How do I run login scripts and not allow batch files or command line being run?

Posted on 2009-02-23
Last Modified: 2012-08-14
Students are creating a text document from the desktop, putting in the first line of the file and saving the file as a batch file, .bat extension. Then they're running it and getting to teacher files. I'm running a Windows Server 2003 Domain with XP clients. I need to 1) stop students from running the command line, 2) stop the command line from running when a batch file is started, 3) map shared printers for the students, and 4) map 1 shared network drive. Here's what I've done (with a lot of help from searching the knowledgebase at this site).

1) Under studentusers OU - I enabled "Prevent access to the command prompt" under User Config --> Administrative Templates --> System. The toggle for "Disable the command prompt processing also?" I have set to "Yes".

This fixes the problem with the command prompt AND the batch file on the desktop. The command prompt cannot be run either way. This takes care of the first 2 problems I'm having. But by not allowing a batch file to run I had no printers or shared drives being mapped for the students to use, because I was using a batch file with net use to map the drives. So....

2) Under studentcomputers OU I went to Computer Configuration --> Windows Settings --> Scripts --> Startup. I added 2 scripts, 1 that maps network printers once a user logs in, and another one that maps one shared network drive. I then went into the properties of the individual user and deleted the logon_script on the "User Profile" page. This forces the 2 scripts to run at logon under computer config and should set everything up for the user - my problem is that it is not.

The printers show up, but if a teacher needed access to her printer, the teacher printers won't show up. Following is a vbscript that works for adding the student printers.

Script 1

' VBScript.
Dim net
Set net = CreateObject("WScript.Network")
net.AddWindowsPrinterConnection "\\CCHSFP1\MCIBM1130"
net.AddWindowsPrinterConnection "\\CCHSFP1\LABHPLJ4200"
net.AddWindowsPrinterConnection "\\CCHSFP1\LABCOLOR"

'Set default printer based on first 3 letters of computer name

Select Case left(net.ComputerName,3)

  Case "LAB"
    net.SetDefaultPrinter "\\CCHSFP1\LABHPLJ4200"

  Case "MED"
    net.SetDefaultPrinter "\\CCHSFP1\MCIBM1130"  

End Select

Script 2 - net use command I use for adding the drives in a batch file.
net use s: \\cchsfp1\shared

I also need this to work or switch it to a vbscript so it works when a student logs on. Teachers will log onto the same machine and their drives and printers need to be completely different.
Question by:jim34
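One way to do what the question asks for (a single VBScript logon script, run from User Config --> Windows Settings --> Scripts --> Logon, that maps different drives and printers for students and teachers on the same machine). This is an added example, not the poster's scripts; the teacher group name, the teacher share and the teacher printer are assumptions.

```vbscript
' Added example, not the original poster's scripts: one user logon script that
' maps drives and printers according to group membership, so students and
' teachers sharing a PC get different resources. Names marked "assumed" are not
' from the original question.
Option Explicit

Const TEACHER_GROUP_CN = "CN=TeacherUsers,"   ' assumed group; matched on DN prefix
Const STUDENT_SHARE    = "\\cchsfp1\shared"   ' from the original batch file
Const TEACHER_SHARE    = "\\cchsfp1\teachers" ' assumed share name

Dim net, sysInfo, user, groups, grp, isTeacher
Set net     = CreateObject("WScript.Network")
Set sysInfo = CreateObject("ADSystemInfo")      ' exposes the logged-on user's DN
Set user    = GetObject("LDAP://" & sysInfo.UserName)

' memberOf lists direct memberships only (not the primary group), and GetEx
' raises an error when the attribute is empty, hence the guard around it.
isTeacher = False
groups = Empty
On Error Resume Next
groups = user.GetEx("memberOf")
On Error GoTo 0
If IsArray(groups) Then
    For Each grp In groups
        If UCase(Left(grp, Len(TEACHER_GROUP_CN))) = UCase(TEACHER_GROUP_CN) Then isTeacher = True
    Next
End If

Sub MapDrive(letter, path)
    ' Drop any stale mapping first; MapNetworkDrive fails if the letter is in use.
    On Error Resume Next
    net.RemoveNetworkDrive letter, True, True
    On Error GoTo 0
    net.MapNetworkDrive letter, path
End Sub

If isTeacher Then
    MapDrive "T:", TEACHER_SHARE
    net.AddWindowsPrinterConnection "\\CCHSFP1\TEACHERLJ"   ' assumed printer
Else
    MapDrive "S:", STUDENT_SHARE
    net.AddWindowsPrinterConnection "\\CCHSFP1\MCIBM1130"
    net.AddWindowsPrinterConnection "\\CCHSFP1\LABHPLJ4200"
    net.AddWindowsPrinterConnection "\\CCHSFP1\LABCOLOR"
    ' Default printer by room, keyed on the first three letters of the PC name.
    Select Case UCase(Left(net.ComputerName, 3))
        Case "LAB": net.SetDefaultPrinter "\\CCHSFP1\LABHPLJ4200"
        Case "MED": net.SetDefaultPrinter "\\CCHSFP1\MCIBM1130"
    End Select
End If
' The script only decides what gets mapped; what a user can open is still
' governed by the share and NTFS ACLs, which a logon script cannot bypass.
```

Because this runs as a logon script in the user's own security context, it needs no cmd.exe and keeps working with "Prevent access to the command prompt" enabled.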
    LVL 47

    Accepted Solution

    I would then use software restriction policies
    How To Use Software Restriction Policies in Windows Server 2003

    Author Comment

    I moved the 2 VBScripts (1 adding the printers and 1 adding the networked share drive) from the computer config side to the user config side under User Config --> Windows Settings --> Scripts --> Logon and it works fine.

    VBScripts don't need the command.exe to execute. It's only startup scripts using the command line that I blocked under computer config. So...I'm good.

    LVL 82

    Expert Comment

    You actually have another problem that is only partially covered up by blocking the command shell. If your students can access the teacher files by using the command shell, then your NTFS security is incorrect. You should not block how they accessed - you should block access as such. With missing NTFS permissions, there are more ways than just the command shell to access files they shouldn't have access to.

    And you need to differentiate between logon scripts and startup scripts. Logon scripts are run during user logon, in the user's security context. Startup scripts are run during the computer's boot, and will be executed in the local system's security context.
    Anything user related (mapped drives, network printers, access to HKCU, ...) has to be done in logon scripts, not in startup scripts.

    Author Comment

    I should have said teacher folders instead of files. No students have gotten inside the teacher folders, I just want to make sure every way I can to secure the teacher files. The harder it is for them to get there the more secure everything is I figure. Only the domain user, administrator group, Creator Owner group, and system group have any access at all to files inside that folder.
    LVL 82

    Assisted Solution

    That sounds okay then. Assuming that these folders are on a server (running W2k3 SP1 or later) somewhere, you can activate Access Based Enumeration for the share; this will hide folders that they don't have access for.
    Note that the ABE download above only installs the management tools (a new tab in the share properties in Explorer and abecmd.exe, plus some documentation), the ABE functionality itself is included in W2k3 since SP1.

    Author Comment

    This says the supported OS is Windows Server 2003 Service Pack 1, but I have Service Pack 2. Will this still work for me? I know your comment says SP1 or later. I just wanted to double-check. Will this stop students seeing the folders even in a command line interface?
    LVL 82

    Expert Comment

    Yes, that will work on SP2 as well.
    It will completely block enumeration of files and folders on a network drive (not for local drives, though!) for which the user does not have permissions (that is, any file/folder for which the user would get an "Access denied" should he try to open it).

    Author Closing Comment

    I used Software Restriction Policies. The only thing that bugs me about it is I used a path restriction for getting to cmd.exe. Well, by default, the students can access the file on that path and copy and paste it to another location - thus defeating the software restriction policy. I do have to deny the student group any rights to that file so they can't copy/move it, before the software restriction works.

    I also used the shared folder enumeration.

    I'm much more secure than last week. Thanks
