60632649 (banned) join:2003-09-29 New York, NY |
to SipSizzurp
Re: [XPPro] Run batch file per user login
said by SipSizzurp:
said by 60632649:
The option is Local Computer Policy... Windows Settings... User Configuration... Scripts (Logon/Logoff), that's global for all users, the method for doing it for specific users has already been mentioned in this thread.
Edit: You'll need to make sure that all the users have access to that script or whatever's being executed. Also give the full path filename in gpedit, the script will also need to do a change directory if it's expecting files to be available in its current directory.
If you want to be extra secure and it's a batch file, path out cmd.exe in gpedit, such as c:\windows\system32\cmd.exe /c c:\temp\usefulstuff.bat option1 option2
Thanks for the extra insight. I had found the gpedit Logon/Logoff option, but when I tried to use the Logoff option the browser would lose connection to the internet. My test machine is running DeepFreeze, so I think that snag may have been due to a conflict with some of the permission modifications that DeepFreeze uses. Maybe specifying the additional path info could have been a factor. I was planning to investigate further and update the thread, but got sidetracked on some new diversions. Another problem I found was that my limited user account does not have permission to execute IPsec commands, which really threw a monkey wrench into my plans. Now I am trying to do everything from the admin user account: enable port 80 at logon and disable it at logoff.
Your plans seem pretty simple, that's disable internet access for some people at a certain period of time. I'm not going to write this for you, I have no interest in it. However, have you considered blocking at a step away, at the hardware level... Seems to me that it's your job, so deal with it. |
|
SipSizzurp Fo' Shizzle Premium Member join:2005-12-28 Houston, TX |
said by 60632649:
However, have you considered blocking at a step away, at the hardware level... Seems to me that it's your job, so deal with it.
I can easily block it at the router but then I would have to teach the user how to program the router. I prefer a more seamless solution for this installation. If I can figure out how to run IPsec commands from a limited user account then this would all be very easy. My workload seems to come in waves, so in a couple more days I should have the time to make a test machine and have another go at the configs. Thanks! |
|
SipSizzurp |
to 60632649
said by 60632649:
I'm not going to write this for you, I have no interest in it.
Manually running the batch file without using the GPedit scheduler results in this:
Limited Account
N:\Support Tools>block80
N:\Support Tools>IPSeccmd.exe -w REG -p "Block TCP 80 Outbound Filter" -r "Block O
utbound TCP 80 Rule" -f 0=*:80:TCP -n BLOCK -x
Error converting policy: 0x5
The command completed successfully.
From Admin account:
N:\Support Tools>block80
N:\Support Tools>IPSeccmd.exe -w REG -p "Block TCP 80 Outbound Filter" -r "Block O
utbound TCP 80 Rule" -f 0=*:80:TCP -n BLOCK -x
The command completed successfully.
Take your time drumming up interest. It will be at least a week before I can play with it again. Notice that the limited user account has the error "Error converting policy: 0x5" which keeps it from working. I'll update accordingly. Thanks! :) |
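An added example, not part of any post in this thread: a wrapper for the block80 batch file that follows the full-path and change-directory advice given earlier and catches the failure shown in the limited-account output, where IPSeccmd prints "Error converting policy: 0x5" (Win32 access denied) and then still reports "The command completed successfully." The log file name and the assumption that IPSeccmd.exe sits in the same folder as the script are illustrative.

```bat
@echo off
rem Added example, not from the thread. Assumptions: IPSeccmd.exe is in the
rem same folder as this script, and the log file name below is made up.
setlocal

rem Work from the script's own folder so relative file names resolve even
rem when the script is started by a logon policy or a scheduled task.
cd /d "%~dp0"

set "LOG=%TEMP%\block80.log"

rem Command line as posted in the thread, called by full path and with
rem both stdout and stderr captured.
"%~dp0IPSeccmd.exe" -w REG -p "Block TCP 80 Outbound Filter" -r "Block Outbound TCP 80 Rule" -f 0=*:80:TCP -n BLOCK -x > "%LOG%" 2>&1

rem The closing "completed successfully" line is printed even when the
rem policy was not written, so look for the error line instead.
findstr /C:"Error converting policy" "%LOG%" > nul
if not errorlevel 1 goto failed

echo Port 80 block policy applied by %USERNAME%.
exit /b 0

:failed
rem 0x5 is the Win32 access-denied code: the account running this script
rem cannot write the IPsec policy to the registry.
echo Port 80 block policy NOT applied for %USERNAME%. Tool output follows.
type "%LOG%"
exit /b 5
```

A non-zero exit code from the wrapper gives a scheduled task or logon script something reliable to log, which the tool's own final line does not.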
|
|
Can you run it as a scheduled task using the admin account? |
|
SipSizzurp Fo' Shizzle Premium Member join:2005-12-28 Houston, TX |
to LLigetfa
Re: [XPPro] Run batch file per user login
said by LLigetfa:
Can you run it as a scheduled task using the admin account?
Yes, I have been doing that as a workaround and it works. Problem is that the elevated users do not always follow the set work schedule that the scheduled task is set for. From the admin account I need to successfully run the disable command at LogOff, and that is where I'm stuck. Still working on other options as time permits. I do have the router on a schedule to control that machine but it is a matter of time until the manager works late and needs internet to work. The log-off script from GPedit seems to destroy all internet activity permanently, and subsequently running the enable script does not fix it. I've been testing on my DeepFreeze machine and am afraid to test on the production machine until I know why it happens. I'm about to format up a fresh XP copy on a spare drive to further test. Thanks for your interest. This is the command I run from a batch file. If I could permanently apply that to only the limited user and not to the admin account then I could eliminate all the switching.
IPSeccmd.exe -w REG -p "Block TCP 80 Outbound Filter" -r "Block Outbound TCP 80 Rule" -f 0=*:80:TCP -n BLOCK -x
|
|
|
Schedule it to run at logon and check that it is the peon account logging on. |
|
SipSizzurp Fo' Shizzle Premium Member join:2005-12-28 Houston, TX |
said by LLigetfa:
Schedule it to run at logon and check that it is the peon account logging on.
I just tried that with no success. I tried all of these combinations:
1 - When logged on as admin, schedule a logon task with limited user credentials. Task would not create due to mismatched creds.
2 - When logged on as admin, schedule a logon task with admin creds. This works as expected, but does not affect the LUA login.
3 - When logged on as LUA create a task that blocks port 80 using LUA credentials. IPsec will not run due to lack of privileges.
4 - When logged on as LUA create a task that blocks port 80 using Admin creds. Task will not create due to credential problem.
Now I am looking for a whole new approach. Maybe even an automated script to re-program the router, but that might get a bit hairier than this project calls for. |
|
|
to SipSizzurp
Re: [XPPro] Run batch file per user login
said by SipSizzurp:
said by LLigetfa:
Schedule it to run at logon and check that it is the peon account logging on.
I just tried that with no success. I tried all of these combinations:
1 - When logged on as admin, schedule a logon task with limited user credentials. Task would not create due to mismatched creds.
2 - When logged on as admin, schedule a logon task with admin creds. This works as expected, but does not affect the LUA login.
3 - When logged on as LUA create a task that blocks port 80 using LUA credentials. IPsec will not run due to lack of privileges.
4 - When logged on as LUA create a task that blocks port 80 using Admin creds. Task will not create due to credential problem.
Now I am looking for a whole new approach. Maybe even an automated script to re-program the router, but that might get a bit hairier than this project calls for.
You run the task as Admin but edit the trigger for logon and user, see attached. |
|
SipSizzurp Fo' Shizzle Premium Member join:2005-12-28 Houston, TX |
I do not see that ability in XP, but I am understanding more about what does not work! |
|
|
Sorry about the scheduled task screenshot, that was from Windows 8 and should be about the same as Windows 7. I thought you were running Windows 7 but I see it clearly states WinXP on the first post. As you pointed out, not as many options in XP. I did not try it on XP. |
|