policies
Per Funke
per.funke at hoe.se
Mon Feb 23 13:13:02 EST 1998
Referring to the problem outlined below (in a Windows NT environment, mind you)...
If you want the users to run only one application, set it as a shell, delete the rights to read and execute c:\winnt\system32\taskmgr.exe for Everyone so they can't press Ctrl-Alt-Del and start new processes via the Task Manager.
To fix this I would recommend you to put the attached Own.adm file (text follows below this message; enter it in a .txt file with Notepad and change the name to Own.adm) in the c:\winnt\inf directory.
Start the Policy Editor but do not open any policy files.
Click Options, Templates and then add Own.adm.
Stop and restart the Policy Editor. In all "Machine" icons you will now have the choice to check Autologin and to give the login parameters, all under the "Own Additions" key.
(Don't forget to check the Network, System policies update, Remote policy also, otherwise policies won't work at all...)
You will also be able to enter a shell (e.g. "c:\program files\netscape\communicator\program\netscape.exe").
Save this file in c:\winnt\system32\repl\import\scripts\NTConfig.pol.
When the station is powered up, manually log in and out. The next time the station is powered up it logs in on the network automatically and then starts Netscape. There is just one snag: if the user succeeds in halting Netscape they will be left with a green screen and no buttons or help at all. To stop this from happening we have made a small program that starts the application and remembers the window title. As soon as that window is closed (= Netscape or whatever is stopped by mistake) the program restarts the application in a matter of seconds.
Then the line entered to start a shell is changed to:
"c:\util\st5.exe c:\program files\netscape\communicator\program\netscape.exe c:\util"
where st5.exe is our little program and the "c:\util" at the other end is the working dir.
If anyone needs this utility I think we can give it away. (The person holding the rights is not here this minute, I'll have to ask him first.)
There is already a choice to enter a shell application in the Policy Editor's User icon, but in this way nobody can log on to this machine and find anything else but Netscape, because it depends on the machine, not the user, if you follow the above instructions.
By the way, the one application that is allowed to run can very well be a menu written in Visual Basic enabling the user to do other well-defined things.
We use this approach in our library.
OK so here is the textfile OWN.ADM:
CLASS MACHINE

CATEGORY !!Own
    ; Automatic logon: values under the Winlogon key.
    POLICY !!AutoLogon
        KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
        VALUENAME AutoAdminLogon
        VALUEON "1" VALUEOFF "0"
        PART !!AutoL1 TEXT END PART
        PART !!AutoL2 TEXT END PART
        PART !!AutoL3 TEXT END PART
        PART !!DefaultDomain
            EDITTEXT
            VALUENAME "DefaultDomainName"
        END PART
        PART !!DefaultUsr
            EDITTEXT
            VALUENAME "DefaultUserName"
        END PART
        ; The password entered here is written to the registry as plain text.
        PART !!DefaultPwd
            EDITTEXT
            VALUENAME "DefaultPassword"
        END PART
    END POLICY

    ; Program that Winlogon starts as the shell for this machine.
    POLICY !!ShellName
        KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
        PART !!ShellNameN
            EDITTEXT
            VALUENAME "Shell"
        END PART
    END POLICY

    ; CD-ROM autorun on or off.
    POLICY !!CdromA
        KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
        VALUENAME Autorun
        VALUEON NUMERIC 1 VALUEOFF NUMERIC 0
        PART !!CDRA TEXT END PART
    END POLICY
END CATEGORY

CLASS USER

[strings]
CdromA="Auto start CDROM"
CDRA="If set this key will make the cd autoload prgms ie as on the win95 cd"
Own="Own Additions"
AutoLogon="Auto Login"
AutoL1="Without prompting for user, or domain the user will"
AutoL2="be logged on to the system automatically"
AutoL3="if set."
DefaultDomain="domain "
DefaultUsr="account "
DefaultPwd="password"
ShellName="Current Shell"
ShellNameN="Write wanted shell (ie Explorer.EXE.)"
ShellT1="With this flag you can change the shell which"
ShellT2="the user will be put in."
Shares="Sharing"
ShareList="Share Drive C:\ to admins"
SDriveName="c"
End of OWN.ADM (this line should not be entered into OWN.ADM)
Happy hacking...
rgds pf
Subject: RE: Network monitoring software -Reply
Date: Thu, 19 Feb 1998 06:09:03 -0800
From: John Rosenhamer <jrosenhamer at okc.cc.ok.us>
To: Multiple recipients of list <web4lib at library.berkeley.edu>
Good Mooorrring Web4lib,
Got a problem!
Am running our library networking from NT. And am using Policy Editor to keep the machines fairly well locked into only using Netscape and not being able to run other applications. I use Policy Editor's special folders to set up the desktop, etc.
This works fine for most of the computers on the network. BUT a few, one especially, lets lots of programs run. And students can download, add to the software, etc.
I did not set this up, so in some ways I'm running blind as I'm not sure if there is a pointer in the local computer to point it to the server to pick up its stuff.
My cogent settings in policy editor are: (only listing item turned on)

Default user:
  Control Panel
    Display -- Restrict display control Panel
    Network -- Restrict Network Control Panel
    Passwords -- Restrict Passwords Control Panel
    Printers -- Restrict Printers Settings
    System -- Restrict Systems Control Panel
  Desktop
    Wallpaper
    color Scheme
  Network (nothing turned on)
  Shell
    Custom folders
      Custom program folders
      Custom desktop folders
      Hide start menu subfolders
      Custom folders startup
      Custom Start Menu
    Restrictions
      Remove Run command
      Remove Folders from "Settings" on Start Menu
      Remove Taskbar from "settings" on start menu
      Remove Find command
      Hide Drives in "my computer"
      Hide Network Neighborhood
      No entire network in Net. Neigh.
      No workgroup contents in Net. Neigh.
      Don't save settings on exit
  System
    Restrictions
      Disable registry editing tools
      Only run allowed windows applications
        Only run: Netscape.exe; scandisk.exe, defrag.exe
      Disable MS-Dos prompt.

Default Computer
  Network
    Logon
      Require validation by Network for Windows access
    Update
      Allow remote update.
any information would be appreciated.
John
John H. Rosenhamer Technical Service Librarian
Oklahoma City Community College
7777 S. May Ave.
Oklahoma City, OK 73013 (405) 682-1611 x7229
jrosenhamer at okc.cc.ok.us Fax: (405) 682-7585
jrosenhamer at dante.okc.cc.ok.us
--
Per Funke, Systems Technician
University of Orebro, Library
+46 19 30 34 78, Fax +46 19 33 12 17
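
An added example, not part of the original message or of the st5.exe utility it mentions: before loading a custom template such as OWN.ADM into the Policy Editor, it helps to list exactly which registry values it writes, so that DefaultPassword (kept as ordinary text under Winlogon) and Shell stand out. The sample is a trimmed copy of the template above; the function name and the REVIEW list are this example's own assumptions.

```python
import re

# Constructed sample: a trimmed copy of the OWN.ADM text from the message above.
SAMPLE_ADM = r'''CLASS MACHINE
CATEGORY !!Own
POLICY !!AutoLogon
KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
VALUENAME AutoAdminLogon
VALUEON "1" VALUEOFF "0"
PART !!DefaultPwd EDITTEXT
VALUENAME "DefaultPassword"
END PART
END POLICY
POLICY !!ShellName
KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
PART !!ShellNameN EDITTEXT VALUENAME "Shell" END PART
END POLICY
END CATEGORY
[strings]
AutoLogon="Auto Login"
ShellName="Current Shell"
'''

# Value names worth a second look in review (this example's own list).
REVIEW = {"defaultpassword": "password kept as plain registry text",
          "shell": "replaces the program started as the logon shell"}

def adm_values(text):
    """Return (class, policy, key, value name, review note) per VALUENAME."""
    body, _, tail = text.partition("[strings]")
    strings = dict(re.findall(r'^(\w+)="(.*)"\s*$', tail, re.M))
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', body)]
    cls = policy = key = None
    rows, i = [], 0
    while i < len(tokens) - 1:
        word, arg = tokens[i].upper(), tokens[i + 1]
        if word == "CLASS":
            cls = arg.upper()
        elif word == "POLICY":
            policy = strings.get(arg.lstrip("!"), arg)  # resolve !!name
        elif word == "KEYNAME":
            key = arg  # simplification: the last KEYNAME seen stays in force
        elif word == "VALUENAME":
            rows.append((cls, policy, key, arg, REVIEW.get(arg.lower(), "")))
        # END PART / END POLICY and keyword arguments are consumed as a pair
        i += 2 if word in ("END", "CLASS", "POLICY", "KEYNAME", "VALUENAME") else 1
    return rows

if __name__ == "__main__":
    print(*adm_values(SAMPLE_ADM), sep="\n")
```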