Windows NT Login Script Tricks and Tips

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Introduction

Whenever a Windows client, be it a Windows NT Server, Workstation, or Windows 9x, logs onto a Windows NT domain, the machine will check to see if the user logging on has a login script specified in their profile. As an administrator, you assign the executable file (usually a DOS-style batch file) that the user will use as a login script in the User Manager For Domains - select a user and click the 'profile' button. If a login script is specified, it will be run immediately after the user has been authenticated.

By default, the login script should exist in the \\PDC\netlogon share, which shares the c:\winnt\system32\repl\import\scripts directory. All of your scripts and their supporting files should exist in this directory. Dos-style batch files are usually chosen as the type of script to run because they are so easy to write and edit. In addition, as the login script runs, you can see any error messages that are produced as the script runs in a DOS-style window.

Please Note: Advanced users may be dismayed at the first few tricks, as they are somewhat elementary - please move on to the later tricks as they are much more advanced.

Trick #1 - Determining the OS the user is logging into

Certain commands and procedures that can run in a login script are not applicable in certain operating systems (more on these procedures later). Therefore, you will want the very first action of your login script to be determining whether the user is logging onto a Windows NT machine, or a Windows 9x machine. This is actually somewhat easy, because Windows NT has a definition for the system variable %os% by default, but Windows 9x does not.

This line in your batch file will query the system variable %OS% on a windows nt system:

if '%OS%' == 'Windows_NT' goto nt4

(put all your commands for win95 in this section)

:nt4

(commands for NT)

:end

In this manner, the user logging in only executes commands that are appropriate for their operating system.

Just because Windows 9x does not have an %os% variable by default, does not mean it cannot have one. Add this line:

set os=Windows 95

to set the variable. In addition to setting that variable, you can set a number of other useful variables by adding this line to the Windows 9x portion of your script.

\\MY_PDC\netlogon\putinenv L /L

For this to work, you need to place the putinenv utility in the scripts directory. putinenv can be found at www.ms-computer.de/bin/prog/putenv.zip. (Wayne - Do a search and you will find it many places.) We will use these newly added variables (or already existing variables, in the case of WIndows NT) in trick #2.

Trick #2 - Display some information

echo Hello %USERNAME%, welcome to the network!
echo You are accessing the network from %COMPUTERNAME%
echo And you are running the %OS% os.
echo Please wait, authenticating %USERNAME% with the %LANGROUP% domain

By using the echo command we can output some nice messages to the user, as some are startled, having never seen a login script before.

These nice messages, however, will not be useful if they scroll off of the screen too quickly, so after your message, add this line:

\\PDC\netlogon\sleep 2

sleep is another free utility that you can find on the web - search for sleep.exe - it takes one argument - an integer for seconds. Again, it has to be in the scripts directory for your login script to see it in the netlogon share...

TRICK #3 - Mapping drives

Most Windows NT shops have some directories on the server that are shared out. Windows 9x and NT allow you to assign a drive letter in windows explorer to these shared resources so you can see them over the network just as if you were using that drive on your own computer. Usually you use windows explorer and the tools menu to map a drive and map it permanently, but users always accidently disconnect them, and in addition, you may want to force users to use a specific drive letter for a specific share (for instance, you may want to force them to use the U: drive for a 'users' share ona server, etc.

In your login script, map drives using these commands:

net use U: \\MY_SERVER\users
net use P: \\MY_other_server\public

echo U: drive mapped to the users share
echo P: drive mapped to the public share on My_other_server

You get the point. Here is some info though, when you run the net use command in win 9x, the default behavior is to create a non-persistant share, meaning that if you reboot the machine, the shares will disappear and will not come back until you run the login script again. No problem there. The problem is that in win NT, the default behavior is to create persistant shares, so you run the login script and make the shares, and then you run it next time you log in and you get errors telling you that it is already mapped. The solution is to leave the win95 portion of the script as I show above, but in the win nt portion of the script do this:

net use U: /del
net use P: /del
net use U: \\MY_SERVER\users
net use P: \\MY_other_server\public

So as you can see we get around the problem by deleting the share first and then mapping it - we are still left with the problem that the very first time the user logs in they won't have the shares to delete, but I am not that picky....

