Solved

Automatic Logon, Local logonscript refuses to run

Posted on 2004-08-06
Last Modified: 2013-12-04
Hello,

I've got a stand-alone Windows XP Pro SP1 computer, which I want to secure.
This computer will be used by some of the clients in my company.
I do not want to give them rights to change anything.
So I've created a registry file which hides/disables almost anything for the regular local user.
This file is called during logon, via the Logon script in the properties tab of the local user.

I've got a similar script for the administrator, which unhides\enables everything which used to be hidden. Everything works like a charm. Changes to any of the two files will be incorporated after the next reboot.

But then I wanted to use the automatic logon-feature:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="computername"
"DefaultUserName"="username"
"ForceAutoLogon"="1"
"DefaultPassword"="userpassword"
"AutoAdminLogon"="1"

Automatic logon works, but now the script for the regular user fails to run.
Any changes I made to the registry-file will not be incorporated in the registry.
If I logon manually with the user, the changes will be made.

So the combination logon-scripts and Autologon is at fault.

Does anybody know how I can resolve this problem?

Question by:Lioncasa
Accepted Solution

by:
mwnnj earned 250 total points
Hi, if you have a PC to secure then you should probably throw away this autologon function... cuz with the autologon function things are everything but secure.
So take a look at this link:
http://www.kellys-korner-xp.com/win_xp_passwords.htm,
"...
How to Enable Automatic Logon in Windows

If you set a computer for auto logon, anyone who can physically obtain access to the computer can gain access to all of the computer contents, including any network or networks it is connected to. In addition, if you enable autologon, the password is stored in the registry in plaintext. The specific registry key that stores this value is remotely readable by the Authenticated Users group. ..."
Please take a look at the whole article and read carefully the whole point: "How to Enable Automatic Logon in Windows".

I found another way that you can enable the automatic logon function in Windows XP:

http://www.microsoft.com/windowsxp/using/setup/learnmore/tips/knox2.mspx


So, about your question; what I think about that:

If you want to manage different accounts on your system/PC then you need a separator, something that will say: "OK, you want a new session to run the system; which account do you want to enter?" You know in Windows XP you have the chance to run multiple accounts under the current session, but you need every time to use the logon function of Windows - the separator for these accounts. See, if you want the account Tom (any account type; not Guest account!) to have its own startup and restrictions, then you need the separator who will say: "OK, you have told me to run this account every time with its specific startup and the restrictions you have made!" - This is the role of winlogon.exe; this file manages the entry of your system, so that you can choose a different account from the other accounts, which is specific.... The account Tom has its own startup which will not affect the other accounts on the system, and if you have other user or super user or admin accounts on the system - they will not affect the account Tom with their own setups and restrictions. You understand that if you enter an admin account you can change the startup for Tom and the restrictions, let's say the old restrictions... you know that better! But the point is, if you use the autologon function in Windows... it is the same thing as if you want the guest account to have permission to the system without the logon prompt... You know that you can run the guest account with the default startup for this account in Windows, and every time you specify something in this account it will disappear the next time you enter the account - it's a guest account, it must not have its own specific profile!
So if you have a network or internet and your standalone PC enters the network sometimes - then I will recommend that you disable the autologon, cuz it's insecure!!!
Let's say your PC is really standalone: no network, nor internet! So if you want to keep this autologon function, why don't you make the restrictions and the specific startup under the local machine account. Use any startup manager or, even easier, regedit.exe; go to the node:
\HKEY_Local_Machine\Software\Windows\CurrentVersion\Run (for Win2k!!!; in WinXP it can be a little different!) and there you can make the link to your registry file/script, for this specific startup will take effect under all of the accounts on your system: Warning!... You can then make the restrictions you want to make for the user account under the local machine account to take effect.


What was the Warning about:
1) How many user restrictions did you make; I mean: 1.1) do you have only one restriction/startup for the user account and one for the admin account, or 1.2) do you have different user accounts and every account has its own specific startup/restrictions. If it is the second then you have no chance with autologon. If it's the first then read further.

2) If you make these restrictions under local machine then I'm not sure that you can enter your admin account with its own startup/restrictions, cuz local machine is hierarchically stronger than the admin account. Probably it will become a mess; so just try and find out what will happen: make the restrictions/autostart for all accounts under local machine - if everything works fine - enter again your admin account as normal and see what will happen after all, but see, it's dangerous, for it could happen that you can't work properly under the admin account (I doubt it, but it's Windows: you don't know what will happen till it occurs). So, I don't want you to have to reinstall the whole system after all!
ADVICE: simulate the whole thing on another PC that is not so important and find out what will happen. DO NOT PLAY WITH YOUR SYSTEM! I know that the system account is also hierarchically stronger than the admin account; I don't know if it's separated from the local machine account. You can start the system account with the task scheduler, but see, if you make a standalone PC with no restrictions for task scheduler for everyone that can enter the system account - it's everything but a secure system!

3) THESE ARE MY ADVICES AND I AM NOT 100% SURE WHAT WILL HAPPEN IF..., SO DON'T PLAY WITH YOUR SYSTEM!
 

My advice for sure is that you go on using your logon function; just forget about this autologon, it's not secure!

OK, if I find something more I'll post it straight away here.
Good luck!

till later
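
A read-only check for the autologon configuration discussed in this thread, as an added example that is not part of the original posts: it reports whether the Winlogon values from the question are set, whether a DefaultPassword value is stored (without printing it), and which accounts are granted access to the key. It assumes Windows PowerShell 3.0 or later; the function names Get-AutoLogonFinding and Get-WinlogonReader are hypothetical.

```powershell
# Added example: read-only audit of the Winlogon autologon values from this thread.
# Assumes Windows PowerShell 3.0+; function names are hypothetical.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonFinding {
    param([string]$Path = $WinlogonKey)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop

    # Return a registry value as a string, or $null when the value does not exist.
    $read = {
        param($name)
        $p = $props.PSObject.Properties[$name]
        if ($null -ne $p) { [string]$p.Value } else { $null }
    }

    $storedPw = & $read 'DefaultPassword'

    [pscustomobject]@{
        AutoAdminLogon          = ((& $read 'AutoAdminLogon') -eq '1')
        ForceAutoLogon          = ((& $read 'ForceAutoLogon') -eq '1')
        DefaultDomain           = (& $read 'DefaultDomainName')
        DefaultUser             = (& $read 'DefaultUserName')
        # Report presence only; never echo the stored password itself.
        PlaintextPasswordStored = (-not [string]::IsNullOrEmpty($storedPw))
    }
}

function Get-WinlogonReader {
    param([string]$Path = $WinlogonKey)
    # List the Allow entries on the key so you can see who is able to read it.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

$finding = Get-AutoLogonFinding
$finding | Format-List
if ($finding.AutoAdminLogon -and $finding.PlaintextPasswordStored) {
    Write-Warning "Autologon is enabled and DefaultPassword is stored in plaintext for '$($finding.DefaultUser)'."
}
Get-WinlogonReader | Format-Table -AutoSize
```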