[K12OSN] Windows Grouppolicy Keys at login

Kevin Verheyen thepiano at telenet.be
Mon Aug 15 00:37:14 UTC 2005


> I say one of the programs that can execute these as admin allowed use of an
> encrypted password, but it seems to me an encrypted password could be brute
> forced. I really don't want my root pass getting out.

True, but how can we provide Group Policies to the users for now?
Do I have to do a GPO config on each TS 2003 server?
Disadvantage is that such a method defaults everything to all users, so
I can't make a different set for teachers-pupils.

So for now I'll stop experimenting, have recreated the whole login
script in KiXtart (I'll include that as soon as I'm at work) because
that's really a lot faster than a .bat :-)

If someone can still point me to the right solution, I'll be happy to
test it out

Kevin

On 15-Aug-05, at 02:29, Jason Ingalls wrote:

> My startup.bat is the one you are using, I haven't added any group policy
> settings yet. I'm still waiting for a secure way to do it, but it seems this
> should be a priority for the samba team (and it may be). I say one of the
> programs that can execute these as admin allowed use of an encrypted password,
> but it seems to me an encrypted password could be brute forced. I really don't
> want my root pass getting out.
>
> -- 
> Jason Ingalls
> Ellsworth School Department
> IT Specialist
> 207-667-4722 Ext. 5529
> jingalls (at) ellsworthschools.org
>
>
> Quoting Kevin Verheyen <thepiano at telenet.be>:
>
>
>> I'm yet working a whole day to get this scripted.
>> But cannot get my script f.e. to add the
>>
>>>>>>>> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
>>>>>>>> "NoInstrumentation"=dword:00000001
>>>>>>>>
>> to the registry at login.
>>
>> As Admin yes, as member of Domain Users, yes, but unfortunately not as
>> regular domain user.
>> Could you share your script or how you handle it?
>>
>> Kevin
>>
>> On 15-Aug-05, at 02:13, Jason Ingalls wrote:
>>
>>
>>> That was my understanding as well. However, someone made a good point a
>>> few days ago on this list about how if a user could modify the GP registry
>>> keys, they could simply edit away any restrictions placed on them by GP's.
>>>
>>> Plus, I've yet to successfully edit those keys as a regular user. My
>>> problem with using this work around method is the admin password needs to
>>> be put in the startup.bat file that can easily be seen by a regular user.
>>>
>>>
>>> -- 
>>> Jason Ingalls
>>> Ellsworth School Department
>>> IT Specialist
>>> 207-667-4722 Ext. 5529
>>> jingalls (at) ellsworthschools.org
>>>
>>>
>>> Quoting Brian Chivers <brian at portsmouth-college.ac.uk>:
>>>
>>>
>>>
>>>> I'll have to try that when I get to work, I was under the understanding
>>>> that anything under HKEY_CURRENT_USER was alterable by a regular user ??
>>>>
>>>> Brian
>>>>
>>>> Kevin Verheyen wrote:
>>>>
>>>>
>>>>> You have to be Local Admin to alter those keys that are part of the
>>>>> grouppolicy.
>>>>> You can't ex. change the
>>>>>
>>>>>>>> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
>>>>>>>> "NoInstrumentation"=dword:00000001
>>>>>>>> "NoSimpleStartMenu"=dword:00000001
>>>>>>>> "NoWelcomeScreen"=dword:00000001
>>>>>>>>
>>>>>
>>>>> Without local admin rights.
>>>>> I've tried this opening regedit as normal user and altering those keys,
>>>>> and you'll get an access denied error
>>>>>
>>>>> Kevin
>>>>>
>>>>> On 14-Aug-05, at 12:09, Brian Chivers wrote:
>>>>>
>>>>>
>>>>>
>>>>>> For things that alter HKEY_CURRENT_USER you don't have to be a Local
>>>>>> Admin. We run our login script as the users log in and alter my doc's
>>>>>> etc without admin rights.
>>>>>>
>>>>>> Brian Chivers
>>>>>> Portsmouth College
>>>>>>
>>>>>>
>>>>>> Kevin Verheyen wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> One more URL with all info about Group Policies
>>>>>>> http://www.computerperformance.co.uk/w2k3/gp/index.htm
>>>>>>> Kevin
>>>>>>> On 13-Aug-05, at 23:57, Kevin Verheyen wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Yeehaa !!!
>>>>>>>>
>>>>>>>> I've finally found the solution to add registry keys to the register
>>>>>>>> at login, while running regedit as (member of) Local Administrator
>>>>>>>> (which is required for Group Policy Keys)
>>>>>>>> This disables or minimizes the need for an Active Directory server.
>>>>>>>> All possible keys are easy to find at:
>>>>>>>> http://winportal.net/support/grouppolicy.html
>>>>>>>>
>>>>>>>>
>>>>>>>> First of all there's the startup.bat script I do use (please adapt to
>>>>>>>> your needs):
>>>>>>>>
>>>>>>>> ---------------------------------------
>>>>>>>> @ECHO OFF
>>>>>>>> net use S: /DELETE
>>>>>>>> net use L: /DELETE
>>>>>>>> net use K: /DELETE
>>>>>>>> net use Z: /DELETE
>>>>>>>> net use R: /DELETE
>>>>>>>>
>>>>>>>> net use S: \\SINT-LUTGARDIS\Secretariaat
>>>>>>>> net use L: \\SINT-LUTGARDIS\Leerkrachten
>>>>>>>> net use K: \\SINT-LUTGARDIS\Leerlingen
>>>>>>>> net use Z: \\SINT-LUTGARDIS\Zorg
>>>>>>>> net use R: \\SINT-LUTGARDIS\Rapporten
>>>>>>>>
>>>>>>>> cd p:
>>>>>>>> IF NOT EXIST "P:\Mijn Documenten\." MD "P:\Mijn Documenten"
>>>>>>>> IF NOT EXIST "P:\Desktop\." MD "P:\Desktop"
>>>>>>>> regedit /s \\SINT-LUTGARDIS\netlogon\mydoc.reg
>>>>>>>> REM thnx to Jim Kronebusch for this one
>>>>>>>>
>>>>>>>> start /w "GROUPPOL.reg" "\\SINT-LUTGARDIS\netlogon\CPAU.exe" -u SINT-LUTGARDIS\root -p slsictict -ex "\\SINT-LUTGARDIS\netlogon\GROUPPOL.bat" -hide
>>>>>>>> :END
>>>>>>>>
>>>>>>>> -------------------
>>>>>>>>
>>>>>>>> The CPAU app you can find as freeware:
>>>>>>>> http://www.joeware.net/win/free/tools/cpau.htm
>>>>>>>>
>>>>>>>> the mydoc.reg
>>>>>>>> REM thnx to Jim Kronebusch for this one
>>>>>>>> ---------------------
>>>>>>>> REGEDIT4
>>>>>>>>
>>>>>>>> [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
>>>>>>>> "ExcludeProfileDirs"="Local Settings;Temporary Internet Files;Geschiedenis;Temp;Mijn Documenten;Bureaublad"
>>>>>>>> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
>>>>>>>> "Personal"="P:\\Mijn Documenten"
>>>>>>>> "Desktop"="P:\\Desktop"
>>>>>>>> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
>>>>>>>> "Personal"="P:\\Mijn Documenten"
>>>>>>>> "Desktop"="P:\\Desktop"
>>>>>>>> -------------------
>>>>>>>>
>>>>>>>>
>>>>>>>> and finally the groupbat.bat is simply calling
>>>>>>>> ----------
>>>>>>>> regedit /s \\SINT-LUTGARDIS\netlogon\GROUPPOL.reg
>>>>>>>> ----------
>>>>>>>>
>>>>>>>> grouppol.reg
>>>>>>>> ---------------
>>>>>>>> REGEDIT4
>>>>>>>>
>>>>>>>> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
>>>>>>>> "NoInstrumentation"=dword:00000001
>>>>>>>> "NoSimpleStartMenu"=dword:00000001
>>>>>>>> "NoWelcomeScreen"=dword:00000001
>>>>>>>>
>>>>>>>>
>>>>>>>> If any of you are having better options, please let me know
>>>>>>>> I'd like to learn every day of my life...
>>>>>>>> Don't know if this is a very secure way of life, if I do take big
>>>>>>>> risks please tell me :-)
>>>>>>>>
>>>>>>>> Kevin
>>>>>>>>
>>>>>>>> On 12-Aug-05, at 21:20, Kevin Verheyen wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I found a wonderful source on the internet with all possible
>>>>>>>>> userkeys used by windows Group Policy
>>>>>>>>>
>>>>>>>>> http://winportal.net/support/grouppolicy.html
>>>>>>>>>
>>>>>>>>> Certainly a wonderful source of info !!
>>>>>>>>>
>>>>>>>>> Kevin
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> K12OSN mailing list
>>>>>>>>> K12OSN at redhat.com
>>>>>>>>> https://www.redhat.com/mailman/listinfo/k12osn
>>>>>>>>> For more info see <http://www.k12os.org>
>>>>>>
>>>>>> ---------------------------------------------------------------
>>>>>> The views expressed here are my own and not necessarily the views of
>>>>>> Portsmouth College
>>>
>>> ----------------------------------------------------------------
>>> This message was sent using IMP, the Internet Messaging Program.
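
An added example, not part of the original thread: a Python check an administrator could run on the Samba server over the scripts in the netlogon share, flagging lines that carry a plaintext password the way the CPAU call in the quoted startup.bat does. The `net use` case goes beyond the thread, and the host names, accounts and passwords in the sample are constructed placeholders.

```python
import re

# Constructed sample logon script; hosts, accounts and passwords are placeholders.
SAMPLE_SCRIPT = r'''@ECHO OFF
net use S: \\EXAMPLE-SRV\Secretariaat
REM "\\EXAMPLE-SRV\netlogon\CPAU.exe" -u EXAMPLE\olduser -p OLD-PLACEHOLDER -ex "old.bat"
start /w "pol" "\\EXAMPLE-SRV\netlogon\CPAU.exe" -u EXAMPLE\root -p PLACEHOLDER -ex "\\EXAMPLE-SRV\netlogon\GROUPPOL.bat" -hide
net use R: \\EXAMPLE-SRV\Rapporten PLACEHOLDER2 /user:EXAMPLE\svc
'''

TOKEN = re.compile(r'"[^"]*"|\S+')  # quoted strings or bare words

def _value_after(toks, flag):
    """Return the token following `flag` (case-insensitive), or None."""
    for i, t in enumerate(toks[:-1]):
        if t.lower() == flag:
            return toks[i + 1]
    return None

def find_embedded_credentials(script_text):
    """List lines carrying a plaintext password; the password is never returned."""
    findings = []
    for lineno, raw in enumerate(script_text.splitlines(), 1):
        toks = [t.strip('"') for t in TOKEN.findall(raw)]
        low = [t.lower() for t in toks]
        if not toks:
            continue
        # A REM'd-out command is still readable by everyone who can read the share.
        commented = low[0] == 'rem' or low[0].startswith('::')
        account = tool = None
        if any(t.endswith('cpau.exe') or t == 'cpau' for t in low):
            # CPAU as used in the thread: -u <account> -p <password>
            if _value_after(toks, '-p'):
                account, tool = _value_after(toks, '-u') or '?', 'cpau'
        elif 'net' in low and low[low.index('net') + 1:][:1] == ['use']:
            # net use <drive> <\\server\share> [password] [/user:<account>]
            unc = next((i for i, t in enumerate(toks) if t.startswith('\\\\')), None)
            nxt = toks[unc + 1] if unc is not None and unc + 1 < len(toks) else None
            if nxt and nxt != '*' and not nxt.startswith('/'):
                account = next((t[6:] for t in toks if t.lower().startswith('/user:')), '?')
                tool = 'net use'
        if account:
            findings.append({'line': lineno, 'tool': tool,
                             'account': account, 'commented': commented})
    return findings
```

Any account the check reports should be treated as exposed to every user who can read the share, including accounts that only appear in commented-out lines.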