Solved

Automatic Logon, Local logonscript refuses to run

Posted on 2004-08-06
Last Modified: 2013-12-04
Hello,

I've got a stand-alone Windows XP Pro SP1 computer, which I want to secure.
This computer will be used by some of the clients in my company.
I do not want to give them rights to change anything.
So I've created a registry file which hides/disables almost everything for the regular local user.
This file is called during logon, via the logon script in the properties tab of the local user.

I've got a similar script for the administrator, which unhides\enables everything which used to be hidden. Everything works like a charm. Changes to any of the two files will be incorporated after the next reboot.

But then I wanted to use the automatic logon-feature:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="computername"
"DefaultUserName"="username"
"ForceAutoLogon"="1"
"DefaultPassword"="userpassword"
"AutoAdminLogon"="1"

Automatic logon works, but now the script for the regular user fails to run.
Any changes I made to the registry-file will not be incorporated in the registry.
If I log on manually as the user, the changes will be made.

So the combination logon-scripts and Autologon is at fault.

Does anybody know how I can resolve this problem?

Question by:Lioncasa
Accepted Solution

by:
mwnnj earned 250 total points
ID: 11863355
Hi, if you have a PC to secure then you should probably throw away this autolog-on function... cuz with the autolog-on function things are everything but secure.
So take a look at this link:
http://www.kellys-korner-xp.com/win_xp_passwords.htm ,
"...
How to Enable Automatic Logon in Windows

If you set a computer for auto logon, anyone who can physically obtain access to the computer can gain access to all of the computer contents, including any network or networks it is connected to. In addition, if you enable autologon, the password is stored in the registry in plaintext. The specific registry key that stores this value is remotely readable by the Authenticated Users group. ..."
Please take a look at the whole article and carefully read the whole point: "How to Enable Automatic Logon in Windows".

I found another way that you can enable the automatic logon function in Windows XP:

http://www.microsoft.com/windowsxp/using/setup/learnmore/tips/knox2.mspx


So, about your question; what I think about that:

If you want to manage different accounts on your system/PC then you need a separator, something that will say: "OK, you want a new session to run the system; which account do you want to enter?" You know, in Windows XP you have the chance to run multiple accounts under the current session, but you need to use the log-on function of Windows every time - the separator for these accounts. See, if you want the account Tom (any account type; not the Guest account!) to have its own startup and restrictions, then you need the separator which will say: "OK, you have told me to run this account every time with its specific startup and the restrictions you have made!" This is the role of winlogon.exe; this file manages the entry to your system, so that you can choose a different account from the other accounts, which is specific... The account Tom has its own startup which will not affect the other accounts on the system, and if you have other user or super user or admin accounts on the system, they will not affect the account Tom with their own setups and restrictions. You understand that if you enter an admin account you can change the startup for Tom and the restrictions, let's say the old restrictions... you know that better! But the point is, if you use the autolog-on function in Windows... it is the same thing as if you wanted the guest account to have permission to the system without the logon prompt... You know that you can run the guest account with the default startup for this account in Windows, and every time you specify something in this account it will disappear the next time you enter the account - it's a guest account, it must not have its own specific profile!
So if you have a network or internet and your standalone PC enters the network sometimes, then I will recommend that you disable the autologon, cuz it's insecure!!!
Let's say your PC is really standalone: no network, nor internet! So if you want to keep this autolog-on function, why don't you make the restrictions and the specific startup under the local machine account? Use any startup manager, or even easier, regedit.exe; go to the node:
\HKEY_Local_Machine\Software\Windows\CurrentVersion\Run (for Win2k!!!; in WinXP it can be a little different!) and there you can make the link to your registry file/script; this specific startup will take effect under all of the accounts on your system. Warning!... You can then make the restrictions you want to make for the user account under the local machine account to take effect.


What the Warning was about:
1) How many user restrictions did you make? I mean: 1.1) do you have only one restriction/startup for the user account and one for the admin account, or 1.2) do you have different user accounts and every account has its own specific startup/restrictions? If it is the second, then you have no chance with autologon. If it's the first, then read further.

2) If you make these restrictions under local machine, then I'm not sure that you can enter your admin account with its own startup/restrictions, cuz local machine is hierarchically stronger than the admin account. Probably it will become a mess; so just try and find out what will happen: make the restrictions/autostart for all accounts under local machine - if everything works fine, enter your admin account again as normal and see what happens after all. But see, it's dangerous, for it could happen that you can't work properly under the admin account (I doubt it, but it's Windows: you don't know what will happen till it occurs). So, I don't want you to have to reinstall the whole system after all!
ADVICE: simulate the whole thing on another PC that is not so important and find out what will happen. DO NOT PLAY WITH YOUR SYSTEM! I know that the system account is also hierarchically stronger than the admin account; I don't know if it's separated from the local machine account. You can start the system account with the task scheduler, but see, if you make a standalone PC with no restrictions on the task scheduler for everyone that can enter the system account - it's everything but a secure system!

3) THESE ARE MY ADVICES AND I AM NOT 100% SURE WHAT WILL HAPPEN IF..., SO DON'T PLAY WITH YOUR SYSTEM!
 

My advice for sure is that you go on using your log-on function; just forget about this autolog-on, it's not secure!

OK, if I find something more I'll post it straight away here.
Good luck!

till later
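
An added example, not part of the original thread: a PowerShell audit of the Winlogon key from the question, reporting whether autologon is enabled, whether a plaintext DefaultPassword value is stored, and which principals have read access to the key (the point made in the quoted article). The function name Test-AutoLogonExposure and the output fields are made up for this example, and it assumes a Windows system with PowerShell available.

```powershell
# Added example: audit the Winlogon key for autologon with a stored plaintext password.
# Function name and output fields are illustrative, not from the thread.
function Test-AutoLogonExposure {
    [CmdletBinding()]
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    $values = Get-ItemProperty -Path $KeyPath -ErrorAction Stop

    # The values are strings; a value that does not exist comes back as $null.
    $autoLogon   = ($values.AutoAdminLogon -eq '1')
    $forceLogon  = ($values.ForceAutoLogon -eq '1')
    $hasPassword = -not [string]::IsNullOrEmpty($values.DefaultPassword)

    # Principals with an Allow ACE that includes QueryValues can read the
    # password value if it is present. ACEs expressed only as generic rights
    # are not expanded here, so treat the list as a lower bound.
    $queryValues = [System.Security.AccessControl.RegistryRights]::QueryValues
    $readers = (Get-Acl -Path $KeyPath).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.RegistryRights -band $queryValues)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    $finding = if ($autoLogon -and $hasPassword) {
        'Autologon enabled with the password stored in plaintext'
    } elseif ($hasPassword) {
        'Autologon off, but a DefaultPassword value is still stored'
    } else {
        'No plaintext autologon password found'
    }

    [pscustomobject]@{
        AutoAdminLogon           = $autoLogon
        ForceAutoLogon           = $forceLogon
        DefaultUserName          = $values.DefaultUserName
        PlaintextPasswordStored  = $hasPassword   # the value itself is never printed
        PrincipalsWithReadAccess = $readers
        Finding                  = $finding
    }
}

Test-AutoLogonExposure | Format-List
```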