Page 1 of 1 1
Topic Options
#139875 - 2005-05-18 12:49 AM How to change the user defined for @USERID
rogerfleming Offline
Lurker

Registered: 2005-05-18
Posts: 4
I have a need to configure the KIX to use a different domain user then the user who is login to the workstation. Can this be done, and how would it be evaluated with ingroup condition? This is to allow multiple users to use the same machine without logging out and logging in as a different user.
Top
#139876 - 2005-05-18 12:53 AM Re: How to change the user defined for @USERID
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
It can not be done as you explain. The @USERID applies to the currently logged on user account.
Top
#139877 - 2005-05-18 12:54 AM Re: How to change the user defined for @USERID
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Huh?
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#139878 - 2005-05-18 05:35 PM Re: How to change the user defined for @USERID
rogerfleming Offline
Lurker

Registered: 2005-05-18
Posts: 4
Background information: We are a health care company who has workstations shared my multiple users. We are implimenting a Single Sign-On solution which authenticates differant users to the desktop. The workstation remains logged on the network as a generic user account. The SSO program can lunch the Kix Script during the unique user login, but the @USERID only sees the generic login account. We would like to change the @USERID to the SSO Login account which is a Active Directory account. We have validated the we can change the environmental variable of the USERNAME for the currently login account, but it seems KIX does not use this to determine the @USERID. I guess the question is what does @USERID use to determine the currently logged in account. So that we can change the variable and then have KIX evaluate the new account name for ingroup clause.

Thanks,

Roger Fleming


Edited by rogerfleming (2005-05-18 05:37 PM)

Top
#139879 - 2005-05-18 06:00 PM Re: How to change the user defined for @USERID
Allen Administrator Offline
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4545
Loc: USA
I doubt you are going to have much luck changing @userid macro. If your program can pass a variable or you somehow have access to the username you can still pass it to your script, for example:

kix32 logon.kix $userid="person"

{edit: you mention having access to environmental variables... maybe this will work...

kix32 logon.kix $userid="%username%"
}


Edited by Allen (2005-05-18 06:02 PM)

Top
#139880 - 2005-05-18 06:40 PM Re: How to change the user defined for @USERID
maciep Offline
Korg Regular
*****

Registered: 2002-06-14
Posts: 947
Loc: Pittsburgh
Just out of curiousity, what is your single-sign-on solution? And what are you trying to accomplish exactly? We use Sentillion and I wrote and maintain the ever-changing logon script for it. And the only time we have a need to know who's in context (and the previous user who was in context) is during that logon .
Top
#139881 - 2005-05-18 07:10 PM Re: How to change the user defined for @USERID
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Quote:

We have validated the we can change the environmental variable of the USERNAME for the currently login account




Why not just use %USERNAME% in your scripts instead of the @USERID macro?

Top
#139882 - 2005-05-18 07:14 PM Re: How to change the user defined for @USERID
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
Well perhaps I'm missing something here, but I see that as a big security flaw. You now have an impossible task of auditing user actions on the system. By using a "generic" logon you leave yourself open to any form of internal hacking (claims of 80% of all hacking originate internally are often quoted) and no good method to audit it since most if not all tracks will trace back to this generic account.
Top
#139883 - 2005-05-18 07:31 PM Re: How to change the user defined for @USERID
maciep Offline
Korg Regular
*****

Registered: 2002-06-14
Posts: 947
Loc: Pittsburgh
Doc, i'm assuming these shared users are nurses and doctors on a nursing unit. And at least here, those machines are locked down. And it makes sense to have a generic account since there are many many different users that will be using these machines. There's no need to fill the machine up with profiles for every user of the desktop. Plus when it comes to GPOs and standardizing machines of this type, not having a generic account is a maintenance nightmare.

Also, a lot of the users probably flow from floor to floor and possibly building to building, so it just makes sense to have an account for each area that everyone uses. If you secure your desktops correctly, audit tracking becomes much less of an issue.

Top
#139884 - 2005-05-18 07:45 PM Re: How to change the user defined for @USERID
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
Yes, I can understand it. Just saying - it is a security risk that one has to determine if the risks outweigh the costs. In the given circumstances I would have to agree that the costs do outweigh the risks for the given scenario.

That given though... what does one need to run a KiX script against a specific user for? What are you trying to accomplish for each user?
 

Top
#139885 - 2005-05-18 07:56 PM Re: How to change the user defined for @USERID
maciep Offline
Korg Regular
*****

Registered: 2002-06-14
Posts: 947
Loc: Pittsburgh
The OS logs on with the generic account. Then the user logs into context (google "CCOW" for more info). Any apps that are CCOW compliant will automatically log that user in. The CCOW solution will keep track of the context (user, patient and possibly others). So if a patient's info is loaded in one app and they launch another, that patient will be loaded there as well. Which is the ultimate goal in the end run.

when the users log out of CCOW however, it does not logoff of the OS. Therefore, any non-CCOW compliant apps they had opened (ones they have to log into manually) will remain open with their credentials. My logon script closes those apps when a new user logs on.

