Solved

Deny Logon Locally GPO setting scriptable?

Posted on 2004-04-20
Last Modified: 2012-06-27
I'm trying to program a time-based (not idle time) logout for some public systems - I don't know if it's doable but what I'd like to do is run a scheduled task on login that would wait 30 minutes before calling a logout and prohibiting the currently logged in user from immediately logging in again.  To that end I'm trying to figure out how to mimic the GPO LM/Security/Deny Logon locally in order to place the user on the deny list.  

I'd like an explanation of what that security setting modifies (registry/SAM/?) because I'm fairly clueless and whether there is scripting or programmatic access to accomplish the same thing.
Question by:baal32

Expert Comment

by:Kenneniah
ID: 10872163
How long would you want the user to not be able to login?

Author Comment

by:baal32
ID: 10872744
I don't know exactly - probably between 30 minutes and an hour...

Expert Comment

by:Kenneniah
ID: 10872914
Most likely I'd use "shutdown.exe -l -f" to accomplish the logoff.
For the user I'd use "net user username /disable" to make it so that user cannot log in.
Then either reenable account manually, or schedule "net user username /enable"

Author Comment

by:baal32
ID: 10873121
Well... there's no net user username /disable command, although there is a "net user username /active:{yes | no}".  Will this disable the user's domain account altogether though?  I just need them not to be able to logon to that particular system until someone else has logged on (at which time I will reenable the previous user's ability to logon locally...)  The idea is that we make sure no person is on any one system for longer than x minutes - this shouldn't stop them from being able to go to another system however (if other systems are available...)

Accepted Solution

by:
Kenneniah earned 1000 total points
ID: 10873362
LOL oops, yes it is /active for net user, and yes it will disable the domain account completely.

If you have the Windows 2000 Resource Kit use ntrights.exe.
http://support.microsoft.com/default.aspx?kbid=315276

Author Comment

by:baal32
ID: 10880410
The following are the available security privileges for this tool (ntrights.exe) ...  I was hoping to see something signifying local logon...  So is the security file which contains the local logon prohibitions secedit.sdb?  Should I be trying to modify this directly?  

 SeCreateTokenPrivilege
 SeAssignPrimaryTokenPrivilege
 SeLockMemoryPrivilege
 SeIncreaseQuotaPrivilege
 SeUnsolicitedInputPrivilege
 SeMachineAccountPrivilege
 SeTcbPrivilege
 SeSecurityPrivilege
 SeTakeOwnershipPrivilege
 SeLoadDriverPrivilege
 SeSystemProfilePrivilege
 SeSystemtimePrivilege
 SeProfileSingleProcessPrivilege
 SeIncreaseBasePriorityPrivilege
 SeCreatePagefilePrivilege
 SeCreatePermanentPrivilege
 SeBackupPrivilege
 SeRestorePrivilege
 SeShutdownPrivilege
 SeAuditPrivilege
 SeSystemEnvironmentPrivilege
 SeChangeNotifyPrivilege
 SeRemoteShutdownPrivilege

Author Comment

by:baal32
ID: 10881198
Cool Kenneniah - the list of available rights doesn't mention the SeDenyInteractiveLogonRight but it's still available.

Thanks

Expert Comment

by:Kenneniah
ID: 10891998
Glad it worked for you!
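
The approach the thread settles on, as an added example that is not part of the original posts: a PowerShell wrapper around ntrights.exe that adds SeDenyInteractiveLogonRight for the current user on this machine only, and lifts it once a different user has logged on. The parameter names, the state-file path, and the assumption that the script runs with local administrator rights inside the user's session are hypothetical.

```powershell
param(
    [Parameter(Mandatory = $true)][string]$Account,      # e.g. DOMAIN\user of this session
    [int]$Minutes = 30,                                  # allowed session length
    [string]$StateFile = 'C:\KioskState\last-denied.txt' # hypothetical path, admin-only ACL
)
$Right = 'SeDenyInteractiveLogonRight'   # the right behind "Deny log on locally"

function Set-DenyLocalLogon {
    param([string]$User, [switch]$Revoke)
    # ntrights.exe: +r grants a right, -r revokes it, -u names the account.
    # Without -m it changes this computer only, so the domain account stays
    # usable on every other machine (unlike disabling the account).
    $op = if ($Revoke) { '-r' } else { '+r' }
    & ntrights.exe $op $Right -u $User | Out-Null
    # Assumption: ntrights reports failure through a non-zero exit code.
    if ($LASTEXITCODE -ne 0) {
        throw "ntrights $op $Right failed for $User (exit code $LASTEXITCODE)"
    }
}

# 1. Someone new has logged on: lift the deny entry kept for the previous user.
if (Test-Path $StateFile) {
    $previous = Get-Content $StateFile | Select-Object -First 1
    if ($previous -and $previous -ne $Account) {
        Set-DenyLocalLogon -User $previous -Revoke
        Remove-Item $StateFile
    }
}

# 2. Let the session run for its allotted time (wall clock, not idle time).
Start-Sleep -Seconds ($Minutes * 60)

# 3. Record the account before denying it, so the entry can always be undone.
New-Item -ItemType Directory -Force -Path (Split-Path $StateFile) | Out-Null
Set-Content -Path $StateFile -Value $Account
Set-DenyLocalLogon -User $Account

# 4. Log off with the command suggested in the thread; it ends the session
#    the script is running in.
& shutdown.exe -l -f
```

If a domain GPO also defines "Deny log on locally" for the machine, the GPO's list replaces the local one at the next policy refresh, so entries added this way will not persist. Keep the state file where only administrators can write to it, since it decides whose deny entry is removed.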