Solved

Deny Logon Locally GPO setting scriptable?

Posted on 2004-04-20
8
1,241 Views
Last Modified: 2012-06-27
I'm trying to proigram a time-based (not idle time) logout for some public systems - I don't know if its doable but what I'd like to do is run a scheduled task on login that would wait 30 minutes before calling a logout and prohibiting the currently logged in user from immediately logging in again.  To that end I'm trying to figure out how to mimic the GPO LM/Security/Deny Logon locally in order to place the user on the deny list.  

I'd like an explanation of what that security setting modifies (registry/SAM/?) becasue I'm fairly clueless and whether there is scripting or programmatic access to accomplish the same thing.
0
Comment
Question by:baal32
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 24

Expert Comment

by:Kenneniah
ID: 10872163
How long would you want the user to not be able to login?
0
 

Author Comment

by:baal32
ID: 10872744
I don't know exactly - probably between 30 minutes and an hour...
0
 
LVL 24

Expert Comment

by:Kenneniah
ID: 10872914
Most likely I'd use "shutdown.exe -l -f" to accomplish the logoff.
For the user I'd use "net user username /diable" to make it so that user cannot log in.
Then either reenable account manually, or schedule "net user username /enable"
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:baal32
ID: 10873121
Well... there's no net user username /disable command, although there is a "net user username /active:{yes:no}".  Will this disable the user's domain account altogether though?  I just need them not to be able to logon to that particular system until someone else has logged on (at which time I will reenable the previous user's ability to logon locally...)  The idea is that we make sure no person is on any one system for longer than x minutes - this shouldn't stop them from being able to go to another system hoever (if other systems are available...)
0
 
LVL 24

Accepted Solution

by:
Kenneniah earned 250 total points
ID: 10873362
LOL oops, yes it is /active for net user, and yes it will disable the domain account completely.

If you have the Windows 2000 Resource Kit use ntrights.exe.
http://support.microsoft.com/default.aspx?kbid=315276
0
 

Author Comment

by:baal32
ID: 10880410
The following are the available security priveleges for this tool (ntrights.exe) ...  I was hoping to see something signifying local logon...  So is the security file which contains the local logon prohibnitions secedit.sdb?  SHould I be trying to moidify this directly?  

 SeCreateTokenPrivilege
 SeAssignPrimaryTokenPrivilege
 SeLockMemoryPrivilege
 SeIncreaseQuotaPrivilege
 SeUnsolicitedInputPrivilege
 SeMachineAccountPrivilege
 SeTcbPrivilege
 SeSecurityPrivilege
 SeTakeOwnershipPrivilege
 SeLoadDriverPrivilege
 SeSystemProfilePrivilege
 SeSystemtimePrivilege
 SeProfileSingleProcessPrivilege
 SeIncreaseBasePriorityPrivilege
 SeCreatePagefilePrivilege
 SeCreatePermanentPrivilege
 SeBackupPrivilege
 SeRestorePrivilege
 SeShutdownPrivilege
 SeAuditPrivilege
 SeSystemEnvironmentPrivilege
 SeChangeNotifyPrivilege
 SeRemoteShutdownPrivilege
0
 

Author Comment

by:baal32
ID: 10881198
Cool Kennenniah - the list of available rights doesn't mention the SeDenyInteractiveLogonRight but its still available.

Thanks
0
 
LVL 24

Expert Comment

by:Kenneniah
ID: 10891998
Glad it worked for you!
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It is only natural that we all want our PCs to be in good working order, improved system performance, so that is exactly how programs are advertised to entice. They say things like:            •      PC crashes? Get registry cleaner to repair it!    …
Sometimes people don't understand why download speed shows differently for Windows than Linux.Specially, this article covers and shows the solution for throughput difference for Windows than a Linux machine. For this, I arranged a test scenario.I…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question