You're caught in the classic "Windows NT Security Catch-22" You're trying to perform an administrative task - using a user's context (logon script). When you really think about it - anything that can be done in the login script can also (by default) be un-done by the user.

I think you might only have one option here - and that is to build an "administrative" KiXtart script that scans a list of hostnames (in a flatfile), then copies floplock out to each workstation, then uses something like XNET and SC to remotely install and activate it...

The other benefit of doing it remotely is that once it's installed on all your workstations - you can discard the script - as opposed to having to leave it in the logon script (forever) to support future workstation deployment (assuming that you'll be rolling FLOPLOCK into your new "workstation images")

I mean - the only other thing you can do is to "hide" the A: drive - and we all know what a "joke" that is...

It's too bad Microsoft didn't design the logon process to run at an "elevated" security level (eg, at local admin level). If properly implemented, I don't think this would have introduced many serious security holes. Oh well !

How many workstations are we talking about here ?

-Shawn