Introduction
Whenever a Windows client, be it a Windows NT Server, Workstation, or Windows 9x, logs onto a Windows NT domain, the machine will check to see if the user logging on has a login script specified in their profile. As an administrator, you assign the executable file (usually a DOS-style batch file) that the user will use as a login script in the User Manager For Domains - select a user and click the 'profile' button. If a login script is specified, it will be run immediately after the user has been authenticated.
By default, the login script should exist in the \\PDC\netlogon share, which shares the c:\winnt\system32\repl\import\scripts directory. All of your scripts and their supporting files should exist in this directory. DOS-style batch files are usually chosen as the type of script to run because they are so easy to write and edit. In addition, any error messages the login script produces are visible in a DOS-style window while it runs.
Please Note: Advanced users may be dismayed at the first few tricks, as they are somewhat elementary - please move on to the later tricks as they are much more advanced.
Trick #1 - Determining the OS the user is logging into
Certain commands and procedures that can run in a login script are not applicable in certain operating systems (more on these procedures later). Therefore, you will want the very first action of your login script to be determining whether the user is logging onto a Windows NT machine, or a Windows 9x machine. This is actually somewhat easy, because Windows NT has a definition for the system variable %os% by default, but Windows 9x does not.
This line in your batch file tests the system variable %OS%, which is defined on a Windows NT system:
if '%OS%' == 'Windows_NT' goto nt4
(put all your commands for win95 in this section)
goto end
:nt4
(commands for NT)
:end
Just because Windows 9x does not have an %os% variable by default does not mean it cannot have one. Add this line:
set os=Windows 95
to set the variable. In addition to setting that variable, you can set a number of other useful variables by adding this line to the Windows 9x portion of your script:
\\MY_PDC\netlogon\putinenv L /L
For this to work, you need to place the putinenv utility in the scripts directory. putinenv can be found at www.ms-computer.de/bin/prog/putenv.zip. (Wayne - Do a search and you will find it many places.) We will use these newly added variables (or already existing variables, in the case of Windows NT) in trick #2.
Trick #2 - Display some information
echo Hello %USERNAME%, welcome to the network!
echo You are accessing the network from %COMPUTERNAME%
echo And you are running the %OS% os.
echo Please wait, authenticating %USERNAME% with the %LANGROUP% domain
By using the echo command we can output some nice messages to the user, as some are startled, having never seen a login script before.
These nice messages, however, will not be useful if they scroll off of the screen too quickly, so after your message, add this line:
\\PDC\netlogon\sleep 2
sleep is another free utility that you can find on the web - search for sleep.exe - it takes one argument - an integer for seconds. Again, it has to be in the scripts directory for your login script to see it in the netlogon share...
Trick #3 - Mapping drives
Most Windows NT shops have some directories on the server that are shared out. Windows 9x and NT allow you to assign a drive letter in Windows Explorer to these shared resources so you can see them over the network just as if you were using that drive on your own computer. Usually you use Windows Explorer and the Tools menu to map a drive and map it permanently, but users always accidentally disconnect them, and in addition, you may want to force users to use a specific drive letter for a specific share (for instance, you may want to force them to use the U: drive for a 'users' share on a server).
In your login script, map drives using these commands:
net use U: \\MY_SERVER\users
echo U: drive mapped to the users share
net use P: \\MY_other_server\public
echo P: drive mapped to the public share on My_other_server

net use U: /del
net use P: /del
net use U: \\MY_SERVER\users
net use P: \\MY_other_server\public
So as you can see we get around the problem by deleting the share first and then mapping it - we are still left with the problem that the very first time the user logs in they won't have the shares to delete, but I am not that picky....
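One way to close the first-logon gap described above, as an added example that is not part of the original article: guard or silence the delete so it cannot fail when nothing is mapped yet. The server names are the article's placeholders; the "if exist U:\nul" test and the /persistent:no switch are choices made for this example.

```batch
@echo off
rem Added example, not the article's own script.
rem MY_SERVER and MY_other_server are the article's placeholder names.
if "%OS%" == "Windows_NT" goto nt4

rem ---- Windows 9x section (command.com) ----
rem "if exist U:\nul" is true only while U: is already in use, so the
rem delete is skipped on a first logon when there is nothing to remove.
if exist U:\nul net use U: /del
net use U: \\MY_SERVER\users
if exist P:\nul net use P: /del
net use P: \\MY_other_server\public
goto end

:nt4
rem ---- Windows NT section (cmd.exe) ----
rem cmd.exe can discard both output streams, so the delete is always
rem attempted and its error on a first logon is simply hidden.
net use U: /del > nul 2>&1
rem /persistent:no stops NT from remembering the mapping.
net use U: \\MY_SERVER\users /persistent:no
if errorlevel 1 echo WARNING: could not map U: to \\MY_SERVER\users
net use P: /del > nul 2>&1
net use P: \\MY_other_server\public /persistent:no
if errorlevel 1 echo WARNING: could not map P: to \\MY_other_server\public

:end
```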
Another note, if you want your net use statements not to show up, precede them with a '@', example:
@net use M: \\server\mp3
Trick #4 - Synchronize the time
If you want the system time of all the workstations to match the primary domain controller (yes, you do...) add this line:
net time \\MY_PDC /set /yes
Now all the machines in the office will match the time of the PDC, and you only need to install an atomic clock synchronizer on the PDC.
(check out www.atomtime.com for a good atomic clock syncer)
Trick #5 - Fix Windows 9x security flaws
Windows 9x does some bad things in terms of security - anyone attending DEF CON 6 learned about password caching and how the domain passwords are stored in a weak format on the win9x hard drive.
Let's do something about it:
First, the easy part:
del c:\windows\*.pwl
The above line, added to the win9x portion of your script, will delete the password lists for all the profiles on the win9x computer. This may not win you a lot of friends because the saved passwords on dial-up networking will no longer be functional, etc. but they were security risks anyway. Now, the tricky part - we want to disable the internal caching of passwords in windows 95 - this requires changing the registry:
REGEDIT /s \\MY_PDC\netlogon\nocache.reg
The above line runs regedit from the command line, with no program output, on a registry input file named nocache.reg - here is the reg file:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
"DisablePwdCaching"=dword:00000001
Just save it as plain text and name it nocache.reg
You have now disabled some of the more gaping holes in win9x - smile!
Trick #6 - Customization
Ok, as a sysadmin, as much as I hate it, I have to go to users' machines sometimes to fix stuff, and it really irks me when the simple amenities that I take for granted on my own machine are not available. Let's fix that:
1. put notepad in the 'send to' menu.
If you are in windows explorer and right click on a file and choose 'send to' you are given the option of sending the file to a specific application. It is very useful to add notepad to the send to menu because if you double-click an html file, you will not edit it, you will bring up the browser and view it. Kind of annoying if you just wanted to edit it...here is how you do it:
copy \\MY_PDC\netlogon\notepad.exe.lnk c:\windows\sendto
That line is all you need, plus adding a file called notepad.exe.lnk to the scripts directory - you can make the .lnk file on your own windows 95 machine and copy it up there just fine. Now all machines you play with will have notepad available in send to.
2. doskey
If you admin win 9x machines, you need doskey to be available. If you don't know what doskey is, then you should probably learn some basic stuff before graduating to the level of login script hacker.
type c:\autoexec.bat | find "doskey" /i | if not errorlevel 1 goto doskeyend
echo >> c:\autoexec.bat c:\windows\command\doskey.com
:doskeyend
What this does is add the line c:\windows\command\doskey.com to the autoexec file - but we need a check to make sure it is not already there, because otherwise you will add that line to autoexec every time they log on, and eventually they will run so many doskeys at boot that their machine will crash. This is also a great example of using a conditional goto in the login script.
3. add a hosts file
If you have your own dns server, you can add and subtract host/name mappings all day, but maybe you don't have your own dns, or maybe you want some internal host/name mappings - windows has its own host file simply named 'hosts' in the c:\windows dir, so make a hosts file and add it to the scripts dir, then add this line to the script:
copy \\MY_PDC\netlogon\hosts c:\windows
For the win nt section of your login script, change it to this:
copy \\fletch\netlogon\hosts %systemroot%\system32\drivers\etc\hosts
I personally set up an internal web server to display the usage statistics of our main web site, and had a hosts entry for 'stats' - you can add all sorts of personalized dns style entries this way...
4. give everyone winpopup
copy \\fletch\netlogon\winpopup.lnk c:\windows\startm~1\programs\startup
5. detect back orifice
Honestly this is not that great of a detection for back orifice, but it is a neat little hack - if someone does an off the shelf installation of BO on you, the file size will be in a certain range, and you can detect that file size and mail an alert to the sysadmin...
::Back Orifice Detection Measures....
dir c:\windows\system | find "124,8" /i | if not errorlevel 1 goto BO1
:step2
dir c:\windows\system | find "124,9" /i | if not errorlevel 1 goto BO2
goto orificeend
:BO1
dir c:\windows\system > c:\tempbode.txt
echo computer:%COMPUTERNAME% >> c:\tempbode.txt
echo user:%USERNAME% >> c:\tempbode.txt
\\MY_PDC\netlogon\mailto.exe -u sysadmin@mydomain.com -d sysadmin@mydomain.com -h mail.mydomain.com -s "BO ALERT" -mf c:\tempbode.txt
del c:\tempbode.txt
goto orificeend
:BO2
dir c:\windows\system > c:\tempbode.txt
echo computer:%COMPUTERNAME% >> c:\tempbode.txt
echo user:%USERNAME% >> c:\tempbode.txt
\\MY_PDC\netlogon\mailto.exe -u sysadmin@mydomain.com -d sysadmin@mydomain.com -h mail.mydomain.com -s "BO ALERT" -mf c:\tempbode.txt
del c:\tempbode.txt
:orificeend
You will note that we call mailto.exe which can be found on winfiles.com and is a great little command line utility for mailing off things quickly, and is great for login scripts because you can email from them.
Just make sure mailto.exe is in the scripts dir...
Trick #7 - Windows NT Specific Tricks
Ok here are some good registry hacks to put in the login script for use in the nt section of the script only....
1. mandatory screen saver
regedit /s \\MY_PDC\netlogon\scrn.reg
and scrn.reg looks like this (backslashes inside a .reg string value must be doubled):
REGEDIT4
[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveTimeOut"="1800"
"ScreenSaveActive"="1"
"SCRNSAVE.EXE"="c:\\winnt\\system32\\logon.scr"
"ScreenSaverIsSecure"="1"
Ok, this adds a password protected screen saver that starts after 30 minutes (1800 seconds) of inactivity and is just the simple logon.scr screen saver (no openGL SS's please, as they will kill your server). This is really a great security measure for NT machines as people can get up and go home without logging out and you will still be secure (to a degree, of course) (this is one of my favorite hacks).
2. legal notice
regedit /s \\MY_PDC\netlogon\legal.reg
and legal.reg looks like this:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"
"LegalNoticeCaption"="Important Notice!"
"LegalNoticeText"="This is a private computer system"
This is a private computer system on a private computer network. ALL access is logged and monitored - you should not log on if you object to this policy. Unauthorized users are not allowed, and any attempt to enter the network or this system without permission will result in civil and criminal liabilities.
Just covering yourself in case of an employee lawsuit or a break-in.
Helpful Hints
If you do a lot of messages and add nifty stuff like ASCII art and go nuts like that (my network has a cool ASCII art screen that comes up and pauses with the sleep command for a second or two) you may want to clear the screen between messages or groups of messages - just add this command in your script wherever necessary:
cls
Also, the screen saver that I set in the windows nt portion of the script cannot be done in windows 95 - I tried it for weeks but it won't happen. You see, the win95 screen saver applet works a bit differently, and there is no registry entry for which screen saver to use (even though there is a registry entry for all other aspects of the screen saver) - it's weird but true...however, someone recently mentioned that you might be able to add a screen saver by adding some lines to win.ini - you will need to check first that the lines do not already exist, like we did above with doskey, but it might be possible.
Finally, I cannot stress enough how important it is to have a separate section for nt and 95 - as we saw, drive mapping is different between the two, and there are some registry entries you can change in nt and not on 95.
Note: if you have a backup domain controller, the scripts will not run consistently until you replicate them between the PDC/BDC - there is a great tutorial on how to do this at www.ntfaq.com - it is really counter-intuitive and confusing.
Please email me any questions/comments/or hacks of your own - I would love to see some more advanced Back Orifice detection and also any way to get a mandatory password protected screen saver in win95...