Introduction
Whenever a Windows client, be it a Windows NT Server, Workstation, or Windows
9x, logs onto a Windows NT domain, the machine will check to see if the user
logging on has a login script specified in their profile. As an administrator,
you assign the executable file (usually a DOS-style batch file) that the user
will use as a login script in the User Manager For Domains – select a user and
click the ‘profile’ button. If a login script is specified, it will be run
immediately after the user has been authenticated.
By default, the login script should exist in the \\PDC\netlogon share, which
shares the c:\winnt\system32\repl\import\scripts directory. All of your scripts
and their supporting files should exist in this directory. Dos-style batch files
are usually chosen as the type of script to run because they are so easy to
write and edit. In addition, as the login script runs, you can see any error
messages that are produced as the script runs in a DOS-style window.
Please Note: Advanced users may be dismayed at the first few tricks, as they
are somewhat elementary – please move on to the later tricks as they are much
more advanced.
Trick #1 – Determining the OS the user is logging
into
Certain commands and procedures that can run in a login script are not
applicable in certain operating systems (more on these procedures later).
Therefore, you will want the very first action of your login script to be
determining whether the user is logging onto a Windows NT machine, or a Windows
9x machine. This is actually somewhat easy, because Windows NT has a definition
for the system variable %os% by default, but Windows 9x does not.
This line in your batch file will query the system variable %OS% on a windows
nt system:
if ‘%OS%’ == ‘Windows_NT’ goto nt4 (put all your commands for win95 in this section) :nt4 (commands for NT) :end
appropriate for their operating system.
Just because Windows 9x does not have an %os% variable by default, does not
mean it cannot have one. Add this line:
set os=Windows 95
to set the variable. In addition to setting that variable, you can set
a number of other useful variables by adding this line to the Windows 9x portion
of your script.
\\MY_PDC\netlogon\putinenv L /L
For this to work, you need to place the putinenv utility in the
scripts directory. putinenv can be found at
www.ms-computer.de/bin/prog/putenv.zip. (Wayne – Do a search and you will
find it many places.) We will use these newly added variables (or already
existing variables, in the case of WIndows NT) in trick #2.
Trick #2 – Display some information
echo Hello %USERNAME%, welcome to the network!
echo You
are accessing the network from %COMPUTERNAME%
echo And you are running the
%OS% os.
echo Please wait, authenticating %USERNAME% with the %LANGROUP%
domain
By using the echo command we can output some nice messages to the
user, as some are startled, having never seen a login script before.
These nice messages, however, will not be useful if they scroll off of the
screen too quickly, so after your message, add this line:
\\PDC\netlogon\sleep 2
sleep is another free utility that you can find on the web – search
for sleep.exe – it takes one argument – an integer for seconds. Again, it has to
be in the scripts directory for your login script to see it in the netlogon
share…
TRICK #3 – Mapping drives
Most Windows NT shops have some directories on the server that are shared
out. Windows 9x and NT allow you to assign a drive letter in windows explorer to
these shared resources so you can see them over the network just as if you were
using that drive on your own computer. Usually you use windows explorer and the
tools menu to map a drive and map it permanently, but users always accidently
disconnect them, and in addition, you may want to force users to use a specific
drive letter for a specific share (for instance, you may want to force them to
use the U: drive for a ‘users’ share ona server, etc.
In your login script, map drives using these commands:
net use U: \\MY_SERVER\users echo U: drive mapped to the users share
net use P:
\\MY_other_server\public
echo P: drive mapped to the public
share on My_other_server
command in win 9x, the default behavior is to create a non-persistant share,
meaning that if you reboot the machine, the shares will disappear and will not
come back until you run the login script again. No problem there. The problem is
that in win NT, the default behavior is to create persistant shares, so you run
the login script and make the shares, and then you run it next time you log in
and you get errors telling you that it is already mapped. The solution is to
leave the win95 portion of the script as I show above, but in the win nt portion
of the script do this:
net use U: /del
net use P: /del
net use U:
\\MY_SERVER\users
net use P: \\MY_other_server\public
So as you can see we get around the problem by deleting the share
first and then mapping it – we are still left with the problem that the very
first time the user logs in they won’t have the shares to delete, but I am not
that picky….
