

How do I run login scripts and not allow batch files or command line being run?

Posted on 2009-02-23
Medium Priority
Last Modified: 2012-08-14
Students are creating a text document from the desktop, putting command.com in the first line of the file and saving the file as a batch file with a .bat extension. Then they're running it and getting to teacher files. I'm running a Windows Server 2003 domain with XP clients. I need to 1) stop students from running the command line, 2) stop the command line from running when a batch file is started, 3) map shared printers for the students, and 4) map 1 shared network drive. Here's what I've done (with a lot of help from searching the knowledgebase at this site).

1) Under studentusers OU - I enabled "Prevent access to the command prompt" under User Config --> Administrative Templates --> System. The toggle for "Disable the command prompt processing also?" I have set to "Yes".

This fixes the problem with the command prompt AND the batch file on the desktop. The command prompt cannot be run either way. This takes care of the first 2 problems I'm having. But by not allowing a batch file to run, I had no printers or shared drives being mapped for the students to use, because I was using a batch file with net use to map the drives. So....

2) Under studentcomputers OU I went to Computer Configuration --> Windows Settings --> Scripts --> Startup. I added 2 scripts, 1 that maps network printers once a user logs in, and another one that maps one shared network drive. I then went into the properties of the individual user and deleted the logon_script on the "User Profile" page. This forces the 2 scripts to run at logon under computer config and should set everything up for the user - my problem is that it is not.

The printers show up, but if a teacher needed access to her printer, the teacher printers won't show up. Following is a vbscript that works for adding the student printers.

Script 1

' VBScript.
Dim net
Set net = CreateObject("WScript.Network")
net.AddWindowsPrinterConnection "\\CCHSFP1\MCIBM1130"
net.AddWindowsPrinterConnection "\\CCHSFP1\LABHPLJ4200"
net.AddWindowsPrinterConnection "\\CCHSFP1\LABCOLOR"

'Set default printer based on first 3 letters of computer name

Select Case left(net.ComputerName,3)

  Case "LAB"
    net.SetDefaultPrinter "\\CCHSFP1\LABHPLJ4200"

  Case "MED"
    net.SetDefaultPrinter "\\CCHSFP1\MCIBM1130"  

End Select

Script 2 - net use command I use for adding the drives in a batch file.
net use s: \\cchsfp1\shared

I also need this to work or switch it to a vbscript so it works when a student logs on. Teachers will log onto the same machine and their drives and printers need to be completely different.
Question by:jim34
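As an added example (not the original poster's script or the accepted answer), one per-user logon script that combines Script 1 and the net use line and branches on AD group membership, so that students and teachers logging on to the same PC get different printers and a different S: drive. The group names "Students" and "Teachers", the teacher share "\\CCHSFP1\teachers" and the printer "\\CCHSFP1\TEACHERPRN" are assumed placeholders; the student printers and share are the ones from the question.

```vbscript
' Added example: a single logon script to place under User Configuration -->
' Windows Settings --> Scripts --> Logon. It runs in the user's own security
' context, so it can only map what the user's share and NTFS permissions allow.
' Group name "Teachers" and the teacher share/printer are assumed placeholders.
Option Explicit
Dim net, sysInfo, user, grp, isTeacher, drives, i
Set net = CreateObject("WScript.Network")

' Look up the logged-on user's AD object and check whether it is in "Teachers".
isTeacher = False
Set sysInfo = CreateObject("ADSystemInfo")
Set user = GetObject("LDAP://" & sysInfo.UserName)
For Each grp In user.Groups
    If LCase(grp.Get("cn")) = "teachers" Then isTeacher = True
Next

' MapNetworkDrive fails if S: is still mapped from a previous session (e.g. a
' teacher's share left behind), so remove any existing S: mapping first.
Set drives = net.EnumNetworkDrives
For i = 0 To drives.Count - 1 Step 2
    If UCase(drives.Item(i)) = "S:" Then net.RemoveNetworkDrive "S:", True, True
Next

If isTeacher Then
    net.MapNetworkDrive "S:", "\\CCHSFP1\teachers"          ' placeholder share
    net.AddWindowsPrinterConnection "\\CCHSFP1\TEACHERPRN"  ' placeholder printer
    net.SetDefaultPrinter "\\CCHSFP1\TEACHERPRN"
Else
    net.MapNetworkDrive "S:", "\\cchsfp1\shared"
    net.AddWindowsPrinterConnection "\\CCHSFP1\MCIBM1130"
    net.AddWindowsPrinterConnection "\\CCHSFP1\LABHPLJ4200"
    net.AddWindowsPrinterConnection "\\CCHSFP1\LABCOLOR"
    ' Default printer chosen from the first 3 letters of the computer name,
    ' as in the poster's Script 1.
    Select Case UCase(Left(net.ComputerName, 3))
        Case "LAB": net.SetDefaultPrinter "\\CCHSFP1\LABHPLJ4200"
        Case "MED": net.SetDefaultPrinter "\\CCHSFP1\MCIBM1130"
    End Select
End If
```

Because this is a logon script rather than a startup script, it needs no cmd.exe and is unaffected by the "Prevent access to the command prompt" policy; the mappings only grant what the share and NTFS ACLs already permit.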

Accepted Solution

Donald Stewart earned 750 total points
ID: 23714305
I would then use software restriction policies
How To Use Software Restriction Policies in Windows Server 2003

Author Comment

ID: 23715743
I moved the 2 vbscripts - 1 adding the printers and 1 for adding the networked share drive) from the computer config side to the user config side under User Config --> Windows Settings --> Scripts --> Logon and it works fine.

vbscripts don't need the command.exe to execute. It's only startup scripts using the command line that I blocked under computer config. So...I'm good.


Expert Comment

ID: 23716904
You actually have another problem that is only partially covered up by blocking the command shell. If your students can access the teacher files by using the command shell, then your NTFS security is incorrect. You should not block how they accessed it - you should block the access as such. With missing NTFS permissions, there are more ways than just the command shell to access files they shouldn't have access to.

And you need to differentiate between logon scripts and startup scripts. Logon scripts are run during user logon, in the user's security context. Startup scripts are run during the computer's boot, and will be executed in the local system's security context.
Anything user related (mapped drives, network printers, access to HKCU, ...) has to be done in logon scripts, not in startup scripts.

Author Comment

ID: 23726285
I should have said teacher folders instead of files. No students have gotten inside the teacher folders, I just want to secure the teacher files every way I can. The harder it is for them to get there the more secure everything is, I figure. Only the domain user, Administrators group, Creator Owner group, and System group have any access at all to files inside that folder.

Assisted Solution

oBdA earned 750 total points
ID: 23726402
That sounds okay then. Assuming that these folders are on a server (running W2k3 SP1 or later) somewhere, you can activate Access Based Enumeration (http://www.microsoft.com/Downloads/details.aspx?FamilyID=04a563d9-78d9-4342-a485-b030ac442084&displaylang=en) for the share; this will hide folders that they don't have access for.
Note that the ABE download above only installs the management tools (a new tab in the share properties in Explorer and abecmd.exe, plus some documentation), the ABE functionality itself is included in W2k3 since SP1.

Author Comment

ID: 23749862
This says the supported OS is Windows Server 2003 Service Pack 1, but I have Service Pack 2. Will this still work for me? I know your comment says SP1 or later. I just wanted to double-check. Will this stop students seeing the folders even in a command line interface?

Expert Comment

ID: 23750372
Yes, that will work on SP2 as well.
It will completely block enumeration of files and folders on a network drive (not for local drives, though!) for which the user does not have permissions (that is, any file/folder for which the user would get an "Access denied" should he try to open it).

Author Closing Comment

ID: 31550234
I used Software Restriction Policies. The only thing that bugs me about it is I used a path restriction for getting to cmd.exe. Well, by default, the students can access the file on that path and copy and paste it to another location - thus defeating the software restriction policy. I do have to deny the student group any rights to that file so they can't copy/move it, before the software restriction works.

I also used the shared folder enumeration.

I'm much more secure than last week. Thanks
