having to test
some group memberships would likely mean that the time window in
which they could do this would not be so short as to make it
impossible.

But, even if they could not get in that way, once they have
successfully logged in, they might be able to unplug the network
cable, log in with cached credentials, and then reconnect to the
network.

IMHO, the only reliable way to accomplish what you want is to
restrict the right to logon in the first place.

/Al

"Shay Levi" <no@xxxxxxxx> wrote in message
news:8766a9442519c8ca5d72e052d6da@xxxxxxxxxxxxxxxxxxxxx
You can use the built-in shutdown command to force logoff:

shutdown -l -f

Check the help for shutdown :

shutdown /?

-----
Shay Levi
$cript Fanatic
http://scriptolog.blogspot.com
I would like to create a domain logon script, that would run on
Windows XP computers, that would test for certain group
memberships. If the tests failed I would like to not allow the
user to login into that particular computer. My question is how do
I abort the logon process in a logon script? I would like to use
either a .bat or .vbs file. Thank you.
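The following script is an added example written for this thread; it is not code from any of the posters. It ties together the two approaches discussed: the original question (a .vbs domain logon script that tests group membership and forces a logoff with `shutdown -l -f`, the command Shay gives) and Shay's later "application in the middle" variant (the script launches explorer.exe on acceptance and is pointed to by the Winlogon "Shell" value). The group name, the audit file path (a stand-in for Shay's database), the `/shell` switch and the script filename are all assumptions made for the example.

```vbscript
' Added example, not from the thread. Two ways to run it (assumptions):
'   1. as a domain logon script:   wscript.exe agreement.vbs
'   2. as the Winlogon shell:      Shell = wscript.exe C:\WINDOWS\system32\agreement.vbs /shell
Option Explicit

Const ALLOWED_GROUP = "WorkstationUsers"          ' placeholder group name
Const AUDIT_LOG     = "C:\AgreementLog\audit.txt"  ' placeholder, stands in for the database
Const ForAppending  = 8

Dim objNet, objShell, objFSO
Set objNet   = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
Set objFSO   = CreateObject("Scripting.FileSystemObject")

' Direct group membership via the WinNT provider. Nested group
' membership is NOT expanded, so a user reaching the group only through
' another group is reported as not a member.
Function IsMemberOf(strDomain, strUser, strGroup)
    Dim objUser, grp
    IsMemberOf = False
    On Error Resume Next
    Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")
    If Err.Number <> 0 Then Exit Function   ' lookup failed: treat as not a member
    On Error GoTo 0
    For Each grp In objUser.Groups
        If LCase(grp.Name) = LCase(strGroup) Then
            IsMemberOf = True
            Exit For
        End If
    Next
End Function

' Append one line of "proof" to the audit file; an unwritable file must
' not stop the decision below, so errors are swallowed here.
Sub WriteAudit(strUser, strHost, strOutcome)
    Dim f
    On Error Resume Next
    If Not objFSO.FolderExists(objFSO.GetParentFolderName(AUDIT_LOG)) Then
        objFSO.CreateFolder objFSO.GetParentFolderName(AUDIT_LOG)
    End If
    Set f = objFSO.OpenTextFile(AUDIT_LOG, ForAppending, True)
    f.WriteLine Now & vbTab & strHost & vbTab & strUser & vbTab & strOutcome
    f.Close
    On Error GoTo 0
End Sub

' Forced logoff, the same built-in command given earlier in the thread.
Sub ForceLogoff()
    objShell.Run "shutdown -l -f", 0, False
End Sub

Dim blnShellMode, strUser, strDomain, strHost, blnOK
blnShellMode = WScript.Arguments.Named.Exists("shell")
strUser   = objNet.UserName
strDomain = objNet.UserDomain
strHost   = objNet.ComputerName

' Gate 1: group membership.
blnOK = IsMemberOf(strDomain, strUser, ALLOWED_GROUP)

' Gate 2: the user must accept the agreement (OK) rather than decline (Cancel).
If blnOK Then
    blnOK = (MsgBox("Authorised users only. Click OK to accept the usage policy.", _
                    vbOKCancel + vbExclamation + vbSystemModal, "Usage agreement") = vbOK)
End If

If blnOK Then
    WriteAudit strUser, strHost, "accepted"
    ' In shell mode nothing else will start the desktop, so launch it here.
    If blnShellMode Then objShell.Run "explorer.exe", 1, False
Else
    WriteAudit strUser, strHost, "declined or not a member of " & ALLOWED_GROUP
    ForceLogoff
End If
```

Two limits of this script follow directly from the thread: as a logon script it runs after the logon has already succeeded, so it records and ends a session rather than preventing one, and cached credentials let a user log on with the network cable unplugged; and the agreement can only be enforced when the script itself runs to completion. Restricting the "log on locally" right to the permitted group, as Al recommends, is the control that actually stops the logon; this script is then a complement for the agreement and the audit trail, not a substitute.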