Another note, if you want your net use statements not to show up, precede
them with a ‘@’, example:
@net use M: \\server\mp3
Trick #4 – Synchronize the time
If you want the system time of all the workstations to match the primary
domain controller (yes, you do…) add this line:
net time \\MY_PDC /set /yes
Now all the
machines in the office will match the time of the PDC, and you only need to
install an atomic clock synchronizer on the PDC.
(check out www.atomtime.com for a good atomic clock syncer)
Trick #5 – Fix Windows 9x security flaws
Windows 9x does some bad things in terms of security – anyone attending def
con 6 learned about password caching and how the domain passwords are stored in
a weak format on the win9x hard drive.
Let’s do something about it:
First, the easy part:
del c:\windows\*.pwl
the above line added to the win9x portion of your script will delete
the password lists for all the profiles on he win9x computer. This may not win
you a lot of friends because the saved passwords on dial-up networking will no
longer be functional, etc. but they were security risks anyway. Now, the tricky
part – we want to disable the internal caching of passwords in windows 95 – this
requires changing the registry:
REGEDIT /s \\MY_PDC\netlogon\nocache.reg
The above line will run regedit on the command line with no program
output with a registry input file named nocache.reg – here is the reg file:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
“DisablePwdCaching”=dword:00000001
Just save it as plain text and name it nocache.reg
You have now disabled some of the more gaping holes in win9x – smile!
Trick #6 – Customization
Ok, as a sysadmin, as much as I hate it, I have to go to users machines
sometimes to fix stuff, and it really irks me when the simple amenities that I
take for granted on my own machine are not available. Let’s fix that:
1. put notepad in the ‘send to’ menu.
If you are in windows explorer and right click on a file and choose ‘send to’
you are given the option of sending the file to a specific application. It is
very useful to add notepad to the send to menu because if you double-click an
html file, you will not edit it, you will bring up the browser and view it. Kind
of annoying if you just wanted to edit it…here is how you do it:
copy
\\MY_PDC\netlogon\notepad.exe.lnk
c:\windows\sendto
that line
is all you need, plus adding a file called notepad.exe.lnk to the scripts
directory – you can make the .lnk file on your own windows 95 machine and copy
it up there just fine. Now all machines you play with will have notepad
available in send to.
2. doskey
If you admin win 9x machines, you need doskey to be available. If you don’t
know what doskey is, then you should probably learn some basic stuff before
graduating to the level of login script hacker.
type c:\autoexec.bat | find “doskey” /i | if not errorlevel
1 goto doskeyend
echo >> c:\autoexec.bat
c:\windows\command\doskey.com
:doskeyend
What this does is adds the line c:\windows\command\doskey.com to the autoexec file – but we
need to do a loop to make sure it is not already there because otherwise you
will add that line to autoexec every time they log on, eventually they will run
so many doskeys at boot that their machine will crash. This is also a great
example of using a lopp in the login script.
3. add a hosts file
If you have your own dns server, you can add and subtract host/name mappings
all day, but maybe you don’t have your own dns, or maybe you want some internal
host/name mappings – windows has its own host file simply named ‘hosts’ in the
c:\windows dir, so make a hosts file and add it to the scripts dir, then add
this line to the script:
copy \\MY_PDC\netlogon\hosts c:\windows
for the win nt section of your login script, change it to this:
copy \\fletch\netlogon\hosts
%systemroot%\system32\drivers\etc\hosts
I personally set up a internal web server to display the usage
statistics of our main web site, and had a hosts entry for ‘stats’ – you can add
all sorts of personalized dns style entries this way…
4. give everyone winpopup
copy \\fletch\netlogon\winpopup.lnk
c:\windows\startm~1\programs\startup
5. detect back orifice
Honestly this is not that great of a detection for back orifice, but it is a
neat little hack – if someone does an off the shelf installation of BO on you,
the file size will be in a certain range, and you can detect that file size and
mail an alert to the sysadmin…
::Back Orifice Detection Measures…. dir c:\windows\system | find “124,8” /i | if not errorlevel 1 goto :step2 dir c:\windows\system | find “124,9” /i | if not errorlevel 1 goto :orificeend
BO1
goto step2
:BO1
dir c:\windows\system > c:\tempbode.txt
echo
computer:%COMPUTERNAME% >> c:\tempbode.txt
echo user:%USERNAME%
>> c:\tempbode.txt
\\MY_PDC\netlogon\mailto.exe -u
[email protected] -d [email protected] -h mail.mydomain.com -s “BO
ALERT” -mf c:\tempbode.txt
del c:\tempbode.txt
BO2
goto orificeend
:BO2
dir c:\windows\system >
c:\tempbode.txt
echo computer:%COMPUTERNAME% >> c:\tempbode.txt
echo
user:%USERNAME% >> c:\tempbode.txt
\\MY_PDC\netlogon\mailto.exe -u
[email protected] -d [email protected] -h mail.mydomain.com -s “BO
ALERT” -mf c:\tempbode.txt
del c:\tempbode.txt
of the size: 124,9xx or 124,8xx, and if we find them we email the sysadmin
alerting them of it. This is actually really silly bcase any number of programs
could put a file there of that size, and you can wrap BO to be any size you want
– but it is a neat little hack and shows some advanced grepping and looping that
you can do in a batch file.
