#2085 - 2000-03-17 03:54 AM
How to write a script for all users in a group to have the same desktop
|
Anonymous
Anonymous
Unregistered
|
Hello, I have been having problems with security restrictions on my network which consists mostly of 95/98 clients. Is there a script I can use to ensure each time a user from a certain group logs into an NT server, they will have the same desktop? I do not want them to be able to change anything. Bear with me if I am confusing, but this will be my first attempt at using kixtart and I have exhausted all efforts in trying to resolve security issues. It seems the users are finding ways to work around the policy restrictions. So if anyone can get me started in the right direction I would truly appreciate it. Can kixtart help me? Thanks
#2087 - 2000-03-17 02:55 PM
Re: How to write a script for all users in a group to have the same desktop
|
Anonymous
Anonymous
Unregistered
|
Thanks for replying. I have several labs that are used by students. They have been able to change the desktop appearances by downloading wallpaper bitmaps from the internet and adding icons to the desktop. I am using both poledit and winshield. What can I do?
#2088 - 2000-03-17 03:08 PM
Re: How to write a script for all users in a group to have the same desktop
|
Anonymous
Anonymous
Unregistered
|
You might want to use mandatory Profiles instead of Policies, since they are not working. That way it will load the Settings every time they log on, regardless of who they are.
#2089 - 2000-03-17 04:13 PM
Re: How to write a script for all users in a group to have the same desktop
|
Anonymous
Anonymous
Unregistered
|
Mandatory profiles would be great if they would load the .exe files. When I try to set up mandatory profiles for win 95 work-stations from a NT Server, the appearances worked but they only downloaded the .ink folders for winword, excel, powerpoint on the desktop. Maybe I didn't do something right. Do you have anymore suggestions?
#2090 - 2000-03-18 11:52 AM
Re: How to write a script for all users in a group to have the same desktop
|
Anonymous
Anonymous
Unregistered
|
Hello, After further thinking about the suggestion of the mandatory profiles I am going to test a NT installation on one of the win 95 workstations and try using roaming profiles to see if that will solve my problems. But I still want to try and use Kixtart for the lab with win 98 installed. Sounds confusing?
#2093 - 2000-03-22 06:30 AM
Re: How to write a script for all users in a group to have the same desktop
|
Anonymous
Anonymous
Unregistered
|
Thanks JackLothian for your reply. Yes, the students are changing the wallpaper, screensavers, etc very smart. Can you tell me more about the software or strategies that you use? I am still working on a kixtart script for restrictions, too. Thanks again.
#2094 - 2000-03-22 11:19 AM
Re: How to write a script for all users in a group to have the same desktop
|
Jack Lothian
MM club member
Registered: 1999-10-22
Posts: 1169
Loc: Ottawa,Ontario, Canada
|
This is a big question & a lot to dump on this board. Below is a start. (All our clients are Win95) There are other issues as well but I can only put so much here. You also have to lock down the msdos.sys file & force logon to an NT domain. Also you need some type of backdoor through the security (We have used HiddenOptions & Security Wizard 97 both work well. Both have passwords which most free security apps lack.) Good luck.

Here is the basic kixtart file for students.
*****************************************
;StdtPol.kix Set Screen Saver for Students
;Update History - 23/01/00 Jack Lothian
$SS1 = WriteProfileString("c:\Windows\control.ini", "Screen Saver.Marquee", "Text", "Welcome to Hadley Lab")
$SS1 = WriteProfileString("c:\Windows\control.ini", "Screen Saver.Marquee", "BackgroundColor", "0 0 0")
$SS1 = WriteProfileString("c:\Windows\control.ini", "Screen Saver.Marquee", "TextColor", "255 0 0")
WriteValue("HKEY_USERS\.Default\Control Panel\desktop","Wallpaper","C:\WINDOWS\hadhawk.bmp","REG_SZ")
WriteValue("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FBF23B42-E3F0-101B-8488-00AA003E56F8}","@","The Internet","REG_SZ")
WriteValue("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}","","My Computer","REG_SZ")
WriteValue("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}","","Network Neighborhood","REG_SZ")
WriteValue("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020D75-0000-0000-C000-000000000046}","","Inbox","REG_SZ")
shell "c:\windows\security\regedit.exe /s l:\regfiles\std_restrict.reg"
shell "c:\windows\security\regedit.exe /s l:\regfiles\Progr_rst.reg"
********************************
Here is our basic student reg file.
**********************************
REGEDIT4

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ClearRecentDocsOnExit"=dword:00000001
"NoSaveSettings"=dword:00000001
"NoDeletePrinter"=dword:00000001
"NoAddPrinter"=dword:00000001
"NoRun"=dword:00000001
"NoFind"=dword:00000001
"NoNetHood"=dword:00000001
"NoSaveSettings"=dword:00000001
"NoPrinterTabs"=dword:00000001
"NoSetFolders"=dword:00000001
"NoSetTaskbar"=dword:00000001
"NoDrives"=dword:03EFFFBF

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"NoEntireNetwork"=dword:00000001
"NoWorkgroupContents"=dword:00000001
"NoNetSetup"=dword:00000001
"NoNetSetupIDPage"=dword:00000001
"NoNetSetupSecurityPage"=dword:00000001
"DisablePwdCaching"=dword:00000001

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoSecCPL"=dword:00000001
"NoAdminPage"=dword:00000001
"NoPwdPage"=dword:00000001
"NoDispCPL"=dword:00000001
"NoDispSettingsPage"=dword:00000001
"NoDispScrSavPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
"NoDispBackgroundPage"=dword:00000001
"NoProfilePage"=dword:00000001
"NoDevMgrPage"=dword:00000001
"NoConfigPage"=dword:00000001
"NoFileSysPage"=dword:00000001
"NoVirtMemPage"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]
"Disabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DisableF3"="C:\\Windows\\KillF3.exe"
"DisableWinKey"="C:\\Windows\\WKeyKill.exe"
****************************
Here is how you limit the apps run. Very - Very important.
***************************************
REGEDIT4

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"0"="Secwiz97.exe"
"1"="HiddenOptions.exe"
"2"="Spook.Exe"
"3"="Pwone.exe"
"4"="Kix32.exe"
"5"="Winpopup.exe"
"6"="Winchat.exe"
"7"="RealPopup.exe"
"8"="Iexplore.exe"
"9"="Calc.exe"
"10"="Notepad.exe"
"11"="Mspaint.exe"
"12"="Wordpad.exe"
"13"="Famtreas.exe"
"14"="Treasfam.exe"
"15"="Altrtype.exe"
"16"="Vip95.exe"
"17"="Psdwin.exe"
"18"="Ccan.exe"
"19"="qpw.exe"
"20"="wpwin.exe"
"21"="wpwin61.exe"
"22"="HTML Constellation.exe"
"23"="Exchng32.exe"
"24"="Mlset32.exe"
"25"="Golf.exe"
"26"="Sol.exe"
"27"="Freecell.exe"
"28"="Mshearts.exe"
"29"="Cruel.exe"
"30"="Compte.exe"
"31"="Fingam.exe"
"32"="Rhubarb.exe"
"33"="Lifegen.exe"
"34"="Cyrus.com"
"35"="Pegged.exe"
"36"="Pipe.exe"
"37"="Rattler.exe"
"38"="Rodent.exe"
"39"="Ski.exe"
"40"="Stones.exe"
"41"="Tetris.exe"
"42"="Tic.exe"
"43"="Tp.exe"
"44"="Tripeaks.exe"
"45"="Tutstomb.exe"
"46"="Wordzap.exe"
"47"="hangman.exe"
"48"="Crib.exe"
"49"="Checkers.exe"
"50"="Logoff Computer.exe"
"51"="Reboot.exe"
"52"="PWShut.exe"
"53"="PCRdist.exe"
"54"="Pcrdist.exe"
"55"="Explorer.exe"
"56"="MkReg1.bat"
"57"="RegComp.bat"
"58"="StartUp.exe"
"59"="Cleaner.exe"
"60"="Clnsys.exe"
"61"="more.exe"
"62"="quickclean.exe"
"63"="QuickTray.exe"
"64"="RegDump.exe"
"65"="RegClean.exe"
"66"="TempClean.exe"
"67"="Winzip32.exe"
_________________________
Jack
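Added example, not part of the post above or of the school's own scripts: a small Python check for .reg policy files of this kind. It decodes the "NoDrives" bitmask (bit 0 = A: through bit 25 = Z:, a set bit hides the drive) and reports value names and RestrictRun entries that appear more than once; the sample input is a constructed excerpt of the posted file, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: an excerpt of the student .reg files quoted in the post above.
SAMPLE_REG = r'''REGEDIT4

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000001
"NoRun"=dword:00000001
"NoSaveSettings"=dword:00000001
"NoDrives"=dword:03EFFFBF
"RestrictRun"=dword:00000001

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"52"="PWShut.exe"
"53"="PCRdist.exe"
"54"="Pcrdist.exe"
"55"="Explorer.exe"
'''

def parse_reg(text):
    """Return {key_path: [(value_name, raw_data), ...]}, keeping repeated names."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], [])
        elif current is not None:
            m = re.match(r'^"([^"]*)"=(.*)$', line)
            if m:
                current.append((m.group(1), m.group(2)))
    return keys

def visible_drives(no_drives_hex):
    """Drive letters whose bit is clear in the NoDrives mask (bit 0 = A:, bit 25 = Z:)."""
    mask = int(no_drives_hex, 16)
    return [chr(ord("A") + i) for i in range(26) if not ((mask >> i) & 1)]

def audit(text):
    """Report repeated value names, repeated allow-list entries and visible drives."""
    report = {"duplicate_values": [], "duplicate_allowed": [], "visible_drives": None}
    for key, values in parse_reg(text).items():
        names = Counter(name.lower() for name, _ in values)
        report["duplicate_values"] += [(key.rsplit("\\", 1)[-1], n) for n, c in names.items() if c > 1]
        if key.lower().endswith("\\restrictrun"):
            exes = Counter(data.strip('"').lower() for _, data in values)
            report["duplicate_allowed"] += [e for e, c in exes.items() if c > 1]
        for name, data in values:
            if name.lower() == "nodrives" and data.lower().startswith("dword:"):
                report["visible_drives"] = visible_drives(data[6:])
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_REG))
```

For the posted value 03EFFFBF the only drives left visible in Explorer are G: and U:.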
#2095 - 2000-03-23 10:37 PM
Re: How to write a script for all users in a group to have the same desktop
|
Anonymous
Anonymous
Unregistered
|
Hello Lothian, I am also working in a school and I face the same problems not only the student. I found your script works great but I have not yet implemented it on my system. You have reminded Cariley to force Logon to Domain and lock down msdos.sys, how can we do that, if the user clicks cancel at the login screen (sure in Win9x), then they will still bypass the login script. Thanks for your attention. Gilbert Ng
#2096 - 2000-03-24 09:48 AM
Re: How to write a script for all users in a group to have the same desktop
|
Jack Lothian
MM club member
Registered: 1999-10-22
Posts: 1169
Loc: Ottawa,Ontario, Canada
|
We build logging in to the domain into our basic image so we don't apply an edit for it, but here is the edit.
********************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Network\Logon]
"MustBeValidated"=dword:00000001
"NoDomainPwdCaching"=dword:00000001
*************************************
If a domain controller is not available, the lock down will not work. Thus if a student pulls out the LAN cable they can still get to the desktop by hitting "ESC". We get around this by applying very tight restrictions that are applied through the autoexec.bat file. Thus they need to logon to open the system up. You should also note we color code our desktops so we can spot students doing this type of activity. You should also note there are some write-ups in Technet about the 2 above edits conflicting & being unstable when used in combination if you don't have all the latest "DLLs". We don't have a problem but you might.

As to the MSDOS file you need to disable the bootup menu & the function keys during bootup. If you also disable booting from a floppy in the BIOS, it is very hard for a student to break in during bootup. Go to the NONAGS site to get a freeware package to edit the MSDOS.SYS file.

As a point of interest, Windows 95 ships with all security disabled while NT ships with most security enabled. When you enable all of Windows 95 security options, the difference between Windows 95 & NT security is not significant in the context of a school environment. Hope you find that helpful.

Jack Lothian for Hadley Junior High School, Hull, Québec, Canada
_________________________
Jack
#2097 - 2000-04-02 12:28 AM
Re: How to write a script for all users in a group to have the same desktop
|
Anonymous
Anonymous
Unregistered
|
This is in reference to the Kixscript from JackLothian. Will this script work with NT workstations, too? And is this the complete script that you use for restricting your user? Is it all combined as one executable script? I hope you understand what I am trying to ask; I am just getting started with using kixtart. Thanks for all your thus far. Please reply as soon as you can, thanks again.
#2098 - 2000-04-03 10:52 AM
Re: How to write a script for all users in a group to have the same desktop
|
Jack Lothian
MM club member
Registered: 1999-10-22
Posts: 1169
Loc: Ottawa,Ontario, Canada
|
In theory all these scripts can be adapted to NT workstation but I doubt they will work as is with NT workstation. The registry in Win95/98 and NT are very similar but just different enough to force you to write specific scripts for each type of station. I think you would have to write an NT variant & use kixtart to detect the type of OS & call the script accordingly. (Our kixtart scripts used to have 2 versions Win3.11 & Win95 but we just eliminated Win3.11 a few months ago.)

Personally, I think NT Workstation in a school is not a good idea. No matter how hard you try students or wear & tear brings your systems down. Systems in schools take much more abuse than in an office or home environment. We find that keeping a school lab running takes a lot of hands on maintenance. Our experience with NT is that while it is rock-solid when running it is a bitch to repair or rebuild. Usually a complete wipe & rebuild is necessary where Win95 can be fixed with a DOS boot disk & a few CDs of drivers. In our schools GPFs are not really much of an issue but failing hardware & corrupted files are an every day issue. I think Win95/98 is more robust than NT when it comes to repairing a damaged system.

A further point is NT (& more so Win2000) requires significantly more RAM & HD space than Win95/98. Typically you have to pay $200 to $300 more in hardware to run NT. All those great "efficiencies" that MS boasts in NT are not really very helpful in a school and it is my personal opinion that Win95/98 has a lower "total cost of ownership" in a school. Of course, in an office environment NT workstation shines.
_________________________
Jack
#2099 - 2000-04-03 10:03 PM
Re: How to write a script for all users in a group to have the same desktop
|
Anonymous
Anonymous
Unregistered
|
Thanks for your opinion about NT in a school environment. But this is my last resort turning to NT OS. We have to visit our labs now constantly with problems relating to our win 95 workstations. Right now I must deal with this security issue to try and lock down these workstations to the best of my knowledge with the help of others. I am going to try kixtart with the NT workstation and I know that you have given me fair warning. Does anyone want to take a chance in getting me started?
#2100 - 2000-04-04 08:01 AM
Re: How to write a script for all users in a group to have the same desktop
|
Anonymous
Anonymous
Unregistered
|
Hello All,

First, I recommend Symantec's Ghost instead of re-installing. If you make an image of each computer variation you have, when a problem arises on that computer, you just re-image it. It is quite fast and certainly much easier than going through a total re-install.

Second, here is a segment of script that you may use to differentiate between a Win9x workstation and a WinNT workstation:

code:
;****************************************************************************************
:OSTYPE
; Description:
;   This subroutine will determine if the user is logging in from Win9x or Windows NT.
;   If the user is logging in from NT, it will also determine if the NT computer is a
;   workstation or a server. With a few edits, it could also determine the difference
;   between just a server and a domain controller. Also with just a few edits, it could
;   determine the difference between Win95 and Win98. These haven't been implemented at
;   this time because I did not see a need at this site for such granularity. The
;   sserver array is used to hold the names of those workstations that have NT Server
;   installed on them (used by developers). I still want to treat them as workstations.
;
; Input:
;   $HKLM_S, $sys
;
; Output:
;   $server (returns 0 for Win9x, 1 for NT), $WinDir (returns base windows directory),
;   $OS (returns "Windows NT" or "Win9x"), $comd (dos command program)
;****************************************************************************************
; Modification History
; Date       Initials  Description
; 10 Aug 99  bvv       Wrote first cut.
;****************************************************************************************
;
Global $server, $OS, $comd, $WinDir
Dim $key, $WksType, $returncode, $loop_count
;
$server=0
? "Determining the OS type and setting the command variable."
If @INWIN=1 ; INWIN returns a 1 if being run from Windows NT
   $key=$HKLM_S+"\Microsoft\Windows NT\CurrentVersion"
   $WinDir=ReadValue($key,"SystemRoot")
   $OS="Windows NT"
   ; If logging in from Windows NT, check to see if you are on a Server or a
   ; Workstation. The key:
   ;   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions\ProductType
   ; has the following three possible values:
   ;   WinNT    if on a workstation
   ;   ServerNT if on a server
   ;   LanmanNT if on a domain controller (primary or backup)
   ; Right now, we are only concerned if the computer is a server. So,
   $key="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions"
   $WksType=ReadValue($key,"ProductType")
   $returncode=@ERROR
   If $returncode>0
      ? "There was an error reading: "+$key+"\ProductType"
      ? "The error number is: "+$returncode
   Else
      If (($WksType = "LanmanNT") or ($WksType = "ServerNT"))
         $server=1
      Endif
   Endif
   $comd="$sys\cmd.exe /c "
Else
   $key=$HKLM_S+"\Microsoft\Windows\CurrentVersion\Setup"
   $WinDir=ReadValue($key,"WinDir")
   ; Will set the OS variable to Win9x. If necessary to check for difference between
   ; Win95 and Win98 later, @DOS will report 4.0 for Win95 and 4.1 for Win98
   $OS="Win9x"
   $comd="$WinDir\command.com /c "
Endif
? "This system is: "+$OS+" and the current windows directory is: "+$WinDir
Return
;

Hope this helps.
------------------
Regards,
Brad
Consultant
Net InfraStructure, Inc
#2102 - 2000-04-05 03:37 AM
Re: How to write a script for all users in a group to have the same desktop
|
Anonymous
Anonymous
Unregistered
|
Further to Jack Lothian's replies.... I noticed that the program "Logoff Computer.exe" is listed in your allowed programs. Can you tell me more about it? I've started a new thread "Stopping multiple logon" which this might help me with! Thanks
#2103 - 2000-04-07 07:24 PM
Re: How to write a script for all users in a group to have the same desktop
|
Anonymous
Anonymous
Unregistered
|
Thanks to everyone for your feedback and the advice on Symantec Ghost. Right now I have been toiling for 3 weeks trying to get this security just right. It is a college and the semester is about up so you know I am rush rush. I put some of the workstations back and guess what, one of the desktop wallpapers was changed. I am using regedit for restriction and still trying to implement the kix script. What went wrong in the wallpaper? I used NoChangingWallpaper in HKEY_CURRENT_USER SOFTWARE/MICROSOFT/WINDOWS/POLICIES/EXPLORER. This is happening when the students go to the internet and set pictures as wallpaper. Help me please.