If you could help in here:
I've got a few machines (XP) which have to go to a Library
to give service to all the users within the domain (login
against a W2K server).
The point is, no matter which user logs in, I want these
machines to run the library software and just the library
software so they cannot access any other feature and not
even the start button and opening any other programs.
I cannot set user scripts policies because they might
logon on other machines which have nothing to do with the
library software.
Any ideas or direction I should be looking at?
Regards,
Fernando.
Hi
E.g. configure the computer to use your app as the shell instead of
explorer.exe. You can do this change with a registry edit.
The shell to be used is specified in the Shell value under the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Create the value if it does not exist. Default is Explorer.Exe, that
will start the windows desktop.
--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
I might also add a script to the All Users startup group, that checked the
username and/or group membership, and if it didn't need to log onto that
machine, execute something like "shutdown -l" to log the user off.
Having never tried modifying the shell registry value, it makes me nervous
to try it on the Local Machine hive. If you aren't able to access Explorer
or the shell, how do you make changes later? Wouldn't that make updates and
patches unduly difficult? This is why I'd opt for the locked-down account
approach, it seems easier to give the administrator access to the machine
when it's needed.
--
Scott Fenstermacher
Network Engineer
Levi, Ray and Shoup, INC
Thank you for your answer. I will leave this option in the
background for a while for the reasons Scott explained: I
have never hidden the shell or the Explorer in such a way
and I'm not sure how I could recover it (i.e. how could I
edit the register again to change the values).
Regards,
Fernando.
Thanks for your idea. Just a couple of things: I need to
have a control about the users using the computers so I
want them to logon in the domain.
I might have misunderstood, but it sounds to me that your
method (locked-down account) will be a *local* auto-logon
to the machine.
What do you think?
Fernando.
> Dear Torgeir,
>
> Thank you for your answer. I will leave this option in the
> background for a while for the reasons Scott explained: I
> have never hidden the shell or the Explorer in such a way
> and I'm not sure how I could recover it (i.e. how could I
> edit the register again to change the values).
Hi
The way to recover is to press Ctrl+Alt+Delete and then select
"Task Manager", then "New Task...". You can now start regedit.exe,
or explorer.exe or any other program you want to. If you don't
want ordinary users to be able to do the same, you will need
to configure a policy that disables it for them, e.g. the
"Remove Task Manager" policy under "User Configuration\Administrative
Templates\System\Ctrl+Alt+Del Options"
Also, if you are not able to add a logoff routine to your library
software, you will need to add something that does log the user off
when the user exits the library software.
You could e.g. add the script below in a scheduled task that is
configured to start at user logon.
The script goes into a loop and checks for an executable every
second (notepad.exe in this example). When it detects that the app
is not running, the script will log off the user.
'--------------------8<----------------------
Const EWX_LOGOFF = 0
Const EWX_FORCE = 4

sProcessName = "notepad.exe"
sComputer = "." ' use "." for local computer

' necessary to use the RemoteShutdown privilege to log off another
' user than the one defined in the scheduled task.
Set oWmi = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(RemoteShutdown)}!\\" _
    & sComputer & "\root\cimv2")

WScript.Sleep 5000 ' wait 5 seconds before starting checking

Do
    Set colProcessList = oWmi.ExecQuery _
        ("Select * from Win32_Process Where Name = '" & sProcessName & "'")
    If colProcessList.Count = 0 Then
        Exit Do
    End If
    WScript.Sleep 1000 ' wait 1 second before checking again
Loop

Set colOpSys = oWmi.ExecQuery("select * from Win32_OperatingSystem")
For Each oOpSys in colOpSys
    Set oOS = oOpSys : Exit For
Next
oOS.Win32shutdown EWX_LOGOFF + EWX_FORCE
'--------------------8<----------------------
The application is, by the way, nothing else but Internet
Explorer, since the library software runs under a
webservice (citrix).
So far what I have done is:
1. Create a new OU called "library"
2. Add the Library-computer to the OU
3. Create a new Library Group Policy object for the OU
4. Configure for both, machine and user, to run
iexplore.exe at logon, but it doesn't seem to work.
5. Run the script provided by Torgeir to log off as soon
as iexplore.exe is not running, but the script doesn't
execute at logon.
I haven't sorted the shell thing either. When I change the
parameter in the Regedit from explorer.exe to
iexplore.exe, at any logon (local or domain) it only shows
a black window. If I open Task Manager, neither the script
nor the iexplore.exe are running.
I've got the ideas clear of what I need (that's a step!!),
but I haven't achieved any of them yet.
Only the script works, and is thanks to Torgeir!!!
Any ideas?
Thanks to all,
Fernando.
> I haven't sorted the shell thing either. When I change the
> parameter in the Regedit from explorer.exe to
> iexplore.exe, at any logon (local or domain) it only shows
> a black window. If I open Task Manager, neither the script
> nor the iexplore.exe are running.
Hi
As explorer.exe is not running, the "App Paths" entries are not "live",
and you cannot use iexplore.exe without explicitly adding the path to it.
For iexplore.exe, you will need to add the full path in the Shell
registry value, like this (you need to include the quotes as well):
"C:\Program Files\Internet Explorer\iexplore.exe"
If you want to start it at a specified Web page:
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/
But I see now that it is much easier to put a VBScript in the Shell
value, and let the script start Internet Explorer, let the script wait
for the exe to finish, and then run the logoff code from the script.
Put the script below into the Shell value like this:
wscript.exe "some path to .vbs file here"
(wscript.exe is in the path, so you do not need any explicit path in
front of it).
'--------------------8<----------------------
Set oShell = CreateObject("WScript.Shell")
sAppPathsBase = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\"

' exe path is in the default value
sAppPathExe = oShell.RegRead(sAppPathsBase & "iexplore.exe" & "\")

' start IE and wait for it to close
oShell.Run """" & sAppPathExe & """ http://www.google.com", 1, True

' if no URL is necessary, use this instead:
'oShell.Run """" & sAppPathExe & """", 1, True

' start logoff
Const EWX_LOGOFF = 0
Const EWX_FORCE = 4
sComputer = "." ' use "." for local computer
Set oWmi = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Shutdown)}!\\" _
    & sComputer & "\root\cimv2")
Set colOpSys = oWmi.ExecQuery("select * from Win32_OperatingSystem")
' remaining steps completed from the logoff script earlier in the thread
For Each oOpSys in colOpSys
    Set oOS = oOpSys : Exit For
Next
oOS.Win32shutdown EWX_LOGOFF + EWX_FORCE
'--------------------8<----------------------
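The App Paths and quoting point from the reply above, as an added example that is not part of the original post: a pre-flight check that refuses a Shell command line whose executable cannot be resolved without explorer.exe. The function names, the sample value and the library.example URL are assumptions made for illustration, and the check assumes the PATH seen by the script matches the one in effect at logon.

```vbscript
Option Explicit
' Added example: validate a candidate Winlogon Shell command line before writing it
Const APP_PATHS = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\"
Dim oShell, oFso, sCandidate, sExe, sHint
Set oShell = CreateObject("WScript.Shell")
Set oFso = CreateObject("Scripting.FileSystemObject")
' Constructed sample: the bare name that produced the empty desktop
sCandidate = "iexplore.exe http://library.example/"
sExe = ExeFromCommandLine(sCandidate)
If IsUsableShellExe(sExe) Then
    WScript.Echo "OK to use as Shell: " & sCandidate
Else
    WScript.Echo "Do not use as Shell, cannot resolve: " & sExe
    sHint = ""
    On Error Resume Next   ' RegRead raises an error if the key is missing
    sHint = oShell.RegRead(APP_PATHS & sExe & "\")
    On Error GoTo 0
    If Len(sHint) > 0 Then WScript.Echo "App Paths has it; use the full path: " & sHint
    WScript.Quit 1
End If

' Executable part of a command line: the quoted string, or text up to the first space
Function ExeFromCommandLine(ByVal sCmd)
    Dim iEnd
    sCmd = Trim(sCmd) & " "
    If Left(sCmd, 1) = """" Then
        iEnd = InStr(2, sCmd, """")
        If iEnd = 0 Then iEnd = Len(sCmd)   ' unterminated quote: take the rest
        ExeFromCommandLine = Mid(sCmd, 2, iEnd - 2)
    Else
        ExeFromCommandLine = Left(sCmd, InStr(sCmd, " ") - 1)
    End If
End Function

' True for an existing full path, or a bare name found in a PATH directory.
' App Paths is deliberately not consulted; an unquoted path with spaces fails (conservative).
Function IsUsableShellExe(sExe)
    Dim sDir
    IsUsableShellExe = False
    If InStr(sExe, "\") > 0 Then
        IsUsableShellExe = oFso.FileExists(sExe)
    Else
        For Each sDir In Split(oShell.ExpandEnvironmentStrings("%PATH%"), ";")
            If Len(sDir) > 0 Then
                If oFso.FileExists(oFso.BuildPath(sDir, sExe)) Then IsUsableShellExe = True
            End If
        Next
    End If
End Function
```

Run it with cscript.exe from an administrator session on the kiosk machine; a non-zero exit code means the candidate should not be written to the Shell value.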
The only inconvenience I see is that this requires making most of the changes
in the client machine. Since I have to configure 10 machines (for the
moment), I'd rather have the scripts execution configured in the server
side.
I'm almost there: the machine logs on properly, it runs the script (which I
have specified in the OU group policies) and the iexplore.exe should start
as well. The problem is that the iexplore.exe will not run until the script
finishes and the script logs you off since there is no iexplore.exe running.
I have to find a way to run the program before the script and, as far as I
understood, the scripts always run before the explore.exe is loaded.
If I manage to do this, my idea is to disable the Start button from the
client machine for which, I believe, you have to modify some values in the
register which I haven't found yet.
Thank you so much for all your help.
Fernando.
> Torgeir,
>
> The only inconvenience I see is that this requires making most of the changes
> in the client machine. Since I have to configure 10 machines (for the
> moment), I'd rather have the scripts execution configured in the server
> side.
>
> I'm almost there: the machine logs on properly, it runs the script (which I
> have specified in the OU group policies) and the iexplore.exe should start
> as well. The problem is that the iexplore.exe will not run until the script
> finishes and the script logs you off since there is no iexplore.exe running.
> I have to find a way to run the program before the script and, as far as I
> understood, the scripts always run before the explore.exe is loaded.
>
> If I manage to do this, my idea is to disable the Start button from the
> client machine for which, I believe, you have to modify some values in the
> register which I haven't found yet.
Hi
No, there is no way to disable the Start button, but you can make it
pretty "empty".
In the Group Policy editor, take a look at the settings under
User Configuration\Administrative Templates\Start Menu and Taskbar\
If you don't remove the Logoff button, you can drop the logoff script,
and let the users log off themselves the usual way, using the Start
button.