You will note that we call mailto.exe which can be found on winfiles.com and
is a great little command line utility for mailing off things quickly, and is
great for login scripts because you can email from them.
Just make sure mailto.exe is in the scripts dir…
Trick #7 – Windows NT Specific Tricks
Ok here are some good registry hacks to put in the login script for use in
the nt section of the script only….
1. mandatory screen saver
regedit /s \\MY_PDC\netlogon\scrn.reg
and scrn.reg looks likt this:
REGEDIT4
[HKEY_CURRENT_USER\Control
Panel\Desktop]
“ScreenSaveTimeOut”=”1800”
“ScreenSaveActive”=”1”
“SCRNSAVE.EXE”=”c:\winnt\system32\logon.scr”
“ScreenSaverIsSecure”=”1”
Ok,
this adds a password protected screen saver that starts in 30 minutes (1800
seconds) of inactivity and is just the simple logon.scr screen saver (no openGL
SS’s please, as they will kill your server) This is really a great security
measure for NT machines as people can get up and go home without logging out and
you will still be secure (to a degree, of course) (this is one of my favorite
hacks)
2. legal notice
regedit /s \\MY_PDC\netlogon\legal.reg
and legal.reg looks like this:
REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon]
“DontDisplayLastUserName”=”1”
“LegalNoticeCaption”=”Important
Notice!”
“LegalNoticeText”=”This is a private computer system”
message that you have to say ok to first. This is good because you can inform
people of things like ‘all usage is monitored’ blah blah – mine looks like this:
This is a private computer system on a private computer network. ALL access
is logged and monitored – you should not log on if you object to this policy.
Unauthorized users are not allowed, and any attempt to enter the network or this
system without permission will result in civil and criminal liabilities.
Just covering yourself in case of an employee lawsuit or a break-in.
Helpful Hints
If you do a lot of messages and add nifty stuff like ascii art and go nuts
like that (my netowrk has a cool ascii art screen that comes up and pauses with
the sleep command for a second or two) you may want to clear the screen between
messages or groups of messages – just add this command in your script wherever
necessary:
cls
Also, the screen saver that I set in the windows nt portion of the script
cannot be done in windows 95 – I tried it for weeks but it won’t happen. You
see, the win95 screen saver applet works a bit differently, and there is no
registry entry for which screen saver to use (even though there is a registry
entry for all other aspects of the screen saver) – it’s weird but
true…however, someone recently mentioned that you might be able to add a
screen saver by adding some lines to win.ini – you will need to loop to make
sure that the lines do not already exist, like we did above with doskey, but it
might be possible.
Finally, I cannot stress enough how important it is to have a separate
section for nt and 95 – as we saw drive mapping is different betwen the two, and
there are some registry entries you can change in nt and not on 95.
Note: if you have a backup domain controller, the scripts will not run
consistently until you replicate them between the PDC/BDC – there is a great
tutorial on how to do this at www.ntfaq.com – it is really counter-intuitive and
confusing.
Please email me any questions/comments/or hacks of your own – I would love to
see some more advanced Back Orifice detection and also any way to get a
mandatory password protected screen saver in win95…
