Solved

Auto Logon And Lock Workstation

Posted on 1998-10-23
Last Modified: 2013-12-28
I have set up auto login for a user at a standalone server.
How do I then lock the workstation so unattended reboots are secure?

When the auto logon executes, the console is open for anyone's use.
After five minutes the screen saver activates.

I think there should be some command I could add to the startup script
for the auto logon user.
Question by:NullTerminator
40 Comments
 
LVL 3

Author Comment

by:NullTerminator
ID: 1793991
Edited text of question
0
 
 

Expert Comment

by:Grim092898
ID: 1793993
LOCAL MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run can be used to run a command right after login.  Don't know what command one would run, but if you can find an exe that will lock the workstation you could use this regkey to run it.
0
 
LVL 86

Expert Comment

by:jkr
ID: 1793994
What about setting the screen saver time interval to 0?
0
 
LVL 7

Expert Comment

by:dankh
ID: 1793995
Null,

   I asked the same question and the answer was you can't do it unless you have a dll rewritten for the very purpose.  I had to settle for disabling Autologon to set the machine in Lock Workstation mode.
0
 
LVL 8

Expert Comment

by:MaDdUCK
ID: 1793996
great idea jkr...then whenever you have a second of a pause the screen saver activates and you have to unlock the workstation.

this seems to be a very common question and the only way I have been able to answer it (and the only answers I've seen) is to enable autologon and then use the Run key in the registry (see Grim) to start some small and free screen saver launcher. This way you won't have to deal with the idle period anymore.

now when a reboot occurs, the computer goes into lock mode until it is unlocked at which point normal execution starts. Do not put the screen saver launcher into the StartUp group of the start menu as this can be stopped by holding the shift key during logon...

if you end up employing this method, then please reopen this thread so that I can answer it.
0
 
LVL 7

Expert Comment

by:dankh
ID: 1793997
Null,

  Mad has a great idea about starting the screensaver instantly.  However, i ain't much of a hacker, but i can think of 2 ways to bypass and hack through the cheesy screensaver password.  
0
 
LVL 8

Expert Comment

by:MaDdUCK
ID: 1793998
even in NT? I know Windows 3.x/9x is a joke, but NT is quite good at locking!
0
 
LVL 3

Author Comment

by:NullTerminator
ID: 1793999
Our situation requires an autologon for now.  I need to execute the user logon script to trigger other events, part of which allows me to connect as a webserver to an as400.

I have no problem kicking the screen saver. I can do it from the startup script.  But on mouse movement the console opens up unsecured until the timer expires.  I had the timer set to 10 seconds.  Maybe there are undocumented command line switches for screen savers....

What I am looking for is an exe to trigger console locking, or an API I can use to write a utility to call from the script file.
0
 
 
LVL 8

Expert Comment

by:MaDdUCK
ID: 1794001
I don't think you got my point: the screen saver is launched immediately and thus mouse movement will only cause it to disappear and show the locked ws box. I have yet to see an API you can use and this is about the 5th question of this kind that I have helped to answer...
0
 
LVL 3

Author Comment

by:NullTerminator
ID: 1794002
MaDdUCK,
I understood your point.  I had already tried that.  It works fine in Win 95, but in NT it reverts to the state of the console before the screen saver was invoked.  If the normal timeout on the "console's" screen saver is one minute, and 55 seconds have elapsed since boot finished and the screen saver was invoked, and I move the mouse, the console reopens without a password and the timer resets.  It does not show the Workstation Unlock box as we both expected.

Does yours lock the workstation if you kick the screensaver from the start run box?

I have the screen saver's password box checked, and the screensaver works properly when the console timer expires.  am using NT 40 sp3 optpack4 black16.scr

To dankh:
NT screensavers kick you to NT's unlock workstation box, not the cheesy Win95 version

null
0
 
LVL 7

Expert Comment

by:dankh
ID: 1794003
Null,

   Maybe so, but i can still hack my way through it easily.  I have done it before.  :)
0
 
LVL 3

Author Comment

by:NullTerminator
ID: 1794004
I can see possibilities for hacking through or around the screen saver, but are you hacking the password feature?
'\0'
0
 
LVL 8

Expert Comment

by:MaDdUCK
ID: 1794005
dankh: you mind sharing how you do that?

NullT: it works for me and as I said it worked for the five others. I don't understand what your problem is--why does the timeout matter if you launch the screen saver from an external program. Once it is invoked it will go its way and therefore you will not be able to move the mouse to avoid it without seeing the lock box...
0
 
LVL 3

Author Comment

by:NullTerminator
ID: 1794006
I don't understand what my problem is either.  That's why I'm here.  It works fine for me in 95 on several machines.  I have screen saver starting from startup group, and also from a shortcut on my desktop.  I don't have a screen saver set in the display properties box at all.  When I walk away from my PC I click the shortcut on my desktop and it is locked.  It requires a password to unlock it.

In NT, starting from the logon script activates the screen saver, but requires no password if the workstation is "unlocked" beneath the screen saver.  If I manually fire the screen saver, while the workstation is unlocked and move the mouse it returns to the unlocked state with no question.  Does your  installation behave this way?  How are you invoking the screen saver?

If I initiate the screen saver from the RUN key of the registry, it starts for a moment, then disappears when Explorer refreshes.  I left explorer and control panel open when I shut down and so they reopen when I start up again.

Perhaps some of the others you have helped can shed some light by reviewing their configurations and telling me how they invoke the screen saver.

I hope I am making this clear for you.
'\0'

ps
One way you can defeat screen savers on a FAT drive is startup in DOS and delete or rename all *.scrs.  Or in 95 you can startup in safe mode and edit start menu, or registry.
0
 
LVL 8

Expert Comment

by:MaDdUCK
ID: 1794007
okay, now I know what's going on. You have to start the screen saver not by executing screensaver.scr /s or the like, but with a launcher!!! you can get those at www.winfiles.com or www.download.com and all they do when executed is launch the currently defined screen saver. This way the password option will be enabled. Get a launcher and try it out, I am very positive this is the solution.
0
 
LVL 7

Expert Comment

by:dankh
ID: 1794008
Mad,

   Launcher?  Couldn't you stop that from autoloading by holding down a key during boot?  

I don't know if i should share the info about hacking through a password protected machine on EE.  
0
 
LVL 8

Expert Comment

by:MaDdUCK
ID: 1794009
only if you put it into the startup group. if you put it into the logon script or the run registry key then it will run no matter what.
0
 
LVL 8

Expert Comment

by:MaDdUCK
ID: 1794010
about hacking info-I don't think there should be a problem in posting it, but if you prefer not to, could you please send me the info via email to madduck@flix.de? I am very interested because I am in charge of the NT security of some local networks at my college and we need high security settings, including making sure that no one uses workstations without authorization.
0

 
LVL 7

Expert Comment

by:dankh
ID: 1794011
Mad,

  Ok, i will post it here.  If you use a screensaver to execute the lockworkstation at boot up, all i would have to do is delete the screensaver(s) from your WinNt folder.  I would restart the computer with any setup disk, get to a prompt, access your Winnt folder and delete the screensaver.  Upon boot, i will automatically be logged on, and i will receive an error that the computer couldn't find xxxxx.scr.  
0
 
LVL 8

Expert Comment

by:MaDdUCK
ID: 1794012
okay, but what if the system partition is NTFS?
0
 
LVL 7

Expert Comment

by:dankh
ID: 1794013
Mad,

Hmmm, you are throwing in new variables! :)  NTFS is far more superior than FAT for security.  I am sure there are ways around that, if i look hard enough.  :)
0
 
LVL 8

Expert Comment

by:MaDdUCK
ID: 1794014
well, if someone has a server with FAT as system partition, then this someone cannot be too concerned about security!!! so cracks and hacks here have no point. If you can crack the NTFS scenario then I'd be impressed!
0
 
LVL 7

Expert Comment

by:dankh
ID: 1794015
Mad,

  It can be done.  Like i said, i ain't much of a hacker.  But i am sure i can do it if i apply myself and my resources.  
0
 
LVL 3

Author Comment

by:NullTerminator
ID: 1794016
Name the launcher you recommend for NT
0
 
LVL 3

Author Comment

by:NullTerminator
ID: 1794017
Mad
re FAT system partition,  this is actually a recommended installation.  system on a FAT drive, data on NTFS.  Most of our NT boxes are configured this way.  If for some reason some system file or configuration file gets corrupted you can boot to an alternate operating system and fix it.  Boot files on FAT are necessary in cases of multi boot systems.

In terms of server security, you may be liable to a denial of service attack, but the data is protected on the NTFS partition.

To beat people from deleting the scr file you put that on the NTFS volume and call as normal.

Since this discussion seems to be non productive, I will soon withdraw the question and possibly repost with more explicit detail of the problem.

Thanks for your comments, but to date "I've been there, done that."
'\0'
0
 
LVL 8

Expert Comment

by:MaDdUCK
ID: 1794018
did my method not work?
I am pretty sure this is the only solution.
0
 
LVL 8

Expert Comment

by:Koen
ID: 1794019
MaDdUCK,
There are several routines available to mount NTFS volumes from dos without the security...
Null,
I'd reconsider about the FAT partitions... NTFS is far more secure (and multi boot, should not be allowed in a business environment --> causes nothing but pain!).
You are right about the saver though... kicking it launches it unprotected! you need a launcher as MaDdUCK said... and he is right again that it is the only solution
0
 
LVL 8

Expert Comment

by:MaDdUCK
ID: 1794020
ghinstek:
well, but write access is limited or not available (ref: NTFSDOS by www.ntinternals.com). So at least your data is somewhat protected from alterations.

'\0':
trust me, this is the solution and thus I will reanswer. I have yet to find a free launcher which is good and easy to use..I may end up writing one some time! If you have microsoft office 95 you can launch your screen saver with msoffice.exe /s and with office 97, osa.exe /s.

I will keep looking (winfiles.com, download.com etc. are the places to go)  and you shall hear from me as soon as I found one. maybe you want to ask in the win or c++ programming area as to how to code a launcher if you'd want to do it yourself.
0
 
LVL 3

Author Comment

by:NullTerminator
ID: 1794021
Mad,

To date your suggestion did not work.  I have not found a launcher for NT that causes the underlying console to be locked when the screen saver releases.  It works fine in Win 95, but not in NT.

Do you have a launcher that will?

ghinstek,
I won't argue that NTFS is not superior.  We may convert at some point.  For now we are trying to get the various platforms communicating.  I  think the net result is I will have to forgo auto login and find some other way of defining the user account under which client access talks to the 400.

thanks
'\0'
0
 
LVL 3

Author Comment

by:NullTerminator
ID: 1794022
osa.exe /s fires screen saver, but does not require password to unlock.

Ability - an application launcher will fire ss on demand, still no password
0
 
LVL 8

Expert Comment

by:MaDdUCK
ID: 1794023
you are right...I tried it now. sorry then!

I will keep looking. did you ask in the programming areas?
0
 
LVL 7

Expert Comment

by:dankh
ID: 1794024
Geeze,

  You guys still on this problem??
0
 
LVL 8

Expert Comment

by:MaDdUCK
ID: 1794025
looks like it, huh?
0
 
LVL 3

Author Comment

by:NullTerminator
ID: 1794026
OK, we're on track and can see the problem.  Somehow clicking the Lock Workstation button for the NT Security Box causes the Workstation to lock.  There must be an API or underlying function call responding to that event.  I need to trigger that event.

I didn't ask in the programming areas yet.  I was hoping jkr might jump in on this one.

An alternative answer would suit me.  If I can't work out security issues with autologon,  then how can I cause a drive mapping such as net use, with /USER: and password if NO ONE logs onto the system?  I've tried net start, net user.... in the autoexec.bat,  no effect.  I have called same commands in bat file called from run key and also run services key.  Run doesn't fire until someone logs on,  run services didn't work, but I'm not sure when it triggers (except sooner).  The server in question is a standalone in a small work group, connecting to a BDC in another domain.  I don't want to join that domain or set up trusts because the application will eventually move to a corporate web server.  

'\0'
0
 
LVL 8

Expert Comment

by:Koen
ID: 1794027
Null,

I've seen a little service like bat file which is supposed to run before logon and calls a batfile... it is called autoexnt and you can find it at
http://www.jsiinc.com/TIP0000/rh0006.htm

I have never tried it so I don't know if it'll do the trick...
0
 
LVL 8

Expert Comment

by:MaDdUCK
ID: 1794028
autoexnt unfortunately does only execute upon logon.
0
 
LVL 7

Accepted Solution

by:dankh (earned 150 total points)
ID: 1794029
Null,


    Ok, i think i found the answer to your problem (and mine).  It involves a $5 utility.  Check it out:

http://posum.com/worklock.html
0
 
LVL 3

Author Comment

by:NullTerminator
ID: 1794030
To dankh,

It works.  It's not fancy, but it fires from the run key without a problem.  I imagine the startup script will behave as well.

Thanks for the help.
'\0'
0
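Added example, not part of the original thread and not written by any of its participants: on Windows 2000 and later (not the NT 4.0 SP3 system discussed above), user32.dll exports `LockWorkStation`, which has the same result as pressing the Lock Workstation button asked about in the thread. The PowerShell below audits the Winlogon autologon values and registers that call under the HKLM Run key; the value name `LockAfterAutoLogon` is made up for this example.

```powershell
# Added example: audit autologon and register a lock-on-logon command.
# Assumes Windows 2000 or later; NT 4.0's user32.dll does not export LockWorkStation.
# Run elevated. 'LockAfterAutoLogon' is a value name invented for this example.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$lockName = 'LockAfterAutoLogon'
$lockCmd  = 'rundll32.exe user32.dll,LockWorkStation'

function Get-AutoLogonState {
    # Missing values simply come back as $null (non-strict mode).
    $w   = Get-ItemProperty -Path $winlogon
    $run = Get-ItemProperty -Path $runKey
    [pscustomobject]@{
        AutoLogonEnabled  = ($w.AutoAdminLogon -eq '1')
        DefaultUserName   = $w.DefaultUserName
        # DefaultPassword, when present, sits in the registry in clear text.
        PlaintextPassword = ($null -ne $w.DefaultPassword)
        LockOnLogon       = ($run.$lockName -eq $lockCmd)
    }
}

function Enable-LockOnLogon {
    # HKLM Run rather than the Startup group: the thread notes the Startup
    # group can be skipped by holding Shift during logon.
    New-ItemProperty -Path $runKey -Name $lockName -Value $lockCmd `
        -PropertyType String -Force | Out-Null
}

$state = Get-AutoLogonState
$state | Format-List

if ($state.AutoLogonEnabled -and -not $state.LockOnLogon) {
    Write-Warning 'Autologon is on and nothing locks the console after logon.'
    Enable-LockOnLogon
    Get-AutoLogonState | Format-List   # confirm the Run entry is now present
}
```

Run entries start only once the autologon session's shell is up, so the console is still exposed for a short interval before the lock takes effect.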