Another note, if you want your net use statements not to show up, precede them with a '@', example:

@net use M: \\server\mp3

Trick #4 - Synchronize the time

If you want the system time of all the workstations to match the primary domain controller (yes, you do...) add this line:

net time \\MY_PDC /set /yes

Now all the machines in the office will match the time of the PDC, and you only need to install an atomic clock synchronizer on the PDC.

(check out www.atomtime.com for a good atomic clock syncer)

Trick #5 - Fix Windows 9x security flaws

Windows 9x does some bad things in terms of security - anyone attending def con 6 learned about password caching and how the domain passwords are stored in a weak format on the win9x hard drive.

Let's do something about it:

First, the easy part:

del c:\windows\*.pwl

the above line added to the win9x portion of your script will delete the password lists for all the profiles on he win9x computer. This may not win you a lot of friends because the saved passwords on dial-up networking will no longer be functional, etc. but they were security risks anyway. Now, the tricky part - we want to disable the internal caching of passwords in windows 95 - this requires changing the registry:

REGEDIT /s \\MY_PDC\netlogon\nocache.reg

The above line will run regedit on the command line with no program output with a registry input file named nocache.reg - here is the reg file:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
"DisablePwdCaching"=dword:00000001

Just save it as plain text and name it nocache.reg

You have now disabled some of the more gaping holes in win9x - smile!

Trick #6 - Customization

Ok, as a sysadmin, as much as I hate it, I have to go to users machines sometimes to fix stuff, and it really irks me when the simple amenities that I take for granted on my own machine are not available. Let's fix that:

1. put notepad in the 'send to' menu.

If you are in windows explorer and right click on a file and choose 'send to' you are given the option of sending the file to a specific application. It is very useful to add notepad to the send to menu because if you double-click an html file, you will not edit it, you will bring up the browser and view it. Kind of annoying if you just wanted to edit it...here is how you do it:

copy \\MY_PDC\netlogon\notepad.exe.lnk
c:\windows\sendto

that line is all you need, plus adding a file called notepad.exe.lnk to the scripts directory - you can make the .lnk file on your own windows 95 machine and copy it up there just fine. Now all machines you play with will have notepad available in send to.

2. doskey

If you admin win 9x machines, you need doskey to be available. If you don't know what doskey is, then you should probably learn some basic stuff before graduating to the level of login script hacker.

type c:\autoexec.bat | find "doskey" /i | if not errorlevel 1 goto doskeyend
echo >> c:\autoexec.bat c:\windows\command\doskey.com
:doskeyend

What this does is adds the line c:\windows\command\doskey.com to the autoexec file - but we need to do a loop to make sure it is not already there because otherwise you will add that line to autoexec every time they log on, eventually they will run so many doskeys at boot that their machine will crash. This is also a great example of using a lopp in the login script.

3. add a hosts file

If you have your own dns server, you can add and subtract host/name mappings all day, but maybe you don't have your own dns, or maybe you want some internal host/name mappings - windows has its own host file simply named 'hosts' in the c:\windows dir, so make a hosts file and add it to the scripts dir, then add this line to the script:

copy \\MY_PDC\netlogon\hosts c:\windows

for the win nt section of your login script, change it to this:

copy \\fletch\netlogon\hosts %systemroot%\system32\drivers\etc\hosts

I personally set up a internal web server to display the usage statistics of our main web site, and had a hosts entry for 'stats' - you can add all sorts of personalized dns style entries this way...

4. give everyone winpopup

copy \\fletch\netlogon\winpopup.lnk c:\windows\startm~1\programs\startup

5. detect back orifice

Honestly this is not that great of a detection for back orifice, but it is a neat little hack - if someone does an off the shelf installation of BO on you, the file size will be in a certain range, and you can detect that file size and mail an alert to the sysadmin...

