rogerfleming
(Lurker)
2005-05-18 12:49 AM
How to change the user defined for @USERID

I have a need to configure the KIX to use a different domain user than the user who is logged in to the workstation. Can this be done, and how would it be evaluated with ingroup condition? This is to allow multiple users to use the same machine without logging out and logging in as a different user.

NTDOC Administrator
(KiX Master)
2005-05-18 12:53 AM
Re: How to change the user defined for @USERID

It can not be done as you explain. The @USERID applies to the currently logged on user account.

Les
(KiX Master)
2005-05-18 12:54 AM
Re: How to change the user defined for @USERID

Huh?

rogerfleming
(Lurker)
2005-05-18 05:35 PM
Re: How to change the user defined for @USERID

Background information: We are a health care company who has workstations shared by multiple users. We are implementing a Single Sign-On solution which authenticates different users to the desktop. The workstation remains logged on the network as a generic user account. The SSO program can launch the Kix Script during the unique user login, but the @USERID only sees the generic login account. We would like to change the @USERID to the SSO Login account, which is an Active Directory account. We have validated that we can change the environmental variable of the USERNAME for the currently logged-in account, but it seems KIX does not use this to determine the @USERID. I guess the question is what does @USERID use to determine the currently logged in account, so that we can change the variable and then have KIX evaluate the new account name for the ingroup clause.

Thanks,

Roger Fleming


Allen Administrator
(KiX Supporter)
2005-05-18 06:00 PM
Re: How to change the user defined for @USERID

I doubt you are going to have much luck changing @userid macro. If your program can pass a variable or you somehow have access to the username you can still pass it to your script, for example:

kix32 logon.kix $userid="person"

{edit: you mention having access to environmental variables... maybe this will work...

kix32 logon.kix $userid="%username%"
}


maciep
(Korg Regular)
2005-05-18 06:40 PM
Re: How to change the user defined for @USERID

Just out of curiosity, what is your single-sign-on solution? And what are you trying to accomplish exactly? We use Sentillion and I wrote and maintain the ever-changing logon script for it. And the only time we have a need to know who's in context (and the previous user who was in context) is during that logon.

Richard H. Administrator
(KiX Supporter)
2005-05-18 07:10 PM
Re: How to change the user defined for @USERID

Quote:

We have validated that we can change the environmental variable of the USERNAME for the currently logged-in account




Why not just use %USERNAME% in your scripts instead of the @USERID macro?


NTDOC Administrator
(KiX Master)
2005-05-18 07:14 PM
Re: How to change the user defined for @USERID

Well perhaps I'm missing something here, but I see that as a big security flaw. You now have an impossible task of auditing user actions on the system. By using a "generic" logon you leave yourself open to any form of internal hacking (claims of 80% of all hacking originate internally are often quoted) and no good method to audit it since most if not all tracks will trace back to this generic account.

maciep
(Korg Regular)
2005-05-18 07:31 PM
Re: How to change the user defined for @USERID

Doc, I'm assuming these shared users are nurses and doctors on a nursing unit. And at least here, those machines are locked down. And it makes sense to have a generic account since there are many many different users that will be using these machines. There's no need to fill the machine up with profiles for every user of the desktop. Plus when it comes to GPOs and standardizing machines of this type, not having a generic account is a maintenance nightmare.

Also, a lot of the users probably flow from floor to floor and possibly building to building, so it just makes sense to have an account for each area that everyone uses. If you secure your desktops correctly, audit tracking becomes much less of an issue.


NTDOC Administrator
(KiX Master)
2005-05-18 07:45 PM
Re: How to change the user defined for @USERID

Yes, I can understand it. Just saying - it is a security risk that one has to determine if the risks outweigh the costs. In the given circumstances I would have to agree that the costs do outweigh the risks for the given scenario.

That given though... what does one need to run a KiX script against a specific user for? What are you trying to accomplish for each user?
 


maciep
(Korg Regular)
2005-05-18 07:56 PM
Re: How to change the user defined for @USERID

The OS logs on with the generic account. Then the user logs into context (google "CCOW" for more info). Any apps that are CCOW compliant will automatically log that user in. The CCOW solution will keep track of the context (user, patient and possibly others). So if a patient's info is loaded in one app and they launch another, that patient will be loaded there as well. Which is the ultimate goal in the end run.

When the users log out of CCOW, however, it does not log off of the OS. Therefore, any non-CCOW compliant apps they had opened (ones they have to log into manually) will remain open with their credentials. My logon script closes those apps when a new user logs on.


NTDOC Administrator
(KiX Master)
2005-05-18 08:06 PM
Re: How to change the user defined for @USERID

Thanks for the update Maciep. Appreciate it. Have not used such software methods yet.


http://www.hl7.org.au/CCOW.htm

http://www.orionhealth.com/concerto_technical_ccow.htm



Quote:

The HL7 CCOW (Clinical Context Object Workgroup) Standard is vendor independent and allows clinical applications to share information at the point of care.
Using a technique called "context management", CCOW provides the clinician with a unified view on the information held in separate and disparate healthcare applications referring to the same patient, encounter or user. This means that when a clinician signs onto one application within the group of disparate applications tied together by the CCOW environment, that same sign-on is simultaneously executed on all other applications within the group. Similarly, when the clinician selects a patient, the same patient is selected in all the applications. CCOW then builds a combined view of the patient on one screen.
CCOW works for both client-server and web-based applications. The acronym CCOW stands for "Clinical Context Object Workgroup", a reference to the standards committee within the HL7 group that developed the standard.




Citrix Solutions for CCOW
http://www.citrix.com/English/PS/industries/feature.asp?industryID=1412&featureID=14448
 


rogerfleming
(Lurker)
2005-05-19 12:18 AM
Re: How to change the user defined for @USERID

Here is our script;

if ingroup("abcdef")
use E: /d
use E: \\abc123\abcde123
endif

What we want to do is provide a Global user variable to have the KIX script use in evaluating the ingroup clause. We believe it is using the @USERID Macro. What user ID does the KIX use to be applied against the "use" command?

Also this SSO solution is Etrust SSO from Computer Associates

Any ideas?

Thanks,

Roger Fleming


Kdyer
(KiX Supporter)
2005-05-19 01:02 AM
Re: How to change the user defined for @USERID

You are very close.. you need to surround your Server\Resource to be:
Code:

if ingroup("abcdef")
use E: /d
use E: "\\abc123\abcde123"
endif



HTH,

Kent


NTDOC Administrator
(KiX Master)
2005-05-19 01:23 AM
Re: How to change the user defined for @USERID

Kent they still can't do an InGroup with that macro though.

You would probably need to use some ADSI code for group enumeration based on the userid from the environment.

Please check out the Microsoft Script Center for many examples that can easily be converted to KiXtart.

If you're unable to locate one sufficient or need assistance converting it to KiXtart let us know.


rogerfleming
(Lurker)
2005-06-02 10:58 PM
Re: How to change the user defined for @USERID

We found this method to work correctly except it loops the function after each if $group statement. Do you have any ideas to store the groups list to a table stored in memory as the script evaluates each if $group statement?

Thanks,


cls
color g+/n
? " Please Wait While Your Login Script Executes...."
color n/n
; Arlington Logon Script

Function UserGroups($target,$user,OPTIONAL $datatype)

    DIM $group, $temp[2], $i
    $user = getobject("WinNT://$target/$user,user")
    if @error <> 0 and vartype($user) <> 9 exit(@error) endif
    for each $group in $user.groups
        select
            case $datatype = 0 ;return the group.name
                $temp[$i] = $group.name
            case $datatype = 1 ;return the groupobject
                $temp[$i] = $group
            case $datatype = 2 ;return the group.adspath
                $temp[$i] = $group.adspath
            case 1
                exit(1)
        endselect
        if $i = ubound($temp)
            redim preserve $temp[$i+2]
        endif
        $i = $i+1
    next
    if $i <> 0
        redim preserve $temp[$i-1]
        $UserGroups = $temp
    else
        redim preserve $temp[$i]
        $usergroups = ""
    endif
    exit(0)
endfunction

if $SSOUSER
    $groups = UserGroups(@domain,$SSOUSER)
    ;for each $group in $groups ?$group next

ELSE
    $groups = UserGroups(@domain,@USERID)
    ;for each $group in $groups ?$group next
ENDIF

for each $group IN $groups
    IF $group = "Epic Hyperspace"
        use x: /d
        if $cgroup
            use x: "\\ftwgen01\mlsreports" /user:$SSOUSER /password:$SSOPWD
        ELSE
            use x: \\ftwgen01\mlsreports
        ENDIF
    ENDIF

    IF $group = "ftwgen01.mlsreportsR"
        use x: /d
        if $cgroup
            use x: \\ftwgen01\mlsreports /user:$SSOUSER /password:$SSOPWD
        ELSE
            use x: \\ftwgen01\mlsreports
        ENDIF
    ENDIF

    ; REM ************************************************************************
    ; REM App drive F:
    IF $group = "ARL"
        use f: /delete
        if $cgroup
            use f: "\\ftwgen01\arl apps" /user:$SSOUSER /password:$SSOPWD
        ELSE
            use f: "\\ftwgen01\arl apps"
        ENDIF
    ENDIF

    ; REM ************************************************************************


Sealeopard
(KiX Master)
2005-06-04 02:37 PM
Re: How to change the user defined for @USERID

You're missing the NEXT for the FOR EACH. Please use the [CODE] tags when posting code and properly indent code to make it easier to read.
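
An added example, not code posted by anyone in the thread, of the approach asked about on 2005-06-02: the groups are read through ADSI once into an array, and each drive mapping then tests that in-memory array. GetGroupNames, IsMember and $account are hypothetical names; $SSOUSER is assumed to be passed on the kix32 command line as suggested earlier, and the /user: and /password: branch of the posted script is left out.

```kixtart
; Added example: enumerate the account's groups once, then test the cached array.
Function GetGroupNames($target, $account)
    Dim $obj, $grp, $names[15], $n
    $n = 0
    $GetGroupNames = ""
    $obj = GetObject("WinNT://" + $target + "/" + $account + ",user")
    If @ERROR Or VarType($obj) <> 9      ; 9 = object; anything else means the lookup failed
        Exit 1
    EndIf
    For Each $grp In $obj.Groups
        If $n > UBound($names)
            ReDim Preserve $names[$n + 16]
        EndIf
        $names[$n] = $grp.Name
        $n = $n + 1
    Next
    If $n > 0
        ReDim Preserve $names[$n - 1]
        $GetGroupNames = $names
    EndIf
EndFunction

Function IsMember($groups, $name)
    Dim $g
    $IsMember = 0
    If VarType($groups) < 8192           ; not an array: lookup failed or no groups
        Exit 0
    EndIf
    For Each $g In $groups
        If $g = $name
            $IsMember = 1
        EndIf
    Next
EndFunction

$account = @USERID
If $SSOUSER                              ; assumed: set by the SSO launcher on the command line
    $account = $SSOUSER
EndIf
$groups = GetGroupNames(@DOMAIN, $account)   ; the only ADSI call in the script
If IsMember($groups, "Epic Hyperspace") Or IsMember($groups, "ftwgen01.mlsreportsR")
    Use x: /delete
    Use x: "\\ftwgen01\mlsreports"
EndIf
If IsMember($groups, "ARL")
    Use f: /delete
    Use f: "\\ftwgen01\arl apps"
EndIf
```

Because $SSOUSER is supplied by whatever launches the script, this lookup only decides which drives to map; access to each share is still decided by the server against the credentials used for the connection.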