Tags: force, logoff, script

#1
How to force a logoff in a logon script?

I would like to create a domain logon script, that would run on Windows XP computers, that would test for certain group memberships. If the tests failed I would like to not allow the user to log in to that particular computer. My question is how do I abort the logon process in a logon script? I would like to use either a .bat or .vbs file. Thank you.

#2
Re: How to force a logoff in a logon script?

You can use the builtin shutdown command to force logoff:

    shutdown -l -f

Check the help for shutdown:

    shutdown /?

-----
Shay Levi
$cript Fanatic
http://scriptolog.blogspot.com

#3
Re: How to force a logoff in a logon script?

That will certainly cause the XP system to shutdown when someone attempts to logon there that you want to keep out. But it will not prevent them from logging on, as the logon script runs *after* they logon. If they were to cancel it before it got to the shutdown command, then the shutdown command would not run. And having to test some group memberships would likely mean that the time window in which they could do this would not be so short as to make it impossible.

But, even if they could not get in that way, once they have successfully logged in, they might be able to unplug the network cable, log in with cached credentials, and then reconnect to the network.

IMHO, the only reliable way to accomplish what you want is to restrict the right to logon in the first place.

/Al

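Added example, not part of the original thread: one way to check, on a given workstation, which accounts and groups hold the interactive logon rights that the reply above points to. It assumes the restriction is expressed through the "Allow log on locally" and "Deny log on locally" user rights (`SeInteractiveLogonRight`, `SeDenyInteractiveLogonRight`), Windows PowerShell 2.0 or later, and an elevated prompt; the function name `Get-InteractiveLogonRight` is hypothetical.

```powershell
# Added example (not from the thread). Lists who holds the interactive logon
# rights on this computer by exporting the user-rights section of the local
# security database with secedit and parsing the result.
# Run from an elevated prompt. Get-InteractiveLogonRight is a hypothetical name.
function Get-InteractiveLogonRight {
    $rights = @{
        'SeInteractiveLogonRight'     = 'Allow log on locally'
        'SeDenyInteractiveLogonRight' = 'Deny log on locally'
    }
    $inf = [System.IO.Path]::GetTempFileName()
    try {
        # The export contains a [Privilege Rights] section with lines of the
        # form "RightName = *SID,*SID,AccountName".
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "secedit export failed with exit code $LASTEXITCODE"
        }

        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\s*(\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($Matches[1])) {
                $right = $rights[$Matches[1]]
                foreach ($entry in ($Matches[2] -split ',')) {
                    $entry = $entry.Trim()
                    if (-not $entry) { continue }

                    $account = $entry
                    if ($entry.StartsWith('*')) {
                        # Entries prefixed with * are SIDs; translate them to
                        # names when the SID can be resolved.
                        try {
                            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
                        }
                        catch {
                            $account = $entry.Substring(1) + ' (unresolved)'
                        }
                    }

                    New-Object PSObject -Property @{
                        Right   = $right
                        Account = $account
                    }
                }
            }
        }
    }
    finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

Get-InteractiveLogonRight |
    Sort-Object Right, Account |
    Format-Table Right, Account -AutoSize
```

A right that has no holders does not appear in the export, so an empty "Deny log on locally" list simply produces no rows for it.
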
#4
Re: How to force a logoff in a logon script?

True. OK, plan B.

I did a project once, the requirements were to display a user agreement message (gui form with OK/Cancel buttons) once users have entered their hey network credentials. If the user doesn't accept the agreement then the user must be logged off.

The trick was to replace explorer.exe with my agreement exe file (sort of application in the middle). If the user accepts the agreement then I launched explorer.exe, otherwise I logged him off.

I'm not sure if user logon scripts will fire at that stage but cached credentials certainly won't be an issue.
Anyway, it's worth trying.

-----
Shay Levi
$cript Fanatic
http://scriptolog.blogspot.com

#5
Re: How to force a logoff in a logon script?

That certainly seems an interesting approach, however, I wonder what anomalies might result from renaming a standard windows component. Do your users ever call to ask why the user agreement pops up when they try to run explorer from a command prompt window?

It seems to me (and others that have commented on the apparent need to do this as expressed in various similar threads) that this is not necessary, and possibly counter-productive, as windows basically does this for you, i.e.:

- user enters ctrl-alt-del
- typical message pops up stating that only authorized users are allowed to logon.

At this point, one of three things happen:

- the authorized user logs on
- the unauthorized user cancels the logon dialog and goes away
- the unauthorized user logs on (if he can)

In your scenario:

- user enters ctrl-alt-del
- some sort of message might popup, I don't know what you do here, and user hits "OK" button.
- user logs on
- your agreement.exe pops up and asks whatever it asks

At this point, one of three things happen:

- the authorized user presses "OK", his logon completes, and he starts working.
- the unauthorized user presses "Cancel", is logged off, and he goes away.
- the unauthorized user presses "OK", his logon completes, and he does whatever he does.

In neither scenario (yours or the default windows setting) is unauthorized use actually prevented, as that would only result from an honest unauthorized user.

Now supposing the owner of the network takes someone to court, charging unauthorized use. In the windows scenario, the judge asks if the person saw or read the message - if he can be believed when he says no, and gets off, then no trespassing signs everywhere will be replaced by machine gun emplacements, as it will be shown that warning signs have no legal standing.

So the guy says he read the sign saying he was not allowed to use the system, but complains that there was no cancel button, only an OK button. The judge points out that, knowing he was not supposed to logon, he should have realized that he was meant to cancel the logon dialog.

In your scenario, the judge asks the same questions. Since the guy clearly logged on, the judge asks why he hit the "OK" button instead of "Cancel". The guy replies that he did hit cancel, but was not logged off, so he continued using the system, as he was only required to respond to the dialog, which he did.

Then the judge turns to you and asks for proof that your program could never ever fail to do what you say it is supposed to do. Since everybody knows that software is not perfect, the guy gets off because it is a case of his word against that of your software.

In his decision, the judge explains that, in order to protect your network, you only need to ensure that the rules are known. If your warning sign interacts with the user as you describe, he might get the idea that your policy requires his agreement in order to be valid, that it is, in a way, an optional thing.

/Al

#6
Re: How to force a logoff in a logon script?

Hi Al,

I didn't rename explorer.exe nor changed it in any way. Windows has a registry key that governs which UI (explorer) will be presented to the user, you can get a list of such applications here:

http://en.wikipedia.org/wiki/Desktop_shell_replacement

Anyway, it is similar to terminal services where you can replace the shell to a terminal user. The registry key, "shell", can be found under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Similar key is available in the Current User Hive.

The agreement application was also writing to a database so "proof" can be polled out anytime.
My requirement was not to disallow users from logging in, it was to verify that they know what they are doing and to write it to a database.
There isn't one way to achieve it, it really depends on your needs and requirements.

As for the built-in custom popup message. It lacks design, colors, new lines etc.

Finally, to clarify how I did it:

1. You write a custom exe file (gui form, it can also have no gui) that implements your checks (group membership etc).
2. Put it in system32 directory.
3. Update the above regkey with the name of the new exe file.
4. When a user logs in, he's presented with your form. If he passes all requirements then you manually execute explorer.exe, otherwise you log him off.

-----
Shay Levi
$cript Fanatic
http://scriptolog.blogspot.com

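Added example, not part of the original thread: because the `Shell` value under the Winlogon key decides what runs at every interactive logon, it is worth checking on each workstation that it holds the value you intend, whether that is `explorer.exe` or your own gatekeeper program. The sketch below reports the value in both hives named in the post; it assumes Windows PowerShell 2.0 or later, and the function name `Test-WinlogonShell` and the `-ExpectedShell` parameter are hypothetical.

```powershell
# Added example (not from the thread). Reports the Winlogon "Shell" value in the
# machine hive and in the current user's hive, and flags any value that differs
# from the one you expect to find.
# Test-WinlogonShell and -ExpectedShell are hypothetical names; set the
# parameter to explorer.exe or to the name of your own replacement executable.
function Test-WinlogonShell {
    param([string]$ExpectedShell = 'explorer.exe')

    $subKey = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # HKCU: refers to the hive of the account running this script.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $item  = Get-ItemProperty -Path "$hive\$subKey" -Name Shell -ErrorAction SilentlyContinue
        $shell = $null
        if ($item) { $shell = ([string]$item.Shell).Trim() }

        $status   = 'NotSet'
        $resolved = $null

        if ($shell) {
            if ($shell -eq $ExpectedShell) { $status = 'Expected' }
            else                           { $status = 'Unexpected' }

            # The value is a command line: take the executable part, quoted or
            # not. An unquoted path containing spaces is not handled here.
            if ($shell -match '^"([^"]+)"') { $exe = $Matches[1] }
            else                            { $exe = ($shell -split '\s+')[0] }

            # A bare file name is looked for in %SystemRoot% (where
            # explorer.exe lives) and in System32 (where the post puts the
            # custom executable).
            $candidates = @($exe)
            if (-not (Split-Path -Path $exe -Parent)) {
                $candidates = @(
                    (Join-Path $env:SystemRoot $exe),
                    (Join-Path $env:SystemRoot "System32\$exe")
                )
            }
            $resolved = $candidates |
                Where-Object { Test-Path -LiteralPath $_ } |
                Select-Object -First 1
            if (-not $resolved) { $status = "$status (file not found)" }
        }

        New-Object PSObject -Property @{
            Hive         = $hive
            Shell        = $shell
            Status       = $status
            ResolvedPath = $resolved
        }
    }
}

Test-WinlogonShell -ExpectedShell 'explorer.exe' |
    Format-Table Hive, Status, Shell, ResolvedPath -AutoSize
```
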
#7
Re: How to force a logoff in a logon script?

Sorry, I missed that little registry detail, thanks for explaining. Given your non-standard workstation setup, I assume you have procedures in place to ensure that no system is ever made available to the users until it has been configured as noted. Seems odd to have to rely on workstation configuration to protect a server...

Your approach is certainly more detailed, however, not knowing the complexity of the rules you present to the user it is hard to say whether or not the vanilla windows approach would work as well for you.

As for your application actually verifying that the users know what they are doing, do you also ask them if they know what they mean by clicking the OK button? And should they respond that they do, can you be sure that they aren't just clicking OK buttons just because they are there? IMHO, to do what you really want would require them to sit some sort of exam that they would be unlikely to pass with lucky guesses... ;-)

As to providing the proof of how they responded, that might satisfy management, but if they were to, for example, charge someone in court or fire them, the proof might have to stand up to a more difficult test. Until such time as it has done so, you can only guess that it would meet with whatever external body was involved in the case.

The way we do it, I know for a fact that most people do not actually read the disclaimer notice. It is mainly there for our protection, and I believe there is legal precedent to use this as evidence in a court of law...

So I guess it all depends on your needs and requirements, as you say. But if your needs are other than legalistic, it still seems to me a bit over the top. But then, I just noticed your tagline... ;-)

/Al

#8
Re: How to force a logoff in a logon script?

The application was built for workstations not servers. I was asked to find a solution and this is what I ended up doing. It passed all legal requirements, and I know that lawyers were involved in the process and approved it eventually (it was for a government institute). If you ask me, it was all to cover their behinds ;-)

It may have been over-the-top, but it was the best solution I found to block users from getting their desktops loaded prior to filling the form. Before the application was deployed, all users got an email describing the process.

> I know for a fact that most people do not actually
> read the disclaimer notice.

That's why we decided to go on a well designed form instead of the built-in security warning (that everyone I know just dismisses by hitting the enter key), one that no one can say: I didn't see it.

-----
Shay Levi
$cript Fanatic
http://scriptolog.blogspot.com
>>>>>> >>>>>> ----- >>>>>> Shay Levi >>>>>> $cript Fanatic >>>>>> http://scriptolog.blogspot.com >>>>>>> I would like to create a domain logon script, that would run on >>>>>>> Windows XP computers, that would test for certain group >>>>>>> memberships. If the tests failed I would like to not allow the >>>>>>> user to login into that particular computer. My question is how >>>>>>> do I abort the logon process in a logon script? I would like to >>>>>>> use either a .bat or .vbs file. Thank you. >>>>>>> |
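The Winlogon "shell" value named in the post above can be checked on a machine to see whether a replacement shell is configured and which file it points to. This is an added example, not code from any poster in this thread; the function name `Get-WinlogonShellReport`, the `explorer.exe` baseline and the System32 fallback for bare file names are assumptions of the example.

```powershell
# Added example: report the Winlogon "Shell" value in the machine and user hives.
# Assumptions: explorer.exe is the baseline shell, and a bare file name is
# looked up in System32 (where the post says the custom exe was placed).
function Get-WinlogonShellReport {
    param([string]$Baseline = 'explorer.exe')

    $subKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($hive in 'HKLM', 'HKCU') {
        $key  = "${hive}:\$subKey"
        $prop = Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue

        $row = [ordered]@{ Key = $key; Shell = $null; Status = 'NotSet'
                           File = $null; FileFound = $false; Signature = $null }
        if ($null -ne $prop) {
            $row.Shell = ([string]$prop.Shell).Trim()
            if ($row.Shell -ieq $Baseline) {
                $row.Status = 'Default'
            } else {
                $row.Status = 'Replaced'
                # Strip surrounding quotes before treating the value as a path.
                $file = $row.Shell.Trim('"')
                if (-not [System.IO.Path]::IsPathRooted($file)) {
                    $file = Join-Path (Join-Path $env:SystemRoot 'System32') $file
                }
                $row.File = $file
                if (Test-Path -LiteralPath $file -PathType Leaf) {
                    $row.FileFound = $true
                    # Signature status of the replacement shell binary.
                    $row.Signature = (Get-AuthenticodeSignature -FilePath $file).Status
                }
            }
        }
        [pscustomobject]$row
    }
}

Get-WinlogonShellReport | Format-Table -AutoSize
```

A `Replaced` row whose file is missing, or whose value carries arguments so that the path lookup fails, needs a manual look at the raw `Shell` string.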