::Back Orifice Detection Measures....

dir c:\windows\system | find "124,8" /i | if not errorlevel 1 goto BO1
goto step2
:BO1
dir c:\windows\system > c:\tempbode.txt
echo computer:%COMPUTERNAME% >> c:\tempbode.txt
echo user:%USERNAME% >> c:\tempbode.txt
\\MY_PDC\netlogon\mailto.exe -u sysadmin@mydomain.com -d sysadmin@mydomain.com -h mail.mydomain.com -s "BO ALERT" -mf c:\tempbode.txt
del c:\tempbode.txt

:step2

dir c:\windows\system | find "124,9" /i | if not errorlevel 1 goto BO2
goto orificeend
:BO2
dir c:\windows\system > c:\tempbode.txt
echo computer:%COMPUTERNAME% >> c:\tempbode.txt
echo user:%USERNAME% >> c:\tempbode.txt
\\MY_PDC\netlogon\mailto.exe -u sysadmin@mydomain.com -d sysadmin@mydomain.com -h mail.mydomain.com -s "BO ALERT" -mf c:\tempbode.txt
del c:\tempbode.txt

:orificeend

So basically what happens is we look in windows\system for any files of the size: 124,9xx or 124,8xx, and if we find them we email the sysadmin alerting them of it. This is actually really silly bcase any number of programs could put a file there of that size, and you can wrap BO to be any size you want - but it is a neat little hack and shows some advanced grepping and looping that you can do in a batch file.

You will note that we call mailto.exe which can be found on winfiles.com and is a great little command line utility for mailing off things quickly, and is great for login scripts because you can email from them.

Just make sure mailto.exe is in the scripts dir...

Trick #7 - Windows NT Specific Tricks

Ok here are some good registry hacks to put in the login script for use in the nt section of the script only....

1. mandatory screen saver

regedit /s \\MY_PDC\netlogon\scrn.reg

and scrn.reg looks likt this:

REGEDIT4
[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveTimeOut"="1800"
"ScreenSaveActive"="1"
"SCRNSAVE.EXE"="c:\winnt\system32\logon.scr"
"ScreenSaverIsSecure"="1"

Ok, this adds a password protected screen saver that starts in 30 minutes (1800 seconds) of inactivity and is just the simple logon.scr screen saver (no openGL SS's please, as they will kill your server) This is really a great security measure for NT machines as people can get up and go home without logging out and you will still be secure (to a degree, of course) (this is one of my favorite hacks)

2. legal notice

regedit /s \\MY_PDC\netlogon\legal.reg

and legal.reg looks like this:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"
"LegalNoticeCaption"="Important Notice!"
"LegalNoticeText"="This is a private computer system"

So now when you hit ctrl-alt-del to login, you will get a nice little message that you have to say ok to first. This is good because you can inform people of things like 'all usage is monitored' blah blah - mine looks like this:

This is a private computer system on a private computer network. ALL access is logged and monitored - you should not log on if you object to this policy. Unauthorized users are not allowed, and any attempt to enter the network or this system without permission will result in civil and criminal liabilities.

Just covering yourself in case of an employee lawsuit or a break-in.

Helpful Hints

If you do a lot of messages and add nifty stuff like ascii art and go nuts like that (my netowrk has a cool ascii art screen that comes up and pauses with the sleep command for a second or two) you may want to clear the screen between messages or groups of messages - just add this command in your script wherever necessary:

cls

Also, the screen saver that I set in the windows nt portion of the script cannot be done in windows 95 - I tried it for weeks but it won't happen. You see, the win95 screen saver applet works a bit differently, and there is no registry entry for which screen saver to use (even though there is a registry entry for all other aspects of the screen saver) - it's weird but true...however, someone recently mentioned that you might be able to add a screen saver by adding some lines to win.ini - you will need to loop to make sure that the lines do not already exist, like we did above with doskey, but it might be possible.

Finally, I cannot stress enough how important it is to have a separate section for nt and 95 - as we saw drive mapping is different betwen the two, and there are some registry entries you can change in nt and not on 95.

Note: if you have a backup domain controller, the scripts will not run consistently until you replicate them between the PDC/BDC - there is a great tutorial on how to do this at www.ntfaq.com - it is really counter-intuitive and confusing.

Please email me any questions/comments/or hacks of your own - I would love to see some more advanced Back Orifice detection and also any way to get a mandatory password protected screen saver in win95...

Featured Links