Top
#139886 - 2005-05-18 08:06 PM Re: How to change the user defined for @USERID
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
Thanks for the update Maciep. Appreciate it. Have not used such software methods yet.


http://www.hl7.org.au/CCOW.htm

http://www.orionhealth.com/concerto_technical_ccow.htm



Quote:

The HL7 CCOW (Clinical Context Object Workgroup) Standard is vendor independent and allows clinical applications to share information at the point of care.
Using a technique called "context management", CCOW provides the clinician with a unified view on the information held in separate and disparate healthcare applications referring to the same patient, encounter or user. This means that when a clinician signs onto one application within the group of disparate applications tied together by the CCOW environment, that same sign-on is simultaneously executed on all other applications within the group. Similarly, when the clinician selects a patient, the same patient is selected in all the applications. CCOW then builds a combined view of the patient on one screen.
CCOW works for both client-server and web-based applications. The acronym CCOW stands for "Clinical Context Object Workgroup", a reference to the standards committee within the HL7 group that developed the standard.




Citrix Solutions for CCOW
http://www.citrix.com/English/PS/industries/feature.asp?industryID=1412&featureID=14448
 


Edited by NTDOC (2005-05-18 08:09 PM)

Top
#139887 - 2005-05-19 12:18 AM Re: How to change the user defined for @USERID
rogerfleming Offline
Lurker

Registered: 2005-05-18
Posts: 4
Here is our script;

if ingroup("abcdef")
use E: /d
use E: \\abc123\abcde123
endif

What we want to do is provide a Global user variable to have the KIX script use in evaluating the ingroup clause. We believe it is using the @USERID Macro. What user ID does the KIX used to be applied against the "use" command?

Also this SSO solution is Etrust SSO from Computer Assocaites

Any ideas?

Thanks,

Roger Fleming

Top
#139888 - 2005-05-19 01:02 AM Re: How to change the user defined for @USERID
Kdyer Offline
KiX Supporter
*****

Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
You are very close.. you need to surround your Server\Resource to be:
Code:

if ingroup("abcdef")
use E: /d
use E: "\\abc123\abcde123"
endif



HTH,

Kent
_________________________
Utilize these resources:
UDFs (Full List)
KiXtart FAQ & How to's

Top
#139889 - 2005-05-19 01:23 AM Re: How to change the user defined for @USERID
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
Kent they still can't do an InGroup with that macro though.

You would probably need to use some ADSI code for group enumeration based on the userid from the environment.

Please check out the Microsoft Script Center for many examples that can easily be converted to KiXtart.

If you're unable to locate one sufficient or need assistance converting it to KiXtart let us know.

Top
#139890 - 2005-06-02 10:58 PM Re: How to change the user defined for @USERID
rogerfleming Offline
Lurker

Registered: 2005-05-18
Posts: 4
We found this method to work correctly except it loops the function after each if $group statement. Do you have any ideas to store the groups list to a table stored in memory as the script evaluates each if $group statement?

Thanks,


cls
color g+/n
? " Please Wait While Your Login Script Executes...."
color n/n
; Arlington Logon Script




Function UserGroups($target,$user,OPTIONAL $datatype)

DIM $group, $temp[2], $i
$user = getobject("WinNT://$target/$user,user")
if @error <> 0 and vartype($user) <> 9 exit(@error) endif
for each $group in $user.groups
select
case $datatype = 0 ;return the group.name
$temp[$i] = $group.name
case $datatype = 1 ;return the groupobject
$temp[$i] = $group
case $datatype = 2 ;return the group.adspath
$temp[$i] = $group.adspath
case 1
exit(1)
endselect
if $i = ubound($temp)
redim preserve $temp[$i+2]
endif
$i = $i+1
next
if $i <> 0
redim preserve $temp[$i-1]
$UserGroups = $temp
else
redim preserve $temp[$i]
$usergroups = ""
endif
exit(0)
endfunction

if $SSOUSER
$groups = UserGroups(@domain,$SSOUSER)
;for each $group in $groups ?$group next

ELSE
$groups = UserGroups(@domain,@USERID)
;for each $group in $groups ?$group next
ENDIF

for each $group IN $groups
IF $group = "Epic Hyperspace"
use x: /d
if $cgroup
use x: "\\ftwgen01\mlsreports" /user:$SSOUSER /password:$SSOPWD
ELSE
use x: \\ftwgen01\mlsreports
ENDIF
ENDIF

IF $group = "ftwgen01.mlsreportsR"
use x: /d
if $cgroup
use x: \\ftwgen01\mlsreports /user:$SSOUSER /password:$SSOPWD
ELSE
use x: \\ftwgen01\mlsreports
ENDIF
ENDIF



; REM ************************************************************************
; REM App drive F:
IF $group = "ARL"
use f: /delete
if $cgroup
use f: "\\ftwgen01\arl apps" /user:$SSOUSER /password:$SSOPWD
ELSE
use f: "\\ftwgen01\arl apps"
ENDIF
ENDIF

; REM ************************************************************************

Top
#139891 - 2005-06-04 02:37 PM Re: How to change the user defined for @USERID
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
You're missing the NEXT for the FOR EACH. Please use the [CODE] tags when posting code and properly indent code to make it easier to read.
_________________________
There are two types of vessels, submarines and targets.

Top
Page 1 of 1 1


Moderator:  Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart 
Hop to:
Shout Box

Who's Online
0 registered and 507 anonymous users online.
Newest Members
gespanntleuchten, DaveatAdvanced, Paulo_Alves, UsTaaa, xxJJxx
17864 Registered Users

Generated in 0.072 seconds in which 0.025 seconds were spent on a total of 12 queries. Zlib compression enabled.

Search the board with:
superb Board Search
or try with google:
Google
Web kixtart.org