#2085 - 2000-03-17 03:54 AM How to write a script for all users in a group to have the same desktop
Anonymous
Unregistered


Hello,

I have been having problems with security restrictions on my network which consists mostly of 95/98 clients. Is there a script I can use to ensure each time a user from a certain group logs into an NT server, they will have the same desktop? I do not want them to be able to change anything.

Bear with me if I am confusing, but this will be my first attempt at using kixtart and I have exhausted all efforts in trying to resolve security issues. It seems the users are finding ways to work around the policy restrictions. So if anyone can get me started in the right direction I would truly appreciate it. Can kixtart help me?
Thanks

Top
#2086 - 2000-03-17 02:17 PM Re: How to write a script for all users in a group to have the same desktop
Bryce Offline
KiX Supporter
*****

Registered: 2000-02-29
Posts: 3167
Loc: Houston TX
You might be able to work out a way of using both the Policies, and KIX together to accomplish what you want?

How are your users finding ways around your policies?

Bryce

Top
#2087 - 2000-03-17 02:55 PM Re: How to write a script for all users in a group to have the same desktop
Anonymous
Unregistered


Thanks for replying. I have several labs that are used by students. They have been able to change the desktop appearances by downloading wallpaper bitmaps from the internet and adding icons to the desktop. I am using both poledit and winshield. What can I do?
Top
#2088 - 2000-03-17 03:08 PM Re: How to write a script for all users in a group to have the same desktop
Anonymous
Unregistered


You might want to use mandatory Profiles instead of Policies, since they are not working.

That way it will load the Settings every time they log on, regardless of who they are.

Top
#2089 - 2000-03-17 04:13 PM Re: How to write a script for all users in a group to have the same desktop
Anonymous
Unregistered


Mandatory profiles would be great if they would load the .exe files. When I try to set up mandatory profiles for win 95 work-stations from a NT Server, the appearances worked but they only downloaded the .ink folders for winword, excel, powerpoint on the desktop. Maybe I didn't do something right. Do you have any more suggestions?
Top
#2090 - 2000-03-18 11:52 AM Re: How to write a script for all users in a group to have the same desktop
Anonymous
Unregistered


Hello,

After further thinking about the suggestion of the mandatory profiles I am going to test a NT installation on one of the win 95 workstations and try using roaming profiles to see if that will solve my problems. But I still want to try and use Kixtart for the lab with win 98 installed. Sounds confusing?

Top
#2091 - 2000-03-20 10:11 AM Re: How to write a script for all users in a group to have the same desktop
Jack Lothian Offline
MM club member
*****

Registered: 1999-10-22
Posts: 1169
Loc: Ottawa,Ontario, Canada
We are a school.

I don't like policies. I tested roaming, mandatory, local, & group. All are flawed in my opinion. MS designed their security for a business environment not a school. The closer you are to the one official user to one machine the better MS security works. Large numbers of users randomly accessing different machines with different capabilities is not something MS handles well. To do well with MS security you must fit one of 2 molds - all machines are exactly the same & all potentially have access to the same software or you must be a business environment where each user has their own machine.

Locking down the desktop in a school is hard. Students are very creative. We moved to disabling policies entirely. We do all security with reg files. We restore the machine images with PCRdist.

I presume you have problems with your wallpaper, screensaver, renaming of system icons, deleting icons, etc. The only real answer is to reset these things on every logon. Too many MS apps offer backdoors that circumvent your best security. You need to disable the search & Windows keys. You really must also limit the apps students can run. Too many can get to explorer or telnet or whatever.

_________________________
Jack

Top
#2092 - 2000-03-21 10:21 AM Re: How to write a script for all users in a group to have the same desktop
Jack Lothian Offline
MM club member
*****

Registered: 1999-10-22
Posts: 1169
Loc: Ottawa,Ontario, Canada
Sorry,

Just noticed - several times I said policies when I meant profiles. Just read "policies" as "policies/profiles".

_________________________
Jack

Top
#2093 - 2000-03-22 06:30 AM Re: How to write a script for all users in a group to have the same desktop
Anonymous
Unregistered


Thanks JackLothian for your reply. Yes, the students are changing the wallpaper, screensavers, etc. Very smart. Can you tell me more about the software or strategies that you use? I am still working on a kixtart script for restrictions, too.

Thanks again.

Top
#2094 - 2000-03-22 11:19 AM Re: How to write a script for all users in a group to have the same desktop
Jack Lothian Offline
MM club member
*****

Registered: 1999-10-22
Posts: 1169
Loc: Ottawa,Ontario, Canada
This is a big question & a lot to dump on this board. Below is a start. (All our clients are Win95) There are other issues as well but I can only put so much here. You also have to lock down the msdos.sys file & force logon to an NT domain. Also you need some type of backdoor through the security (We have used HiddenOptions & Security Wizard 97 both work well. Both have passwords which most free security apps lack.) Good luck.

Here is the basic kixtart file for students.

*****************************************
;StdtPol.kix Set Screen Saver for Students
;Update History - 23/01/00 Jack Lothian
; Marquee screen saver text and colours
$SS1 = WriteProfileString("c:\Windows\control.ini", "Screen Saver.Marquee", "Text", "Welcome to Hadley Lab")
$SS1 = WriteProfileString("c:\Windows\control.ini", "Screen Saver.Marquee", "BackgroundColor", "0 0 0")
$SS1 = WriteProfileString("c:\Windows\control.ini", "Screen Saver.Marquee", "TextColor", "255 0 0")
; Reset the wallpaper; return codes are captured in $RC so they are not echoed to the screen
$RC = WriteValue("HKEY_USERS\.Default\Control Panel\desktop","Wallpaper","C:\WINDOWS\hadhawk.bmp","REG_SZ")
; Restore the names of the system desktop icons; "" addresses the key's default value
$RC = WriteValue("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FBF23B42-E3F0-101B-8488-00AA003E56F8}","","The Internet","REG_SZ")
$RC = WriteValue("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}","","My Computer","REG_SZ")
$RC = WriteValue("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}","","Network Neighborhood","REG_SZ")
$RC = WriteValue("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020D75-0000-0000-C000-000000000046}","","Inbox","REG_SZ")
; Silently import the restriction reg file and the allowed-programs reg file
shell "c:\windows\security\regedit.exe /s l:\regfiles\std_restrict.reg"
shell "c:\windows\security\regedit.exe /s l:\regfiles\Progr_rst.reg"


********************************
Here is our basic student reg file.
**********************************

REGEDIT4

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ClearRecentDocsOnExit"=dword:00000001
"NoSaveSettings"=dword:00000001
"NoDeletePrinter"=dword:00000001
"NoAddPrinter"=dword:00000001
"NoRun"=dword:00000001
"NoFind"=dword:00000001
"NoNetHood"=dword:00000001
"NoPrinterTabs"=dword:00000001
"NoSetFolders"=dword:00000001
"NoSetTaskbar"=dword:00000001
"NoDrives"=dword:03EFFFBF

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"NoEntireNetwork"=dword:00000001
"NoWorkgroupContents"=dword:00000001
"NoNetSetup"=dword:00000001
"NoNetSetupIDPage"=dword:00000001
"NoNetSetupSecurityPage"=dword:00000001
"DisablePwdCaching"=dword:00000001

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoSecCPL"=dword:00000001
"NoAdminPage"=dword:00000001
"NoPwdPage"=dword:00000001
"NoDispCPL"=dword:00000001
"NoDispSettingsPage"=dword:00000001
"NoDispScrSavPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
"NoDispBackgroundPage"=dword:00000001
"NoProfilePage"=dword:00000001
"NoDevMgrPage"=dword:00000001
"NoConfigPage"=dword:00000001
"NoFileSysPage"=dword:00000001
"NoVirtMemPage"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]
"Disabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DisableF3"="C:\\Windows\\KillF3.exe"
"DisableWinKey"="C:\\Windows\\WKeyKill.exe"

****************************
Here is how you limit the apps run. Very - Very important.
***************************************

REGEDIT4

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"0"="Secwiz97.exe"
"1"="HiddenOptions.exe"
"2"="Spook.Exe"
"3"="Pwone.exe"
"4"="Kix32.exe"
"5"="Winpopup.exe"
"6"="Winchat.exe"
"7"="RealPopup.exe"
"8"="Iexplore.exe"
"9"="Calc.exe"
"10"="Notepad.exe"
"11"="Mspaint.exe"
"12"="Wordpad.exe"
"13"="Famtreas.exe"
"14"="Treasfam.exe"
"15"="Altrtype.exe"
"16"="Vip95.exe"
"17"="Psdwin.exe"
"18"="Ccan.exe"
"19"="qpw.exe"
"20"="wpwin.exe"
"21"="wpwin61.exe"
"22"="HTML Constellation.exe"
"23"="Exchng32.exe"
"24"="Mlset32.exe"
"25"="Golf.exe"
"26"="Sol.exe"
"27"="Freecell.exe"
"28"="Mshearts.exe"
"29"="Cruel.exe"
"30"="Compte.exe"
"31"="Fingam.exe"
"32"="Rhubarb.exe"
"33"="Lifegen.exe"
"34"="Cyrus.com"
"35"="Pegged.exe"
"36"="Pipe.exe"
"37"="Rattler.exe"
"38"="Rodent.exe"
"39"="Ski.exe"
"40"="Stones.exe"
"41"="Tetris.exe"
"42"="Tic.exe"
"43"="Tp.exe"
"44"="Tripeaks.exe"
"45"="Tutstomb.exe"
"46"="Wordzap.exe"
"47"="hangman.exe"
"48"="Crib.exe"
"49"="Checkers.exe"
"50"="Logoff Computer.exe"
"51"="Reboot.exe"
"52"="PWShut.exe"
"53"="PCRdist.exe"
"54"="Pcrdist.exe"
"55"="Explorer.exe"
"56"="MkReg1.bat"
"57"="RegComp.bat"
"58"="StartUp.exe"
"59"="Cleaner.exe"
"60"="Clnsys.exe"
"61"="more.exe"
"62"="quickclean.exe"
"63"="QuickTray.exe"
"64"="RegDump.exe"
"65"="RegClean.exe"
"66"="TempClean.exe"
"67"="Winzip32.exe"

_________________________
Jack

Top
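Added example, not part of Jack's post or anyone's script in this thread: a small Python audit for REGEDIT4 policy files like the two above, which reports repeated value names, decodes the "NoDrives" bitmask (bit 0 hides A:, bit 25 hides Z:) into the drive letters left visible, and checks the RestrictRun allowlist for repeated entries and for a missing enable flag. The function names and the shortened sample file are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened mix of the two .reg files quoted in the thread.
SAMPLE_REG = r'''REGEDIT4

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000001
"NoRun"=dword:00000001
"NoSaveSettings"=dword:00000001
"NoDrives"=dword:03EFFFBF
"RestrictRun"=dword:00000001

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"0"="Kix32.exe"
"1"="PCRdist.exe"
"2"="Pcrdist.exe"
"3"="Notepad.exe"
'''

VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def parse_reg(text):
    """Return {key path: [(value name, raw data), ...]}, keeping duplicates."""
    keys, current = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current]  # register the key even if it has no values
        elif current is not None and (m := VALUE_LINE.match(line)):
            keys[current].append((m.group(1) or "@", m.group(2)))
    return keys

def visible_drives(raw):
    """Decode a NoDrives dword: bit 0 hides A:, bit 25 hides Z:."""
    mask = int(raw.split(":", 1)[1], 16)
    return [chr(ord("A") + i) for i in range(26) if not (mask >> i) & 1]

def audit(text):
    """Return findings: duplicate values, visible drives, allowlist problems."""
    findings, enabled, has_list = [], False, False
    for key, values in parse_reg(text).items():
        seen = {}
        for name, raw in values:
            if name.lower() in seen:
                findings.append(f"duplicate value {name} in [{key}]")
            seen[name.lower()] = raw
        lowered = key.lower()
        if lowered.endswith("\\policies\\explorer"):
            enabled = seen.get("restrictrun") == "dword:00000001"
            if "nodrives" in seen:
                drives = ",".join(visible_drives(seen["nodrives"]))
                findings.append(f"drives still visible: {drives}")
        elif lowered.endswith("\\policies\\explorer\\restrictrun"):
            has_list = True
            exes = [raw.strip('"').lower() for _, raw in values]
            for exe in sorted({e for e in exes if exes.count(e) > 1}):
                findings.append(f"allowlist entry listed twice: {exe}")
    if has_list and not enabled:
        findings.append("allowlist present but RestrictRun is not set to 1")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_REG)))
```

Running it over a reg file before it is pushed to the lab image shows which drive letters the mask actually leaves visible and whether the allowlist will be enforced at all.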
#2095 - 2000-03-23 10:37 PM Re: How to write a script for all users in a group to have the same desktop
Anonymous
Unregistered


Hello Lothian,

I am also working in a school and I face the same problems, not only with the students.

I found your script works great but I have not yet implemented it on my system.
You have reminded Cariley to force logon to the domain and lock down msdos.sys. How can we do that? If the user clicks cancel at the login screen (sure in Win9x), then they will still bypass the login script.

Thanks for your attention.

Gilbert Ng


Top
#2096 - 2000-03-24 09:48 AM Re: How to write a script for all users in a group to have the same desktop
Jack Lothian Offline
MM club member
*****

Registered: 1999-10-22
Posts: 1169
Loc: Ottawa,Ontario, Canada
We build logging in to the domain into our basic image so we don't apply an edit for it, but here is the edit.

********************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Network\Logon]
"MustBeValidated"=dword:00000001
"NoDomainPwdCaching"=dword:00000001
*************************************

If a domain controller is not available, the lock down will not work. Thus if a student pulls out the LAN cable they can still get to the desktop by hitting "ESC". We get around this by applying very tight restrictions that are applied through the autoexec.bat file. Thus they need to logon to open the system up. You should also note we color code our desktops so we can spot students doing this type of activity. You should also note there are some write-ups in Technet about the 2 above edits conflicting & being unstable when used in combination if you don't have all the latest "DLLs". We don't have a problem but you might.

As to the MSDOS file you need to disable the bootup menu & the function keys during bootup. If you also disable booting from a floppy in the BIOS, it is very hard for a student to break in during bootup. Go to the NONAGS site to get a freeware package to edit the MSDOS.SYS file.

As a point of interest, Windows 95 ships with all security disabled while NT ships with most security enabled. When you enable all of Windows 95 security options, the difference between Windows 95 & NT security is not significant in the context of a school environment.

Hope you find that helpful.

Jack Lothian
for Hadley Junior High School,
Hull, Québec, Canada

_________________________
Jack

Top
#2097 - 2000-04-02 12:28 AM Re: How to write a script for all users in a group to have the same desktop
Anonymous
Unregistered


This is in reference to the Kixscript from JackLothian. Will this script work with NT workstations, too? And is this the complete script that you use for restricting your user? Is it all combined as one executable script? I hope you understand what I am trying to ask; I am just getting started with using kixtart. Thanks for all your thus far.
Please reply as soon as you can, thanks again.

Top
#2098 - 2000-04-03 10:52 AM Re: How to write a script for all users in a group to have the same desktop
Jack Lothian Offline
MM club member
*****

Registered: 1999-10-22
Posts: 1169
Loc: Ottawa,Ontario, Canada
In theory all these scripts can be adapted to NT workstation but I doubt they will work as is with NT workstation. The registry in Win95/98 and NT are very similar but just different enough to force you to write specific scripts for each type of station.

I think you would have to write an NT variant & use kixtart to detect the type of OS & call the script accordingly. (Our kixtart scripts used to have 2 versions Win3.11 & Win95 but we just eliminated Win3.11 a few months ago.)

Personally, I think NT Workstation in a school is not a good idea. No matter how hard you try, students or wear & tear bring your systems down. Systems in schools take much more abuse than in an office or home environment. We find that keeping a school lab running takes a lot of hands-on maintenance.

Our experience with NT is that while it is rock-solid when running it is a bitch to repair or rebuild. Usually a complete wipe & rebuild is necessary where Win95 can be fixed with a DOS boot disk & a few CDs of drivers. In our schools GPFs are not really much of an issue but failing hardware & corrupted files are an every day issue. I think Win95/98 is more robust than NT when it comes to repairing a damaged system.

A further point is NT (& more so Win2000) requires significantly more RAM & HD space than Win95/98. Typically you have to pay $200 to $300 more in hardware to run NT.

All those great "efficiencies" that MS boasts in NT are not really very helpful in a school and it is my personal opinion that Win95/98 has a lower "total cost of ownership" in a school.

Of course, in an office environment NT workstation shines.

_________________________
Jack

Top
#2099 - 2000-04-03 10:03 PM Re: How to write a script for all users in a group to have the same desktop
Anonymous
Unregistered


Thanks for your opinion about NT in a school environment. But this is my last resort turning to NT OS. We have to visit our labs now constantly with problems relating to our win 95 workstations. Right now I must deal with this security issue to try and lock down these workstations to the best of my knowledge with the help of others. I am going to try kixtart with the NT workstation and I know that you have given me fair warning. Does anyone want to take a chance in getting me started?
Top
#2100 - 2000-04-04 08:01 AM Re: How to write a script for all users in a group to have the same desktop
Anonymous
Unregistered


Hello All,

First, I recommend Symantec's Ghost instead of re-installing. If you make an image of each computer variation you have, when a problem arises on that computer, you just re-image it. It is quite fast and certainly much easier than going through a total re-install.

Second, here is a segment of script that you may use to differentiate between a Win9x workstation and a WinNT workstation:

code:

;****************************************************************************************
:OSTYPE
; Description:
;   This subroutine will determine if the user is logging in from Win9x or Windows NT.
;   If the user is logging in from NT, it will also determine if the NT computer is a
;   workstation or a server. With a few edits, it could also determine the difference
;   between just a server and a domain controller. Also with just a few edits, it could
;   determine the difference between Win95 and Win98. These haven't been implemented at
;   this time because I did not see a need at this site for such granularity. The
;   sserver array is used to hold the names of those workstations that have NT Server
;   installed on them (used by developers). I still want to treat them as workstations.
;
; Input:
;   $HKLM_S, $sys
;
; Output:
;   $server (returns 1 for an NT server or domain controller, otherwise 0),
;   $WinDir (returns base windows directory),
;   $OS (returns "Windows NT" or "Win9x"), $comd (dos command program)
;****************************************************************************************
; Modification History
;   Date       Initials  Description
;   10 Aug 99  bvv       Wrote first cut.
;****************************************************************************************
;
Global $server, $OS, $comd, $WinDir
Dim $key, $WksType, $returncode, $loop_count
;
$server=0
? "Determining the OS type and setting the command variable."
If @INWIN=1 ; INWIN returns a 1 if being run from Windows NT
    $key=$HKLM_S+"\Microsoft\Windows NT\CurrentVersion"
    $WinDir=ReadValue($key,"SystemRoot")
    $OS="Windows NT"
    ; If logging in from Windows NT, check to see if you are on a Server or a
    ; Workstation. The key:
    ; HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions\ProductType
    ; has the following three possible values:
    ;   WinNT    if on a workstation
    ;   ServerNT if on a server
    ;   LanmanNT if on a domain controller (primary or backup)
    ; Right now, we are only concerned if the computer is a server. So,
    $key="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions"
    $WksType=ReadValue($key,"ProductType")
    $returncode=@ERROR
    If $returncode>0
        ? "There was an error reading: "+$key+"\ProductType"
        ? "The error number is: "+$returncode
    Else
        If (($WksType = "LanmanNT") or ($WksType = "ServerNT"))
            $server=1
        Endif
    Endif
    $comd="$sys\cmd.exe /c "
Else
    $key=$HKLM_S+"\Microsoft\Windows\CurrentVersion\Setup"
    $WinDir=ReadValue($key,"WinDir")
    ; Will set the OS variable to Win9x. If necessary to check for difference between
    ; Win95 and Win98 later, @DOS will report 4.0 for Win95 and 4.1 for Win98
    $OS="Win9x"
    $comd="$WinDir\command.com /c "
Endif
? "This system is: "+$OS+" and the current windows directory is: "+$WinDir
Return
;

Hope this helps.

------------------
Regards,

Brad
Consultant
Net InfraStructure, Inc

Top
#2101 - 2000-04-04 10:35 AM Re: How to write a script for all users in a group to have the same desktop
Jack Lothian Offline
MM club member
*****

Registered: 1999-10-22
Posts: 1169
Loc: Ottawa,Ontario, Canada
We use ghost to build our primary images & PCRDist to maintain them. Without them building & maintaining our labs & library would be impossible.

Unfortunately, if you have a mixture of diverse hardware & software (our library & labs have very different equipment & software & our classrooms have older 486s) plus lots of users who can potentially log on anywhere, none of these automation techniques are really ideal. Plus potentially like us you might want to offer different desktops & software to different grade levels & teachers.

We spent 2 years looking for the "magic solution" and found nothing we could even come close to affording. One way or another we realized, lots of hand crafting was inevitable.

_________________________
Jack

Top
#2102 - 2000-04-05 03:37 AM Re: How to write a script for all users in a group to have the same desktop
Anonymous
Unregistered


Further to Jack Lothian's replies....

I noticed that the program "Logoff Computer.exe" is listed in your allowed programs. Can you tell me more about it? I've started a new thread "Stopping multiple logon" which this might help me with!

Thanks

Top
#2103 - 2000-04-07 07:24 PM Re: How to write a script for all users in a group to have the same desktop
Anonymous
Unregistered


Thanks to everyone for your feedback and the advice on Symantec Ghost. Right now I have been toiling for 3 weeks trying to get this security just right. It is a college and the semester is about up so you know I am rush rush. I put some of the workstations back and guess what, one of the desktop wallpapers was changed. I am using regedit for restriction and still trying to implement the kix script. What went wrong in the wallpaper? I used NoChangingWallpaper in HKEY_CURRENT_USER SOFTWARE/MICROSOFT/WINDOWS/POLICIES/EXPLORER
This is happening when the students go to the internet and set pictures as wallpaper.
Help me please.

Top
#2104 - 2000-04-10 09:29 AM Re: How to write a script for all users in a group to have the same desktop
Jack Lothian Offline
MM club member
*****

Registered: 1999-10-22
Posts: 1169
Loc: Ottawa,Ontario, Canada
Several MS apps circumvent system policies & allow students to change the wallpaper. Depending on what you are trying to lock down, MS apps can be a big back door through your security.

The only sure-fire method I know to handle this is to reset the wallpaper on each logon.

_________________________
Jack

Top