Itried REGINI, FlOPPYLOCK, all this need Local Admin Privilage,I havent seen any solutin on preevious archives also.

Any other way???

You're caught in the classic "Windows NT Security Catch-22" You're trying to perform an administrative task - using a user's context (logon script). When you really think about it - anything that can be done in the login script can also (by default) be un-done by the user.

I think you might only have one option here - and that is to build an "administrative" KiXtart script that scans a list of hostnames (in a flatfile), then copies floplock out to each workstation, then uses something like XNET and SC to remotely install and activate it...

The other benefit of doing it remotely is that once it's installed on all your workstations - you can discard the script - as opposed to having to leave it in the logon script (forever) to support future workstation deployment (assuming that you'll be rolling FLOPLOCK into your new "workstation images")

I mean - the only other thing you can do is to "hide" the A: drive - and we all know what a "joke" that is...

It's too bad Microsoft didn't design the logon process to run at an "elevated" security level (eg, at local admin level). If properly implemented, I don't think this would have introduced many serious security holes. Oh well !

How many workstations are we talking about here ?

-Shawn

have you ever thought of disabling it at a lower level ? Means disable it in the BIOS ?
Could be an alternative if there are not too many Workstations ...

Jochen

_________________________

Shawan-- I think ur suggetion is bit complex way, I 'll see it as a last option.

jpols-- I have more than 200 WKS scatered diffrent locations it's very hard to go induviduel pc's and work on BIO's setup.

I wish if I could get any Utility.

ok, i see : BIOS is no option for you ...

Have you already tried shipping around Security with SU.exe .?
just start a search on Starters and Scripts forums searching for SU and you'll get a 100+ hits .

Jochen

[This message has been edited by jpols (edited 06 June 2001).]

_________________________

i replied to your mail !

Jochen

_________________________

http://www.winguides.com/registry/display.php/210/

Hope it'll help you.

[This message has been edited by Strøm (edited 06 June 2001).]

could u specify a bit more??

Like which file and how ??

-Shawn

SU works great. It is possible to make your administrator password
invisible by using the tools
bat2exec and secure21
which you can find at our site
http://home.wanadoo.nl/scripting
Information on the board
http://kixtart.org/board/Forum2/HTML/001443.html
http://kixtart.org/board/Forum2/HTML/001558.html

Another way is the usage of policy settings, which work always with the
sufficient rights.
Greetings.

------------------
Site map:

• scripting@wanadoo.nl
  
• History of Site/Last info of Site
  
• Links to Favorite Sites
  
• Summary of Site
  

Well ... start Scheduler Service in system account ... have AT open a CMD, then the key should be editable (sorry, I can't get to test right now.).

Roll-out by using system policy.

cj

Any way ??

Bryce

------------------
kix.isorg.net

Have you tried regkey
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, AllocateFloppies, 0, REG_SZ" ?

I have not tried, but hack resource indicates value of 0 locks access except for all administrators in the Domain, value of '1' only the user logged on locally can access the floppy disks in the drive.

I have not tried this, nor am I sure a non-Admin can write to this key. Should only work in WinNT/2K. If you try in your test environment, please let the Board know how things went.

Bill

I am very close to victory……. See my code

$flokey="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Floppy\"
$flokeyval="Start"
$Flodata="4"
$flotype="REG_DWORD"

$rkey=readvalue($flokey,$flokeyval)

if (ingroup ("ITD Global Group") or INGROUP("ENABLEDA"))= 0
if ($rkey <> $Flodata)
shell "call \\server\hideshare$\log1.bat"
$wr=WRITEVALUE($flokey,$flokeyval,$flodata,$flotype)
endif
endif

Log1.bat

\\fileprintho\ssaver$\su 000182 < c:\pass.txt “\\sever\hideshare$\regini \\server\hideshare$\reg.txt”

Now my only concern is about reg.txt which is a plain text , A high security breech !!!

How can I tackle this ??

Hey …….. Thanks very much for ur valuable suggestion guys…. Really it helped me a lot..

PASS.TXT WHERE I AM WRITING ADMIN PASSWORED