Solved

Deny Logon Locally GPO setting scriptable?

Posted on 2004-04-20
8
1,228 Views
Last Modified: 2012-06-27
I'm trying to proigram a time-based (not idle time) logout for some public systems - I don't know if its doable but what I'd like to do is run a scheduled task on login that would wait 30 minutes before calling a logout and prohibiting the currently logged in user from immediately logging in again.  To that end I'm trying to figure out how to mimic the GPO LM/Security/Deny Logon locally in order to place the user on the deny list.  

I'd like an explanation of what that security setting modifies (registry/SAM/?) becasue I'm fairly clueless and whether there is scripting or programmatic access to accomplish the same thing.
0
Comment
Question by:baal32
  • 4
  • 4
8 Comments
 
LVL 24

Expert Comment

by:Kenneniah
ID: 10872163
How long would you want the user to not be able to login?
0
 

Author Comment

by:baal32
ID: 10872744
I don't know exactly - probably between 30 minutes and an hour...
0
 
LVL 24

Expert Comment

by:Kenneniah
ID: 10872914
Most likely I'd use "shutdown.exe -l -f" to accomplish the logoff.
For the user I'd use "net user username /diable" to make it so that user cannot log in.
Then either reenable account manually, or schedule "net user username /enable"
0
 

Author Comment

by:baal32
ID: 10873121
Well... there's no net user username /disable command, although there is a "net user username /active:{yes:no}".  Will this disable the user's domain account altogether though?  I just need them not to be able to logon to that particular system until someone else has logged on (at which time I will reenable the previous user's ability to logon locally...)  The idea is that we make sure no person is on any one system for longer than x minutes - this shouldn't stop them from being able to go to another system hoever (if other systems are available...)
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 24

Accepted Solution

by:
Kenneniah earned 250 total points
ID: 10873362
LOL oops, yes it is /active for net user, and yes it will disable the domain account completely.

If you have the Windows 2000 Resource Kit use ntrights.exe.
http://support.microsoft.com/default.aspx?kbid=315276
0
 

Author Comment

by:baal32
ID: 10880410
The following are the available security priveleges for this tool (ntrights.exe) ...  I was hoping to see something signifying local logon...  So is the security file which contains the local logon prohibnitions secedit.sdb?  SHould I be trying to moidify this directly?  

 SeCreateTokenPrivilege
 SeAssignPrimaryTokenPrivilege
 SeLockMemoryPrivilege
 SeIncreaseQuotaPrivilege
 SeUnsolicitedInputPrivilege
 SeMachineAccountPrivilege
 SeTcbPrivilege
 SeSecurityPrivilege
 SeTakeOwnershipPrivilege
 SeLoadDriverPrivilege
 SeSystemProfilePrivilege
 SeSystemtimePrivilege
 SeProfileSingleProcessPrivilege
 SeIncreaseBasePriorityPrivilege
 SeCreatePagefilePrivilege
 SeCreatePermanentPrivilege
 SeBackupPrivilege
 SeRestorePrivilege
 SeShutdownPrivilege
 SeAuditPrivilege
 SeSystemEnvironmentPrivilege
 SeChangeNotifyPrivilege
 SeRemoteShutdownPrivilege
0
 

Author Comment

by:baal32
ID: 10881198
Cool Kennenniah - the list of available rights doesn't mention the SeDenyInteractiveLogonRight but its still available.

Thanks
0
 
LVL 24

Expert Comment

by:Kenneniah
ID: 10891998
Glad it worked for you!
0

Featured Post

Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

Join & Write a Comment

Ok I have been working on this for some time having learned and gained certification in XenDesktop 4 along came version 5 which was released last month. Since then I have been working to deploy XenDesktop 5 in a small environment with only 2 virt…
It is only natural that we all want our PCs to be in good working order, improved system performance, so that is exactly how programs are advertised to entice. They say things like:            •      PC crashes? Get registry cleaner to repair it!    …
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now