Family [User] Values...

  • Family [User] Values...

    Ahh, the joys of Children. Mine are getting to the clever, inventive and subversive phase...

    Last year I gave them both identical computers (Athlon XP2200, 2GB of RAM, 40GB HDD, and DVD-ROMs). This year it was ATI 9800PRO Video cards, subscriptions to Toontown, bringing BeyondTV Link, and VOIP to their desktops. Also, since now their computers are becoming their primary means of entertainment and communication, the time has come for more oversight on how they use their computers...

    So here it is, kids:

    Code:
    NET USER "Luke R. Helton" ****** /ADD /ACTIVE:Yes /COMMENT:"Son" /COUNTRYCODE:0 /EXPIRES:Never /FULLNAME:"Luke R. Helton" /PASSWORDCHG:No /PASSWORDREQ:YES /TIMES:Su-Th,06:00-21:00;F-SA,06:00-22:00 /USERCOMMENT:"Restricted User"
     
    NET USER "Rachel M. Helton" ****** /add  /ACTIVE:Yes /COMMENT:"Daughter" /COUNTRYCODE:0 /EXPIRES:Never /FULLNAME:"Rachel M. Helton" /PASSWORDCHG:No /PASSWORDREQ:YES /TIMES:Su-Th,06:00-21:00;F-SA,06:00-22:00 /USERCOMMENT:"Restricted User"
    To avoid Chronometer Errors and prevent inadvertent Regional Settings from being altered we have this:

    Code:
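    REM /D adds an explicit Deny entry; /R would only revoke entries the user already has
    cacls "%SystemRoot%\System32\timedate.cpl" /E /D "Luke R. Helton"
     
    cacls "%SystemRoot%\System32\timedate.cpl" /E /D "Rachel M. Helton"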
    To ensure the smooth and consistent operation of the system and to prevent possible malicious operations, we have the following safeguards in place for the "Luke R. Helton" and "Rachel M. Helton" Accounts:

    Code:
    REG ADD HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    All Children need plenty of sleep: to ensure that they don't stray too far from their bedtimes, there are Several Reminders before the next step:

    Code:
    @ECHO OFF
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    ::                                                                           ::
    ::                     Script to Add AT Jobs for Logoffs                     ::
    ::                                                                           ::
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    AT 21:00 /INTERACTIVE /EVERY:Su,M,T,W,Th C:\WINDOWS\Tools\Scripts\User_Check_X.cmd 10 1st.
    AT 21:05 /INTERACTIVE /EVERY:Su,M,T,W,Th C:\WINDOWS\Tools\Scripts\User_Check_X.cmd 5 2nd.
    AT 21:09 /INTERACTIVE /EVERY:Su,M,T,W,Th C:\WINDOWS\Tools\Scripts\User_Check_X.cmd 1 Final
    AT 21:10 /INTERACTIVE /EVERY:Su,M,T,W,Th C:\WINDOWS\Tools\Scripts\User_Logoff.cmd
    AT 22:00 /INTERACTIVE /EVERY:F,S C:\WINDOWS\Tools\Scripts\User_Check_X.cmd 10 1st.
    AT 22:05 /INTERACTIVE /EVERY:F,S C:\WINDOWS\Tools\Scripts\User_Check_X.cmd 5 2nd.
    AT 22:09 /INTERACTIVE /EVERY:F,S C:\WINDOWS\Tools\Scripts\User_Check_X.cmd 1 Final
    AT 22:10 /INTERACTIVE /EVERY:F,S C:\WINDOWS\Tools\Scripts\User_Logoff.cmd
    :END
    Code:
    @ECHO OFF
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    ::                                                                           ::
    ::           Script to Log Off Users at the Scheduled Time... Hehe.          ::
    ::                            x Minute Warning.                             ::
    ::                                                                           ::
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    SETLOCAL
    SET TIMER=%1
    SET WARNING=%2
    ECHO %TIMER%
    FOR /F "tokens=* eol=;" %%a IN (C:\WINDOWS\Tools\Users\Users.txt) DO CALL :MAIN %%a %TIMER% %WARNING%
    REM Stop here so execution does not fall through into :MAIN after the last user
    GOTO :EOF
     
    :MAIN
    SET USER_ID=%1
    SET TIMEWAIT=%2
    SET WARNING_FLAG=%3
    SET USER_ID=%USER_ID:~1,-1%
    FOR /F "tokens=3" %%b IN ('NET USER "%USER_ID%" ^| FIND /I "account active"') DO GOTO CHECKLOGON
    SET TIMER=0
    SET USER_ID=0
    ENDLOCAL
    GOTO END
     
    :CHECKLOGON
    FOR /F "tokens=2 delims==" %%c IN ('NETSH DIAG SHOW COMPUTER /v ^| FIND /I "username"') DO SET COMPUTER_USER_STRING=%%c
    SET COMPUTER_USER_STRING=%COMPUTER_USER_STRING:~1%
    FOR /F "tokens=2 delims=\" %%d IN ("%COMPUTER_USER_STRING%") DO SET LOGGED-IN_USER=%%d
    SET LOGGED-IN_USER=%LOGGED-IN_USER:~0,-1%
    IF "%LOGGED-IN_USER%" EQU "%USER_ID%" GOTO LOGOFF_ROUTINE
    GOTO END
     
    :LOGOFF_ROUTINE
    C:\WINDOWS\Tools\bin\WAV.exe C:\WINDOWS\Tools\Sounds\Space_SysExit.wav
    C:\WINDOWS\Tools\bin\NIRCMDC.exe qboxcom "The time is now %TIME%: You will be logged off in %TIMEWAIT% minutes; Do you want to Logoff now?" "LOGOFF NOTIFICATION: %WARNING_FLAG% Warning: %USERNAME%, please Logoff..." exitwin logoff forceifhung
     
    :END
    And Children, don't think for a minute you weren't warned before...

    Code:
    @ECHO OFF
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    ::                                                                           ::
    ::           Script to Log Off Users at the Scheduled Time... Hehe.          ::
    ::                             No Warning logoff.                            ::
    ::                                                                           ::
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    SETLOCAL
    FOR /F "tokens=* eol=;" %%a IN (C:\WINDOWS\Tools\Users\Users.txt) DO CALL :MAIN %%a
    REM Stop here so execution does not fall through into :MAIN after the last user
    GOTO :EOF
     
    :MAIN
    SET USER_ID=%1
    SET USER_ID=%USER_ID:~1,-1%
    FOR /F "tokens=3" %%b IN ('NET USER "%USER_ID%" ^| FIND /I "account active"') DO GOTO CHECKLOGON
    SET TIMER=0
    SET USER_ID=0
    ENDLOCAL
    GOTO END
     
    :CHECKLOGON
    FOR /F "tokens=2 delims==" %%c IN ('NETSH DIAG SHOW COMPUTER /v ^| FIND /I "username"') DO SET COMPUTER_USER_STRING=%%c
    SET COMPUTER_USER_STRING=%COMPUTER_USER_STRING:~1%
    FOR /F "tokens=2 delims=\" %%d IN ("%COMPUTER_USER_STRING%") DO SET LOGGED-IN_USER=%%d
    SET LOGGED-IN_USER=%LOGGED-IN_USER:~0,-1%
    IF "%LOGGED-IN_USER%" EQU "%USER_ID%" GOTO LOGOFF_ROUTINE
    GOTO END
     
    :LOGOFF_ROUTINE
    C:\WINDOWS\Tools\bin\NIRCMDC.exe exitwin logoff forceifhung
     
    :END
    Good Night, Kids!
    Hey, Donny! We got us a German who wants to die for his country... Oblige him. - Lt. Aldo Raine

  • #2
    You know, if you just set up a domain you could do all that with group policy and save yourself the coding.
    The Internet - where men are men, women are men, and teenage girls are FBI agents!

    I'm the least you could do
    If only life were as easy as you
    I'm the least you could do, oh yeah
    If only life were as easy as you
    I would still get screwed



    • #3
      Not quite all of it...

      The forcible Logoff would still have to be scripted.

      I actually do have a domain; I don't have the kids as members right now.
      Hey, Donny! We got us a German who wants to die for his country... Oblige him. - Lt. Aldo Raine



      • #4
        I don't suppose you'd like to explain what that code does line by line.
        Chuck
        秋音的爸爸



        • #5
          The first lines are creating the users with Day/Time login restrictions... you can alter users by omitting the password (after the username) and the /ADD switch. There are settings in there for making the user active and controlling whether or not the user can change their own password and such.

          Details can be found here.

          The next area with the cacls.exe commands specifically Denies access to the Time/Date Control panel applet in the Control Panel...

          The REG ADD Commands, which have to be applied to each user Profile (NTUSER.dat) will restrict access to the Command Line, Disable Regedit, Disable Task Manager and hide the Run portion of the Start Menu. As Gurm pointed out, these are settings which are more easily meted out via Group Policy in a Domain.

          The AT jobs call a couple of scripts which warn the user of an impending logoff. (10 minute delay, 5 minute delay, one minute for the next to last script) then finally the hammer drops (invoking the final logoff script).

          The logoff warning scripts use Nir Sofer's NIRCMDC.exe, which is a pretty nifty utility for administering Windows. These scripts also use NETSH to find the logged in console User. If there is no logged-in user, nothing happens. If the Logged-in user is on the Restricted List, they will be warned and logged-off. This functionality is not available in Group Policy without a 3rd party tool. Without such a tool, a user can stay logged-in indefinitely on a local PC, even past their account expiration. The only recourse is to reboot the box, or initiate a manual logoff.
          Hey, Donny! We got us a German who wants to die for his country... Oblige him. - Lt. Aldo Raine



          • #6
            Vista has parent controls that can do all that for you. Of course, I hate Vista at the moment so...
            “Inside every sane person there’s a madman struggling to get out”
            –The Light Fantastic, Terry Pratchett



            • #7
              The controls in Vista are nearly identical to what is presented here with few exceptions. The only thing "New" is a GUI to do it with on a Per-User basis on a Local Machine without mounting with the user's NTUSER.DAT file. In Vista, they did this by replacing the hexadecimal file format of the Registry with an XML-based one which allows editing without "mounting" the file in regedit.

              The dirty little secret of Group Policy is that it is a collection of registry hacks associated with a SID which are applied at logon. Sometimes, things can go very wrong when policies are applied over other policies: Microsoft created a tool to handle this; The Resulting Set of Policies tool is a "player" which applies policies to a workstation and checks the results as each policy is applied. This allows an administrator to catch flaws which might be created when all policies are applied at logon - you don't have any control as to what order they are applied, but the RSOP allows you to playback the "what-ifs".

              If you are an administrator on a Domain Workstation, Cruise on over to C:\WINDOWS\System32\ and look in the Hidden Folder named GroupPolicy; open any and all *.pol files in Notepad to see what pathways they use. Don't have a Domain? Open up a Group Policy Template with Notepad and start looking around. I have yet to see a policy which could not be duplicated using the REG ADD command.
              Hey, Donny! We got us a German who wants to die for his country... Oblige him. - Lt. Aldo Raine
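
Post #7's point, that a policy file is a list of registry values, can be checked by decoding the file instead of reading it in Notepad. The following is an added example, not code from the thread: a Python parser for the Registry.pol record layout (`PReg` header, then `[key;value;type;size;data]` records in UTF-16LE), run on a constructed sample holding the four values from the first post. All function names and the sample are assumptions made for illustration.

```python
import struct

ENC, REG_DWORD = "utf-16-le", 4
SEP, CLOSE = b";\x00", b"]\x00"              # UTF-16LE ';' and ']'
HEADER = b"PReg" + struct.pack("<I", 1)      # signature + format version 1

def text_field(buf, pos, lead):
    """Check the leading delimiter, then read a NUL-terminated UTF-16LE string."""
    if buf[pos:pos + 2] != lead.encode(ENC):
        raise ValueError(f"expected {lead!r} at offset {pos}")
    end = pos = pos + 2
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode(ENC), end + 2

def parse_pol(buf):
    """Return [(key, value name, type, raw data)] from Registry.pol bytes."""
    if buf[:8] != HEADER:
        raise ValueError("not a version 1 Registry.pol file")
    pos, out = 8, []
    while pos < len(buf):
        key, pos = text_field(buf, pos, "[")
        name, pos = text_field(buf, pos, ";")
        s1, rtype, s2, size, s3 = struct.unpack_from("<2sI2sI2s", buf, pos)
        end = pos + 14 + size
        data = buf[pos + 14:end]             # taken by length: data may contain ']' or ';'
        if (s1, s2, s3) != (SEP,) * 3 or len(data) != size or buf[end:end + 2] != CLOSE:
            raise ValueError(f"malformed record near offset {pos}")
        out.append((key, name, rtype, data))
        pos = end + 2
    return out

def as_reg_add(entries, root="HKCU"):
    """Render DWORD entries as the equivalent REG ADD command lines."""
    return [f"REG ADD {root}\\{k} /v {n} /t REG_DWORD /d {struct.unpack('<I', d)[0]} /f"
            for k, n, t, d in entries if t == REG_DWORD and len(d) == 4]

def make_entry(key, name, rtype, data):      # builder for the constructed sample
    head = f"[{key}\0;{name}\0".encode(ENC)
    return head + struct.pack("<2sI2sI2s", SEP, rtype, SEP, len(data), SEP) + data + CLOSE

# Constructed sample: the four per-user restrictions from the first post.
CV = r"Software\Microsoft\Windows\CurrentVersion\Policies"
SAMPLE = HEADER + b"".join(make_entry(k, n, REG_DWORD, struct.pack("<I", 1)) for k, n in [
    (r"Software\Policies\Microsoft\Windows\System", "DisableCMD"),
    (CV + r"\System", "DisableRegistryTools"), (CV + r"\System", "DisableTaskMgr"),
    (CV + r"\Explorer", "NoRun")])
print("\n".join(as_reg_add(parse_pol(SAMPLE))))
```

Run against a real file by passing the bytes of a Registry.pol to `parse_pol`; the rendered lines show which registry values a policy would set, which is the comparison post #7 describes.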



              • #8
                Just wait till Kiddies decide to lock out daddy.
                Chief Lemon Buyer no more Linux sucks but not as much
                Weather nut and sad git.

                My Weather Page



                • #9
                  The Kiddies aren't Admins... and Daddy has his Windows PE Image to fall back on...
                  Hey, Donny! We got us a German who wants to die for his country... Oblige him. - Lt. Aldo Raine



                  • #10
                    I'll never forget the day I added the automatic internet disconnect from my Linksys router to my son's computer. For weeks, we had been telling him to get off. He would always wait until we yelled at him to get off, usually 5-10 minutes after the agreed upon time.

                    Finally, I turned it on and he was booted promptly at 9pm. At first he thought it was something wrong with his puter, but then he saw the big shit-eatin-grin I had on my face and knew. We never had a problem again and everyone lived happily ever after (yeah right).

                    Fast forward to today. Now he is 18, so I bought him his own laptop and I don't monitor what he downloads, looks at, finds, etc...but I do boot him off still by 11pm. I don't want him staying up all hours of the night finding shit he doesn't need to find. When he moves out, he can decide what he wants to do.
                    Ladies and gentlemen, take my advice, pull down your pants and slide on the ice.
