
SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Houston, TX
kudos:4

[XPPro] Run batch file per user login

I am trying to run batch files based on the user that logs into Windows.

If user #1 logs in I want to run batch1.bat
If user #2 logs in I want to run batch2.bat

The startup folder and the current user run reg keys apply to all users who log in.



plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:2

I don't have an XP machine handy right now, but I thought there was a specific startup folder per profile, located somewhere in this directory area

C:\Documents and Settings\User\something....\Start Menu\Programs\Startup.

In Windows 7 (for reference), the path is

C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Each user should have that folder structure. If you place shortcuts in that location, it should only run when a given user logs in.

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


wolfy339

join:2005-04-30
Edmonds, WA

or use [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] for each user


OZO
Premium
join:2003-01-17
kudos:2
reply to plencnerb

The proper syntax for the user-specific folder (where you may put the BAT file) is this:
%USERPROFILE%\Start Menu\Programs\Startup
It should work in any Windows OS.

--
Keep it simple, it'll become complex by itself...


LLigetfa

join:2006-05-15
Fort Frances, ON
kudos:1
reply to SipSizzurp

said by SipSizzurp:

The startup folder and the current user run reg keys apply to all users who log in.

They are individual startup folders for each user and HKCU is just smoke and mirrors of HKU\@SID.
--
Strange as it seems, no amount of learning can cure stupidity, and formal education positively fortifies it. -- Stephen Vizinczey

SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Houston, TX
kudos:4
reply to OZO

said by OZO:

The proper syntax for the user-specific folder (where you may put the BAT file) is this:
%USERPROFILE%\Start Menu\Programs\Startup

Ahh yes, so it is. I would like to do this from the registry since one of the users is a "power user" and may find the startup folder. I think the info provided should get me going. I will be testing later this evening.

Thanks to everyone !

LLigetfa

join:2006-05-15
Fort Frances, ON
kudos:1

If the user whose HKCU you are targeting is not logged on locally, you can load that person's hive to edit. If the user is logged on, the hive will be loaded and you can edit it remotely.
--
Strange as it seems, no amount of learning can cure stupidity, and formal education positively fortifies it. -- Stephen Vizinczey
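
Added example, not part of any post in this thread: a read-only PowerShell inventory of the two per-user logon launch points discussed above, the per-profile Startup folder and the Run key under each user's HKU\<SID> hive. It assumes PowerShell 2.0 or later (not installed by default on XP) and an elevated prompt; the function names are made up for this example.

```powershell
# Added example (read-only): list per-user logon autoruns for every local profile.
# Assumes PowerShell 2.0+ and an elevated prompt; function names are illustrative.
$runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
$userSid   = '^S-1-5-21-[\d-]+$'   # real accounts; skips .DEFAULT, service SIDs, *_Classes

function Resolve-SidName([string]$Sid) {
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }               # deleted account: fall back to the raw SID
}

function Get-PerUserRunEntries {
    # HKCU is a view of HKU\<SID>; only hives that are loaded right now appear here.
    # A logged-off user's NTUSER.DAT has to be loaded (reg load) before it shows up.
    $hku = [Microsoft.Win32.Registry]::Users
    foreach ($sid in $hku.GetSubKeyNames()) {
        if ($sid -notmatch $userSid) { continue }
        $key = $hku.OpenSubKey("$sid\$runSubKey")
        if ($null -eq $key) { continue }
        $user = Resolve-SidName $sid
        foreach ($name in $key.GetValueNames()) {
            # Keep %VAR% references unexpanded so the stored command is shown as written
            $opt = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
            New-Object PSObject -Property @{ User = $user; Name = $name
                Command = $key.GetValue($name, $null, $opt); Source = "HKU\$sid\$runSubKey" }
        }
        $key.Close()
    }
}

function Get-PerUserStartupItems {
    # Profile directories come from ProfileList, so logged-off users are covered too.
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $relPaths = 'Start Menu\Programs\Startup',                                   # XP layout
                'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'  # Windows 7 layout
    foreach ($p in Get-ChildItem $profileList) {
        if ($p.PSChildName -notmatch $userSid) { continue }
        $user = Resolve-SidName $p.PSChildName
        $root = (Get-ItemProperty $p.PSPath).ProfileImagePath
        foreach ($rel in $relPaths) {
            $dir = Join-Path $root $rel
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            foreach ($f in Get-ChildItem -LiteralPath $dir -Force) {
                if ($f.Name -eq 'desktop.ini') { continue }
                New-Object PSObject -Property @{ User = $user; Name = $f.Name
                    Command = $f.FullName; Source = 'Startup folder' }
            }
        }
    }
}

@(Get-PerUserRunEntries) + @(Get-PerUserStartupItems) | Sort-Object User, Source |
    Format-Table User, Name, Command, Source -AutoSize -Wrap
```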



mmainprize

join:2001-12-06
Houghton Lake, MI
Reviews:
·Charter

1 edit
reply to SipSizzurp

If you want a different script for each user then you add it to the user profile.

See here for more details
»technet.microsoft.com/en-us/libr···314.aspx

SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Houston, TX
kudos:4

1 edit

said by mmainprize:

If you want a different script for each user then you add it to the user profile.

Yes, that is exactly what I need. Your additional screen shot will help.

I had been waiting until I had a working solution to the problem in place before updating the thread, but the detail of what I need to accomplish is as follows ;

I have 1 computer that is shared by the day shift and the night shift. The day shift is administrator level that needs no restriction and needs 100% access. The night shift needs to be restricted as much as possible, both with internet access and computer modification.

I now have two batch files based on IPSec rules that enable or disable port 80. When the day shift logs in I want to run the port 80 enable batch file. When the night shift logs in I want to run the port 80 block batch file.


60632649
Premium
join:2003-09-29
New York, NY

2 edits
reply to SipSizzurp

This can be done in Group Policy Editor... gpedit.msc. Start it with Start...Run... gpedit.msc.

The option is Local Computer Policy... Windows Settings... User Configuration... Scripts (Logon/Logoff), that's global for all users, the method for doing it for specific users has already been mentioned in this thread.

Edit: You'll need to make sure that all the users have access to that script or whatever's being executed. Also give the full path filename in gpedit, the script will also need to do a change directory if it's expecting files to be available in its current directory.

If you want to be extra secure and it's a batch file, path out cmd.exe in gpedit, such as
c:\windows\system32\cmd.exe /c c:\temp\usefulstuff.bat option1 option2

Open up a cmd prompt and do cmd /? for some help.
Also deny write access to the directory and anything in it that you don't want the users writing to. Easy with NTFS.



60632649
Premium
join:2003-09-29
New York, NY
reply to SipSizzurp

Check out set /?

You can parse the results of %time% and %date% in a batch file to run things according to what you deem necessary. The file for security should maybe do a setlocal, set the format to something specific, parse and execute, then endlocal, though the latter's probably not necessary since the script will end and it has its own environment.


SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Houston, TX
kudos:4
reply to 60632649

said by 60632649:

The option is Local Computer Policy... Windows Settings... User Configuration... Scripts (Logon/Logoff), that's global for all users, the method for doing it for specific users has already been mentioned in this thread.

Edit: You'll need to make sure that all the users have access to that script or whatever's being executed. Also give the full path filename in gpedit, the script will also need to do a change directory if it's expecting files to be available in its current directory.

If you want to be extra secure and it's a batch file, path out cmd.exe in gpedit, such as
c:\windows\system32\cmd.exe /c c:\temp\usefulstuff.bat option1 option2

Thanks for the extra insight. I had found the gpedit Logon/Logoff option, but when I tried to use the Logoff option the browser would lose connection to the internet. My test machine is running DeepFreeze, so I think that snag may have been due to a conflict with some of the permission modifications that DeepFreeze uses. Maybe specifying the additional path info could have been a factor. I was planning to investigate further and update the thread, but got sidetracked on some new diversions.

Another problem I found was that my limited user account does not have permission to execute IPsec commands, which really threw a monkey wrench into my plans. Now I am trying to do everything from the admin user account ; Enable port 80 at logon and disable it at logoff.


60632649
Premium
join:2003-09-29
New York, NY

said by SipSizzurp:

said by 60632649:

The option is Local Computer Policy... Windows Settings... User Configuration... Scripts (Logon/Logoff), that's global for all users, the method for doing it for specific users has already been mentioned in this thread.

Edit: You'll need to make sure that all the users have access to that script or whatever's being executed. Also give the full path filename in gpedit, the script will also need to do a change directory if it's expecting files to be available in its current directory.

If you want to be extra secure and it's a batch file, path out cmd.exe in gpedit, such as
c:\windows\system32\cmd.exe /c c:\temp\usefulstuff.bat option1 option2

Thanks for the extra insight. I had found the gpedit Logon/Logoff option, but when I tried to use the Logoff option the browser would lose connection to the internet. My test machine is running DeepFreeze, so I think that snag may have been due to a conflict with some of the permission modifications that DeepFreeze uses. Maybe specifying the additional path info could have been a factor. I was planning to investigate further and update the thread, but got sidetracked on some new diversions.

Another problem I found was that my limited user account does not have permission to execute IPsec commands, which really threw a monkey wrench into my plans. Now I am trying to do everything from the admin user account ; Enable port 80 at logon and disable it at logoff.

Your plans seem pretty simple, that's disable internet access for some people at a certain period of time. I'm not going to write this for you, I have no interest in it. However, have you considered blocking at a step away, at the hardware level... Seems to me that it's your job, so deal with it.

SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Houston, TX
kudos:4

said by 60632649:

However, have you considered blocking at a step away, at the hardware level... Seems to me that it's your job, so deal with it.

I can easily block it at the router but then I would have to teach the user how to program the router. I prefer a more seamless solution for this installation. If I can figure out how to run IPsec commands from a limited user account then this would all be very easy. My workload seems to come in waves, so in a couple more days I should have the time to make a test machine and have another go at the configs.
Thanks !

SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Houston, TX
kudos:4
reply to 60632649

said by 60632649:

I'm not going to write this for you, I have no interest in it.

Manually running the batch file without using the GPedit scheduler results in this ;

Limited Account
N:\Support Tools>block80
 
N:\Support Tools>IPSeccmd.exe -w REG -p "Block TCP 80 Outbound Filter" -r "Block O
utbound TCP 80 Rule" -f 0=*:80:TCP -n BLOCK -x
Error converting policy: 0x5
 
The command completed successfully.
 

From Admin account ;
N:\Support Tools>block80
 
N:\Support Tools>IPSeccmd.exe -w REG -p "Block TCP 80 Outbound Filter" -r "Block O
utbound TCP 80 Rule" -f 0=*:80:TCP -n BLOCK -x
 
The command completed successfully.
 

Take your time drumming up interest. It will be at least a week before I can play with it again. Notice that the limited user account has the error "Error converting policy: 0x5" which keeps it from working. I'll update accordingly.
Thanks ! :)

LLigetfa

join:2006-05-15
Fort Frances, ON
kudos:1

Can you run it as a scheduled task using the admin account?


SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Houston, TX
kudos:4
reply to LLigetfa


said by LLigetfa:

Can you run it as a scheduled task using the admin account?

Yes, I have been doing that as a workaround and it works. Problem is that the elevated users do not always follow the set work schedule that the scheduled task is set for.

From the admin account I need to successfully run the disable command at LogOff, and that is where I'm stuck. Still working on other options as time permits. I do have the router on a schedule to control that machine but it is a matter of time until the manager works late and needs internet to work.

The log-off script from GPedit seems to destroy all internet activity permanently, and subsequently running the enable script does not fix it. I've been testing on my DeepFreeze machine and am afraid to test on the production machine until I know why it happens. I'm about to format up a fresh XP copy on a spare drive to further test. Thanks for your interest.

This is the command I run from a batch file. If I could permanently apply that to only the limited user and not to the admin account then I could eliminate all the switching.
IPSeccmd.exe -w REG -p "Block TCP 80 Outbound Filter" -r "Block Outbound TCP 80 Rule" -f 0=*:80:TCP -n BLOCK -x
 

LLigetfa

join:2006-05-15
Fort Frances, ON
kudos:1

Schedule it to run at logon and check that it is the peon account logging on.


SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Houston, TX
kudos:4

said by LLigetfa:

Schedule it to run at logon and check that it is the peon account logging on.

I just tried that with no success. I tried all of these combinations ;

1 - When logged on as admin, schedule a logon task with limited user credentials. Task would not create due to mismatched creds.

2 - When logged on as admin, schedule a logon task with admin creds. This works as expected, but does not affect the LUA login.

3 - When logged on as LUA create a task that blocks port 80 using LUA credentials. IPsec will not run due to lack of privileges.

4 - When logged on as LUA create a task that blocks port 80 using Admin creds. Task will not create due to credential problem.

Now I am looking for a whole new approach. Maybe even an automated script to re-program the router, but that might get a bit hairier than this project calls for.

SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Houston, TX
kudos:4
reply to SipSizzurp


Problem solved. Do you think this might cause other issues ? The LUA account seems to work properly otherwise. I can even select "Run As" and provide the admin creds and it works anyway.

LLigetfa

join:2006-05-15
Fort Frances, ON
kudos:1
reply to SipSizzurp

What prevents the user from installing and using Chrome?


SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Houston, TX
kudos:4

said by LLigetfa:

What prevents the user from installing and using Chrome?

I justa saiz "Oops Upside Your Head"

»www.youtube.com/watch?v=JlMIzAl_nDo


If they can't take a hint then I'll just bust out some Faronics Anti-executable on their nasty azzes.


mmainprize

join:2001-12-06
Houghton Lake, MI
Reviews:
·Charter
reply to SipSizzurp

said by SipSizzurp:

said by LLigetfa:

Schedule it to run at logon and check that it is the peon account logging on.

I just tried that with no success. I tried all of these combinations ;

1 - When logged on as admin, schedule a logon task with limited user credentials. Task would not create due to mismatched creds.

2 - When logged on as admin, schedule a logon task with admin creds. This works as expected, but does not affect the LUA login.

3 - When logged on as LUA create a task that blocks port 80 using LUA credentials. IPsec will not run due to lack of privileges.

4 - When logged on as LUA create a task that blocks port 80 using Admin creds. Task will not create due to credential problem.

Now I am looking for a whole new approach. Maybe even an automated script to re-program the router, but that might get a bit hairier than this project calls for.

You run the task as Admin but edit the trigger for logon and user
see attached

SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Houston, TX
kudos:4

2 edits

.
I do not see that ability in XP, but I am understanding more about what does not work !


60632649
Premium
join:2003-09-29
New York, NY

1 recommendation

reply to SipSizzurp

You might want to try running the program or batch file with the runas command, it'll allow a program to be run with a different user context. The problem might be the password on the account, the password has to be stored somewhere. You might be better off making a user group that has the required permissions to run everything in the first place then associating that group to all the users.

runas is generally in [boot drive]windows/system32

C:\TEMP>runas /?
 
RUNAS USAGE:
 
RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /user:<UserName> program
 
RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /smartcard [/user:<UserName>] program
 
   /noprofile        specifies that the user's profile should not be loaded.
                     This causes the application to load more quickly, but
                     can cause some applications to malfunction.
   /profile          specifies that the user's profile should be loaded.
                     This is the default.
   /env              to use current environment instead of user's.
   /netonly          use if the credentials specified are for remote
                     access only.
   /savecred         to use credentials previously saved by the user.
                     This option is not available on Windows XP Home Edition
                     and will be ignored.
   /smartcard        use if the credentials are to be supplied from a
                     smartcard.
   /user             <UserName> should be in form USER@DOMAIN or DOMAIN\USER
   program         command line for EXE.  See below for examples
 
Examples:
> runas /noprofile /user:mymachine\administrator cmd
> runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
> runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""
 
NOTE:  Enter user's password only when prompted.
NOTE:  USER@DOMAIN is not compatible with /netonly.
NOTE:  /profile is not compatible with /netonly.
 

You can pump in the password using redirection but it has to come from somewhere and the user context won't be set up properly yet to make it read only. You could schedule a task that runs every minute or whatever and type the password in yourself on scheduling,

cmd.exe "... \pw\password.txt"
that sort of thing.


60632649
Premium
join:2003-09-29
New York, NY

1 edit

1 recommendation

reply to SipSizzurp

If you use the /savecred switch it'll save the password then using the /savecred switch again, it'll be on auto pilot.

runas /noprofile /savecred /user:mymachine\administrator cmd

That first time you'll have to enter the password.

Then the other times through login/logout scripts
runas /noprofile /savecred /user:mymachine\administrator cmd

That might do it.


SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Houston, TX
kudos:4

Mohito, thanks a lot for going into this amount of detail. A lot of this stuff is just below the surface of what I am familiar with. I will spend some time configuring with these options and it looks like it will help quite a lot.