SipSizzurpFo' ShizzlePremium
join:2005-12-28
Houston, TX
kudos:4 | [XPPro] Run batch file per user login I am trying to run batch files based on the user that logs into Windows.
If user #1 logs in I want to run batch1.bat
If user #2 logs in I want to run batch2.bat
The startup folder and the current user run reg keys apply to all users who log in. |
|
 plencnerbPremium
join:2000-09-25
Elgin, IL
kudos:2 | I don't have an XP machine handy right now, but I thought there was a specific startup folder per profile, located somewhere in this directory area
C:\Documents and Settings\User\something....\Start Menu\Programs\Startup.
In Windows 7 (for reference), the path is
C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Each user should have that folder structure. If you place shortcuts in that location, it should only run when a given user logs in.
--Brian
--
============================
--Brian Plencner
E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail |
|
| or use [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] for each user |
|
|
|
OZOPremium
join:2003-01-17
kudos:2 | reply to plencnerb
The proper syntax for user-specific folder (where you may put BAT file) is this:
%USERPROFILE%\Start Menu\Programs\Startup
It should work in any Windows OS.
--
Keep it simple, it'll become complex by itself... |
|
LLigetfa
join:2006-05-15
Fort Frances, ON
kudos:1 | reply to SipSizzurp
said by SipSizzurp:The startup folder and the current user run reg keys apply to all users who log in.
They are individual startup folders for each user and HKCU is just smoke and mirrors of HKU\@SID.
--
Strange as it seems, no amount of learning can cure stupidity, and formal education positively fortifies it. -- Stephen Vizinczey |
|
SipSizzurpFo' ShizzlePremium
join:2005-12-28
Houston, TX
kudos:4 | reply to OZO
said by OZO:The proper syntax for user-specific folder (where you may put BAT file) is this:
%USERPROFILE%\Start Menu\Programs\Startup
Ahh yes, so it is. I would like to do this from the registry since one of the users is a "power user" and may find the startup folder. I think the info provided should get me going. I will be testing later this evening.
Thanks to everyone ! |
|
LLigetfa
join:2006-05-15
Fort Frances, ON
kudos:1 | If the user who's HKCU you are targeting is not logged on locally, you can load that person's hive to edit. If the user is logged on, the hive will be loaded and you can edit it remotely.
--
Strange as it seems, no amount of learning can cure stupidity, and formal education positively fortifies it. -- Stephen Vizinczey |
|
1 edit | reply to SipSizzurp
If you want a different script for each user then you add it the user profile.
See her for more details
»technet.microsoft.com/en-us/libr···314.aspx |
|
SipSizzurpFo' ShizzlePremium
join:2005-12-28
Houston, TX
kudos:4
1 edit | said by mmainprize:If you want a different script for each user then you add it the user profile.
Yes, that is exactly what I need. Your additional screen shot will help.
I had been waiting until I had a working solution to the problem in place before updating the thread, but the detail of what I need to accomplish is as follows ;
I have 1 computer that is shared by the day shift and the night shift. The day shift is administrator level that needs no restriction and needs 100% access. The night shift needs to be restricted as much as possible, both with internet access and computer modification.
I now have two batch files based on IPSec rules that enable or disable port 80. When the day shift logs in I want to run the port 80 enable batch file. When the night shift logs in I want to run the port 80 block batch file. |
|
 60632649Premium
join:2003-09-29
New York, NY
2 edits | reply to SipSizzurp
This can be done in Group Policy Editor... gpedit.msc. Start it with Start...Run... gpedit.msc.
The option is Local Computer Policy... Windows Settings... User Configuration... Scripts (Logon/Logoff), that's global for all users, the method for doing it for specific users has already been mentioned in this thread.
Edit: You'll need to make sure that all the users have access to that script or whatever's being executed. Also give the full path filename in gpedit, the script will also need to do a change directory if it's expecting files to be available in it's current directory.
If you want to be extra secure and it's a batch file, path out cmd.exe in gpedit, such as
c:\windows\system32\cmd.exe /c c:\temp\usefulstuff.bat option1 option2
Open up a cmd prompt and do cmd /? for some help.
Also deny write access to the directory and anything in it that you don't want the user's writing to. Easy with NTFS. |
|
60632649Premium
join:2003-09-29
New York, NY | reply to SipSizzurp
Check out set /?
You can parse the results of %time% and %date% in batch file to run things according to what you deem necessary. The file for security should maybe do a setlocal, set the format to something specific, parse and execute, then endlocal, though the latter's probably not necessary since the script will end and it has it's own environment. |
|
SipSizzurpFo' ShizzlePremium
join:2005-12-28
Houston, TX
kudos:4 | reply to 60632649
said by 60632649:The option is Local Computer Policy... Windows Settings... User Configuration... Scripts (Logon/Logoff), that's global for all users, the method for doing it for specific users has already been mentioned in this thread.
Edit: You'll need to make sure that all the users have access to that script or whatever's being executed. Also give the full path filename in gpedit, the script will also need to do a change directory if it's expecting files to be available in it's current directory.
