Re: How to force a logoff in a logon script?




Sorry, I missed that little registry detail, thanks for explaining. Given
your non-standard workstation setup, I assume you have procedures in place
to ensure that no system is ever made available to the users until it has
been configured as noted. Seems odd to have to rely on workstation
configuration to protect a server...

Your approach is certainly more detailed, however, not knowing the
complexity of the rules you present to the user it is hard to say whether or
not the vanilla windows approach would work as well for you.

As for your application actually verifying that the users know what they are
doing, do you also ask them if they know what they mean by clicking the OK
button? And should they respond that they do, can you be sure that they
aren't just clicking OK buttons just because they are there? IMHO, to do
what you really want would require them to sit some sort of exam that they
would be unlikely to pass with lucky guesses... ;-)

As to providing the proof of how they responded, that might satisfy
management, but if they were to, for example, charge someone in court or
fire them, the proof might have to stand up to a more difficult test. Until
such time as it has done so, you can only guess that it would meet with
whatever external body was involved in the case.

The way we do it, I know for a fact that most people do not actually read
the disclaimer notice. It is mainly there for our protection, and I believe
there is legal precedent to use this as evidence in a court of law...

So I guess it all depends on your needs and requirements, as you say. But if
your needs are other than legalistic, it still seems to me a bit over the
top. But then, I just noticed your tagline... ;-)


/Al


"Shay Levi" <no@xxxxxxxx> wrote in message
news:8766a944259b58ca60776193f63c@xxxxxxxxxxxxxxxxxxxxx

Hi Al,


I didn't rename explorer.exe nor change it in any way. Windows has a
registry key that governs which UI (explorer) will be presented
to the user; you can get a list of such applications here:

http://en.wikipedia.org/wiki/Desktop_shell_replacement


Anyway, it is similar to terminal services where you can replace the shell
for a terminal user. The registry key, "shell", can be found under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

A similar key is available in the Current User hive.


The agreement application was also writing to a database so "proof" can
be pulled out anytime.
My requirement was not to disallow users from logging in, it was to verify
that they know what they are doing and to write it to a database.
There isn't one way to achieve it, it really depends on your needs and
requirements.

As for the built-in custom popup message, it lacks design, colors, new
lines etc.

Finally, to clarify how I did it:

1. You write a custom exe file (gui form, it can also have no gui) that
implements your checks (group membership etc).
2. Put it in the system32 directory.
3. Update the above regkey with the name of the new exe file.
4. When a user logs in, he's presented with your form.
If he passes all requirements then you manually execute explorer.exe,
otherwise you log him off.



-----
Shay Levi
$cript Fanatic
http://scriptolog.blogspot.com
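The gate described in steps 1 to 4 above, written in PowerShell as an added example (not code from the thread or from Shay's project). The group name, log file path, script file name and the fail-closed choice on error are assumptions.

```powershell
# Added example (not from the thread): a minimal Winlogon shell-replacement gate.
# Assumed, not stated in the thread: the group name, the log file path, the file
# name of this script, and that an error in the gate logs the user off (fail closed).
$RequiredGroup = 'CONTOSO\Workstation Users'        # assumed domain group
$LogPath       = "$env:windir\Temp\logon-gate.log"  # thread used a database; a file stands in

# Step 3, run once as an administrator (assumed script location):
# Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell `
#   -Value 'powershell.exe -NoProfile -File C:\WINDOWS\system32\logon-gate.ps1'

function Write-GateRecord([string]$Decision) {
    # Record who answered what, so the "proof" can be pulled later, as in the thread
    $line = '{0} {1}\{2} {3}' -f (Get-Date -Format o), $env:USERDOMAIN, $env:USERNAME, $Decision
    Add-Content -Path $LogPath -Value $line
}

function Test-Authorized {
    # Step 1 check: is the interactive user a member of the required group?
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole($RequiredGroup)
}

function Invoke-Logoff {
    # The thread's way out: force the session closed
    & "$env:windir\system32\shutdown.exe" -l -f
}

try {
    $accepted = $false
    if (Test-Authorized) {
        # Step 4: present the agreement; a console prompt stands in for the GUI form
        $answer   = Read-Host 'Authorized use only. Type YES to accept the usage agreement'
        $accepted = ($answer -eq 'YES')
    }
    if ($accepted) {
        Write-GateRecord 'accepted'
        Start-Process -FilePath "$env:windir\explorer.exe"   # hand over to the normal shell
    } else {
        Write-GateRecord 'refused-or-not-in-group'
        Invoke-Logoff
    }
} catch {
    # Fail closed: a broken gate must not leave the user sitting at a shell-less desktop
    Write-GateRecord "error: $($_.Exception.Message)"
    Invoke-Logoff
}
```

As Al notes in this thread, this gates the desktop rather than the logon itself: the session already exists by the time the shell runs, so the logon right is what actually restricts access.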

That certainly seems an interesting approach; however, I wonder what
anomalies might result from renaming a standard Windows component. Do
your users ever call to ask why the user agreement pops up when they
try to run explorer from a command prompt window?

It seems to me (and others that have commented on the apparent need to
do this as expressed in various similar threads) that this is not
necessary, and possibly counter-productive, as Windows basically does
this for you, i.e.:

- user enters ctrl-alt-del
- typical message pops up stating that only authorized users are allowed to logon.

At this point, one of three things happens:

- the authorized user logs on
- the unauthorized user cancels the logon dialog and goes away
- the unauthorized user logs on (if he can)

In your scenario:

- user enters ctrl-alt-del
- some sort of message might pop up, I don't know what you do here, and user hits "OK" button.
- user logs on
- your agreement.exe pops up and asks whatever it asks

At this point, one of three things happens:

- the authorized user presses "OK", his logon completes, and he starts working.
- the unauthorized user presses "Cancel", is logged off, and he goes away.
- the unauthorized user presses "OK", his logon completes, and he does whatever he does.

In neither scenario (yours or the default Windows setting) is
unauthorized use actually prevented, as that would only result from an
honest unauthorized user.

Now supposing the owner of the network takes someone to court,
charging unauthorized use. In the Windows scenario, the judge asks if
the person saw or read the message. If he can be believed when he
says no, and gets off, then no trespassing signs everywhere will be
replaced by machine gun emplacements, as it will be shown that warning
signs have no legal standing.

So the guy says he read the sign saying he was not allowed to use the
system, but complains that there was no cancel button, only an OK
button. The judge points out that, knowing he was not supposed to
logon, he should have realized that he was meant to cancel the logon
dialog.

In your scenario, the judge asks the same questions. Since the guy
clearly logged on, the judge asks why he hit the "OK" button instead
of "Cancel". The guy replies that he did hit cancel, but was not
logged off, so he continued using the system, as he was only required
to respond to the dialog, which he did.

Then the judge turns to you and asks for proof that your program could
never ever fail to do what you say it is supposed to do. Since
everybody knows that software is not perfect, the guy gets off because
it is a case of his word against that of your software.

In his decision, the judge explains that, in order to protect your
network, you only need to ensure that the rules are known. If your
warning sign interacts with the user as you describe, he might get the
idea that your policy requires his agreement in order to be valid,
that it is, in a way, an optional thing.

/Al

"Shay Levi" <no@xxxxxxxx> wrote in message
news:8766a944258688ca5f55b1c222c8@xxxxxxxxxxxxxxxxxxxxx

True. OK, plan B.

I did a project once, the requirements were to display a user
agreement message (gui form with OK/Cancel buttons) once users have
entered their network credentials. If the user doesn't accept the
agreement then the user must be logged off.

The trick was to replace explorer.exe with my agreement exe file (sort
of application in the middle). If the user accepts the agreement
then I launched explorer.exe, otherwise I logged him off.

I'm not sure if user logon scripts will fire at that stage but cached
credentials certainly won't be an issue.
Anyway, it's worth trying.
-----
Shay Levi
$cript Fanatic
http://scriptolog.blogspot.com
That will certainly cause the XP system to shutdown when someone
attempts to logon there that you want to keep out. But it will not
prevent them from logging on, as the logon script runs *after* they
logon. If they were to cancel it before it got to the shutdown
command, then the shutdown command would not run. And having to test
some group memberships would likely mean that the time window in
which they could do this would not be so short as to make it
impossible.

But, even if they could not get in that way, once they have
successfully logged in, they might be able to unplug the network
cable, log in with cached credentials, and then reconnect to the
network.

IMHO, the only reliable way to accomplish what you want is to
restrict the right to logon in the first place.

/Al

"Shay Levi" <no@xxxxxxxx> wrote in message
news:8766a9442519c8ca5d72e052d6da@xxxxxxxxxxxxxxxxxxxxx
You can use the built-in shutdown command to force logoff:

shutdown -l -f

Check the help for shutdown :

shutdown /?

-----
Shay Levi
$cript Fanatic
http://scriptolog.blogspot.com
I would like to create a domain logon script, that would run on
Windows XP computers, that would test for certain group
memberships. If the tests failed I would like to not allow the
user to log in to that particular computer. My question is how do
I abort the logon process in a logon script? I would like to use
either a .bat or .vbs file. Thank you.




