
system wide macros with doskey


Djeezus

Jul 8, 2002, 7:02:01 AM
Hi all,

I have a simple question I guess,
but I just can't figure it out.

How do I make a custom doskey macro system wide available with Win2k
cmd.exe? If I open up a cmd shell, and declare a macro, it works
fine, but if I open another shell ... the macro is not available in
this new shell.

This is different behaviour than in Win9x dos (what a surprise).

Oh yes, I don't want to work with shortcuts or pifs or whatever, just
a nice clean dos solution is what I'm looking for ;-)

Thnx,
Gert

Djeezus

Jul 8, 2002, 10:50:16 AM
Hya all,

I've found the solution,
and I'm posting it for anyone who wants to know.

First create a batch with the doskey macros in 'em,
then create a registry key REG_SZ in
"HKEY_CURRENT_USER\Software\Microsoft\Command Processor"
(or LOCAL_MACHINE, whatever flavour you prefer) called
"AutoRun", and add as value the path and filename of the batch you
just created. Now this batch will be executed every time an instance
of cmd.exe is started.

NOT thanks to Micro$oft ! :p

Cya,
Gert

Ritchie

Jul 8, 2002, 2:50:25 PM
Hi Gert,
Instead of 'hardcoding' your batch file to the AutoRun key, consider
using a REG_EXPAND_SZ value and set it to something like '%autorun%'.
Then create an environment variable with the same name, and set its
value to your batch file. Advantages being you can redefine or disable
the AutoRun feature on-the-fly.

--
Ritchie
Undo address for email.

"Djeezus" <gert.va...@medisearch-int.com> wrote in message news:pa9jiu44tt760u14q...@4ax.com...

Djeezus

Jul 9, 2002, 11:38:10 AM
Hi Ritchie,

thnx for the tip, but I need to make sure that the users won't be able
to turn this "feature" off. The macros contain some essential
aliases. (net=echo Permission denied)
Is there like any other (better) way that u know of, to sort of give
the impression that certain commands are disabled ? I've always used
doskey macros, and they were always efficient, but not 100% secure.

Cya,
Gert

Frank

Jul 9, 2002, 1:36:11 PM
Djeezus <u80miucujp4t1qtk0...@4ax.com>...

^ Is there like any other (better) way that u know of, to sort of give
^ the impression that certain commands are disabled ?

You could copy everything in "%SystemRoot%\system32" (and other
directories) that they can have access to into a "%SystemRoot%\bin", place
"%SystemRoot%\bin" in their path, and deny them access to
"%SystemRoot%\system32" (and the other directories).

Frank

Al Dunbar

Jul 9, 2002, 9:47:43 PM

"Djeezus" <gert.va...@medisearch-int.com> wrote in message
news:u80miucujp4t1qtk0...@4ax.com...

> Hi Ritchie,
>
> thnx for the tip, but I need to make sure that the users won't be able
> to turn this "feature" off. The macros contain some essential
> aliases. (net=echo Permission denied)

I don't think it matters what you do, unless you can somehow ensure that
none of the users know how to:

- determine what doskey macros are in effect (doskey /macros), and:
delete them (doskey net=)

- specify the prohibited executable with a path (C:\winnt\system32\net)

> Is there like any other (better) way that u know of, to sort of give
> the impression that certain commands are disabled ? I've always used
> doskey macros, and they were always efficient, but not 100% secure.

IMHO, giving "the impression" of security and actually having it are two
completely different things. And further, "the impression" will make you
look very bad when it is found out as such.

As Frank suggests, I would look to NTFS file permissions for what you want.

/Al
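
An added example (not from any poster in this thread): a batch script that reports the AutoRun command registered for cmd.exe in both hives discussed above, then lists the doskey macros in effect, which is the check Al describes. It assumes reg.exe and findstr are on the path; the label name :CHECK is illustrative.

```bat
@echo off
rem Added example: report what cmd.exe is configured to run at startup.
setlocal
for %%H in (HKLM HKCU) do call :CHECK %%H
echo.
echo Doskey macros active in this shell:
doskey /macros
endlocal
goto :EOF

:CHECK
rem %1 is the hive abbreviation (HKLM or HKCU).
set "KEY=%1\Software\Microsoft\Command Processor"
reg query "%KEY%" /v AutoRun >nul 2>&1
if errorlevel 1 (
    echo [%1] AutoRun is not set
    goto :EOF
)
rem The value line looks like:  AutoRun    REG_SZ    C:\path\macros.cmd
for /f "tokens=1,2,*" %%A in ('reg query "%KEY%" /v AutoRun ^| findstr /i /c:"AutoRun"') do (
    echo [%1] type=%%B command=%%C
)
goto :EOF
```

A value reported under HKCU sits in the user's own registry hive, so that same user can change or delete it.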

Djeezus

Jul 10, 2002, 5:21:59 AM
I agree 100% on the security issue, but I think it's more a design
flaw of Win2k when they boast with their time synch across an entire
Win2k domain, with Win2k clients and servers ...
all very nice, but what if the pdc is a WinNT ... and I use a samba
box for time synch ?
I need to grant the users access to the "net" command, net time
\\tuxbox /set /yes
Apart from that they also need to have the ability to change the
system date / time. Sure, Poweruser can do this, but what other sort
of things can they do also? Way too much for security reasons...
And why can't a normal user add a static route to his win2k box ?

The logon script executes all these "net" commands, and as far as I
know, the logon script executes under the account of the person that
logs on, right ? So, placing secure ACLs on the commands (net, time,
date, whatever ...) will make no difference, or am I seeing this wrong
?
So this is why I'm doing these strange hacks, not because I like 'em,
but because I'm forced to.

Any suggestions or comments much appreciated

Cya,
Gert

Walter Salvatore

Jul 10, 2002, 9:42:09 AM
Read up on 2000 security first of all.
You are running on mis-information.
For the time, use the Time Service from the NT4 server resource kit.
It works just fine with an NT4 PDC, or even a workstation acting as a time
server. If you want to use the samba box, have the PDC synch its time to it
and have the workstations sync to the PDC. You install the time service as a
service, so the users do nothing. The time is set automatically by the
system.
There are only 2 files that would have to be copied into the \WINNT folder
on each machine, but this can be done in a few minutes with a batch.
Installing the service can also be done from a batch, so you could do the
entire operation in 1 batch file and complete several hundred computers in
no time at all.

Second, You can give users the right to change system time, and ONLY system
time using the resource kit and a batch file, for example:
----------------------------------------------------------------------------
@echo off
cls

:DO
rem Read one computer name per line from pc.lst and grant the right on each
for /f %%p in (pc.lst) do call :TIME %%p
goto :END
:END
exit
:TIME
echo Setting Time Permissions for PC: %1
rem Give "domain users" the right to change the system time on machine %1
ntrights -u "domain users" -m %1 +r SeSystemTimePrivilege >> timelog.txt
----------------------------------------------------------------------------

This takes the computer names from a text file called pc.lst, and gives
domain users the right to change the time on each of the remote computers in
that list.


"Djeezus" <gert.va...@medisearch-int.com> wrote in message

news:fjuniu4incu7ephdk...@4ax.com...

Djeezus

Jul 10, 2002, 10:52:47 AM
>Read up on 2000 security first of all.
>You are running on mis-information.
>For the time, use the Time Service from the NT4 server resource kit.
>It works just fine with an NT4 PDC, or even a workstation acting as a time
>server. If you want to use the samba box, have the PDC synch its time to it
>and have the workstations sync to the PDC. You install the time service as a
>service, so the users do nothing. The time is set automatically by the
>system.
The samba box uses ntp to synch time over the Internet, all
win9x/win2k/NT clients & servers use "net time" to synch with this box
(lan). So time synch is no problem or issue for me ... it's about
lack of sensible security in Win2k.

>There are only 2 files that would have to be copied into the \WINNT folder
>on each machine, but this can be done in a few minutes with a batch.
>Installing the service can also be done from a batch, so you could do the
>entire operation in 1 batch file and complete several hundred computers in
>no time at all.
And I suppose that these 2 files could also be used for other purposes
? What files do you mean ?

>
>Second, You can give users the right to change system time, and ONLY system
>time using the resource kit and a batch file, for example:
>----------------------------------------------------------------------------
>@echo off
> cls
>
>:DO
> for /f %%p in (pc.lst) do call :TIME %%p
> goto :END
>:END
>exit
>:TIME
> echo Setting Time Permissions for PC: %1
> ntrights -u "domain users" -m %1 +r SeSystemTimePrivilege >> timelog.txt
>----------------------------------------------------------------------------
That's the main issue, the logon script that runs every time they
logon will synch the time for them, I changed that in Local Security
Settings -- Local Policies -- User Rights Assignment.

But after that they shouldn't be able to have access to the time.
So how can I disable that ?

All comments much appreciated as ever ;-)

Thnx,
Gert

Djeezus

Jul 10, 2002, 10:57:40 AM
Wait a sec,
do you mean to install a "Win2k" service (run with System account) to
sync the time with any domain member? Is there a service like that,
is it on the WinNT resource kit CD, or included in Win2k ?

The thing I read was that if Win2k is PDC, the Win2k clients would
sync automatically, but only if PDC is Win2k, otherwise I'd need to
use "net time" or "ntp" stuff ...

That would be the solution indeed,
is there something like that too so that regular users can add static
routes in Win2k ... Is there a place I can go to read up about this ?

Thnx,
Gert

Walter Salvatore

Jul 10, 2002, 1:53:26 PM
That is what I said in my previous post.
I have all of our win2k clients syncing with our NT4 Exchange server, it's
not even the PDC and it works just fine.
It's on the NT4 server resource kit CD. The 2 files cannot be used for
anything else, they are the time service files, (timeserv.exe and
timeserv.ini).
You have to edit the .ini file to point to the server that the main machine
will use. That computer is the time "server". You edit the same file for the
workstations, but tell them to get their time from the "server".
You install the service remotely on the workstations after these files are
copied. I did 85 computers this way and it took less than 25 minutes to
complete the whole process. I have not seen anything on static routes, so I
am afraid I can't help you there, but check through the resource kit. It's
incredible what is actually in there.

"Djeezus" <gert.va...@medisearch-int.com> wrote in message

news:ekioius13c3qif6ej...@4ax.com...