If you want to be extra secure and it's a batch file, path out cmd.exe in gpedit, such as
c:\windows\system32\cmd.exe /c c:\temp\usefulstuff.bat option1 option2 Thanks for the extra insight. I had found the gpedit Logon/Logoff option, but when I tried to use the Logoff option the browser would lose connection to the internet. My test machine is running DeepFreeze, so I think that snag may have been due to a conflict with some of the permission modifications that DeepFreeze uses. Maybe specifying the additional path info could have be a factor. I was planning to investigate further and update the thread, but got side tracked on some new diversions.
Another problem I found was that my limited user account does not have permission to execute IPsec commands, which really threw a monkey wrench into my plans. Now I am trying to do everything from the admin user account ; Enable port 80 at logon and disable it a logoff. |
|
60632649Premium
join:2003-09-29
New York, NY | said by SipSizzurp:said by 60632649:The option is Local Computer Policy... Windows Settings... User Configuration... Scripts (Logon/Logoff), that's global for all users, the method for doing it for specific users has already been mentioned in this thread.
Edit: You'll need to make sure that all the users have access to that script or whatever's being executed. Also give the full path filename in gpedit, the script will also need to do a change directory if it's expecting files to be available in it's current directory.
If you want to be extra secure and it's a batch file, path out cmd.exe in gpedit, such as
c:\windows\system32\cmd.exe /c c:\temp\usefulstuff.bat option1 option2 Thanks for the extra insight. I had found the gpedit Logon/Logoff option, but when I tried to use the Logoff option the browser would lose connection to the internet. My test machine is running DeepFreeze, so I think that snag may have been due to a conflict with some of the permission modifications that DeepFreeze uses. Maybe specifying the additional path info could have be a factor. I was planning to investigate further and update the thread, but got side tracked on some new diversions. Another problem I found was that my limited user account does not have permission to execute IPsec commands, which really threw a monkey wrench into my plans. Now I am trying to do everything from the admin user account ; Enable port 80 at logon and disable it a logoff. Your plans seem pretty simple, that's disable internet access for some people at a certain period of time. I'm not going to write this for you, I have no interest in it. However, have you considered blocking at a step away, at the hardware level... Seems to me that it's your job, so deal with it. |
|
SipSizzurpFo' ShizzlePremium
join:2005-12-28
Houston, TX
kudos:4 | said by 60632649:However, have you considered blocking at a step away, at the hardware level... Seems to me that it's your job, so deal with it.
I can easily block it at the router but then I would have to teach the user how to program the router. I prefer a more seamless solution for this installation. If I can figure out how to run IPsec commands from a limited user account then this would all be very easy. MY work load seems to come in waves, so in a couple more days I should have the time to make a test machine and have another go at the configs.
Thanks ! |
|
SipSizzurpFo' ShizzlePremium
join:2005-12-28
Houston, TX
kudos:4 | reply to 60632649
said by 60632649:I'm not going to write this for you, I have no interest in it. Manually running the batch file without using the GPedit scheduler results in this ;
Limited Account
N:\Support Tools>block80
N:\Support Tools>IPSeccmd.exe -w REG -p "Block TCP 80 Outbound Filter" -r "Block O
utbound TCP 80 Rule" -f 0=*:80:TCP -n BLOCK -x
Error converting policy: 0x5
The command completed successfully.
From Admin account ;
N:\Support Tools>block80
N:\Support Tools>IPSeccmd.exe -w REG -p "Block TCP 80 Outbound Filter" -r "Block O
utbound TCP 80 Rule" -f 0=*:80:TCP -n BLOCK -x
The command completed successfully.
Take you time drumming up interest. It will be a at least a week before I can play with it again. Notice that the limited user account has the error "Error converting policy: 0x5" which keeps it from working. I'll update accordingly.
Thanks ! :) |
|
LLigetfa
join:2006-05-15
Fort Frances, ON
kudos:1 | Can you run it as a scheduled task using the admin account? |
|
SipSizzurpFo' ShizzlePremium
join:2005-12-28
Houston, TX
kudos:4 | reply to LLigetfa
Re: [XPPro] Run batch file per user loginsaid by LLigetfa:Can you run it as a scheduled task using the admin account?
Yes, I have been doing that as a work around and it works. Problem is that the elevated users do not always follow the set work schedule that the scheduled task is set for.
From the admin account I need to successfully run the disable command at LogOff, and that is where I'm stuck. Still working on other options as time permits. I do have the router on a shedule to control that machine but it is a matter of time until the manager works late and needs internet to work.
The log-off script from GPedit seems to destroy all internet activity permanently, and subsequently running the enable script does not fix it. I've been testing on my DeepFreeze machine and am afraid to test on the production machine until I know why it happens. I'm about to format up a fresh XP copy on a spare drive to further test. Thanks for your interest.
This is the command I run from a batch file. If I could permanently apply that to only the limited user and not to the admin account then I could eliminate all the switching.
IPSeccmd.exe -w REG -p "Block TCP 80 Outbound Filter" -r "Block Outbound TCP 80 Rule" -f 0=*:80:TCP -n BLOCK -x
|
|
LLigetfa
join:2006-05-15
Fort Frances, ON
kudos:1 | Schedule it to run at logon and check that it is the peon account logging on. |
|
