[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1260
  • Last Modified:

Deny Logon Locally GPO setting scriptable?

I'm trying to proigram a time-based (not idle time) logout for some public systems - I don't know if its doable but what I'd like to do is run a scheduled task on login that would wait 30 minutes before calling a logout and prohibiting the currently logged in user from immediately logging in again.  To that end I'm trying to figure out how to mimic the GPO LM/Security/Deny Logon locally in order to place the user on the deny list.  

I'd like an explanation of what that security setting modifies (registry/SAM/?) becasue I'm fairly clueless and whether there is scripting or programmatic access to accomplish the same thing.
0
baal32
Asked:
baal32
  • 4
  • 4
1 Solution
 
KenneniahCommented:
How long would you want the user to not be able to login?
0
 
baal32Author Commented:
I don't know exactly - probably between 30 minutes and an hour...
0
 
KenneniahCommented:
Most likely I'd use "shutdown.exe -l -f" to accomplish the logoff.
For the user I'd use "net user username /diable" to make it so that user cannot log in.
Then either reenable account manually, or schedule "net user username /enable"
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
baal32Author Commented:
Well... there's no net user username /disable command, although there is a "net user username /active:{yes:no}".  Will this disable the user's domain account altogether though?  I just need them not to be able to logon to that particular system until someone else has logged on (at which time I will reenable the previous user's ability to logon locally...)  The idea is that we make sure no person is on any one system for longer than x minutes - this shouldn't stop them from being able to go to another system hoever (if other systems are available...)
0
 
KenneniahCommented:
LOL oops, yes it is /active for net user, and yes it will disable the domain account completely.

If you have the Windows 2000 Resource Kit use ntrights.exe.
http://support.microsoft.com/default.aspx?kbid=315276
0
 
baal32Author Commented:
The following are the available security priveleges for this tool (ntrights.exe) ...  I was hoping to see something signifying local logon...  So is the security file which contains the local logon prohibnitions secedit.sdb?  SHould I be trying to moidify this directly?  

 SeCreateTokenPrivilege
 SeAssignPrimaryTokenPrivilege
 SeLockMemoryPrivilege
 SeIncreaseQuotaPrivilege
 SeUnsolicitedInputPrivilege
 SeMachineAccountPrivilege
 SeTcbPrivilege
 SeSecurityPrivilege
 SeTakeOwnershipPrivilege
 SeLoadDriverPrivilege
 SeSystemProfilePrivilege
 SeSystemtimePrivilege
 SeProfileSingleProcessPrivilege
 SeIncreaseBasePriorityPrivilege
 SeCreatePagefilePrivilege
 SeCreatePermanentPrivilege
 SeBackupPrivilege
 SeRestorePrivilege
 SeShutdownPrivilege
 SeAuditPrivilege
 SeSystemEnvironmentPrivilege
 SeChangeNotifyPrivilege
 SeRemoteShutdownPrivilege
0
 
baal32Author Commented:
Cool Kennenniah - the list of available rights doesn't mention the SeDenyInteractiveLogonRight but its still available.

Thanks
0
 
KenneniahCommented:
Glad it worked for you!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now