[K12OSN] Windows Grouppolicy Keys at login

Jason Ingalls jingalls at ellsworthschools.org
Mon Aug 15 00:29:53 UTC 2005


My startup.bat is the one you are using, I haven't added any group policy
settings yet. I'm still waiting for a secure way to do it, but it seems this
should be a priority for the Samba team (and it may be). I saw one of the
programs that can execute these as admin allowed use of an encrypted password,
but it seems to me an encrypted password could be brute forced. I really don't
want my root pass getting out.

-- 
Jason Ingalls
Ellsworth School Department
IT Specialist
207-667-4722 Ext. 5529
jingalls (at) ellsworthschools.org


Quoting Kevin Verheyen <thepiano at telenet.be>:

> I've been working a whole day to get this scripted.
> But I cannot get my script, for example, to add the
>>>>>>> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
>>>>>>> "NoInstrumentation"=dword:00000001
> to the registry at login.
>
> As Admin yes, as member of Domain Users, yes, but unfortunately not as
> regular domain user.
> Could you share your script or how you handle it?
>
> Kevin
>
> On 15-Aug-05, at 02:13, Jason Ingalls wrote:
>
>> That was my understanding as well. However, someone made a good point a few
>> days ago on this list about how if a user could modify the GP registry keys,
>> they could simply edit away any restrictions placed on them by GP's.
>>
>> Plus, I've yet to successfully edit those keys as a regular user. My problem
>> with using this work around method is the admin password needs to be put in
>> the startup.bat file that can easily be seen by a regular user.
>>
>>
>> -- 
>> Jason Ingalls
>> Ellsworth School Department
>> IT Specialist
>> 207-667-4722 Ext. 5529
>> jingalls (at) ellsworthschools.org
>>
>>
>> Quoting Brian Chivers <brian at portsmouth-college.ac.uk>:
>>
>>
>>> I'll have to try that when I get to work, I was under the understanding
>>> that anything under HKEY_CURRENT_USER was alterable by a regular user ??
>>>
>>> Brian
>>>
>>> Kevin Verheyen wrote:
>>>
>>>> You have to be Local Admin to alter those keys that are part of the
>>>> Group Policy.
>>>> You can't, for example, change the
>>>>
>>>>>>> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
>>>>>>> "NoInstrumentation"=dword:00000001
>>>>>>> "NoSimpleStartMenu"=dword:00000001
>>>>>>> "NoWelcomeScreen"=dword:00000001
>>>>
>>>> without local admin rights.
>>>> I've tried this, opening regedit as a normal user and altering those
>>>> keys, and you'll get an access denied error.
>>>>
>>>> Kevin
>>>>
>>>> On 14-Aug-05, at 12:09, Brian Chivers wrote:
>>>>
>>>>
>>>>> For things that alter HKEY_CURRENT_USER you don't have to be a Local
>>>>> Admin. We run our login script as the users log in and alter my doc's
>>>>> etc. without admin rights.
>>>>>
>>>>> Brian Chivers
>>>>> Portsmouth College
>>>>>
>>>>>
>>>>> Kevin Verheyen wrote:
>>>>>
>>>>>
>>>>>> One more URL with all info about Group Policies
>>>>>> http://www.computerperformance.co.uk/w2k3/gp/index.htm
>>>>>> Kevin
>>>>>> On 13-Aug-05, at 23:57, Kevin Verheyen wrote:
>>>>>>
>>>>>>
>>>>>>> Yeehaa !!!
>>>>>>>
>>>>>>> I've finally found the solution to add registry keys to the registry
>>>>>>> at login, while running regedit as (member of) Local Administrator
>>>>>>> (which is required for Group Policy Keys).
>>>>>>> This disables or minimizes the need for an Active Directory server.
>>>>>>> All possible keys are easy to find at:
>>>>>>> http://winportal.net/support/grouppolicy.html
>>>>>>>
>>>>>>>
>>>>>>> First of all there's the startup.bat script I use (please adapt to
>>>>>>> your needs):
>>>>>>>
>>>>>>> ---------------------------------------
>>>>>>> @ECHO OFF
>>>>>>> net use S: /DELETE
>>>>>>> net use L: /DELETE
>>>>>>> net use K: /DELETE
>>>>>>> net use Z: /DELETE
>>>>>>> net use R: /DELETE
>>>>>>>
>>>>>>> net use S: \\SINT-LUTGARDIS\Secretariaat
>>>>>>> net use L: \\SINT-LUTGARDIS\Leerkrachten
>>>>>>> net use K: \\SINT-LUTGARDIS\Leerlingen
>>>>>>> net use Z: \\SINT-LUTGARDIS\Zorg
>>>>>>> net use R: \\SINT-LUTGARDIS\Rapporten
>>>>>>>
>>>>>>> cd p:
>>>>>>> IF NOT EXIST "P:\Mijn Documenten\." MD "P:\Mijn Documenten"
>>>>>>> IF NOT EXIST "P:\Desktop\." MD "P:\Desktop"
>>>>>>> regedit /s \\SINT-LUTGARDIS\netlogon\mydoc.reg
>>>>>>> REM thnx to Jim Kronebusch for this one
>>>>>>>
>>>>>>> start /w "GROUPPOL.reg" "\\SINT-LUTGARDIS\netlogon\CPAU.exe" -u SINT-LUTGARDIS\root -p slsictict -ex "\\SINT-LUTGARDIS\netlogon\GROUPPOL.bat" -hide
>>>>>>> :END
>>>>>>>
>>>>>>> -------------------
>>>>>>>
>>>>>>> The CPAU app you can find as freeware:
>>>>>>> http://www.joeware.net/win/free/tools/cpau.htm
>>>>>>>
>>>>>>> the mydoc.reg
>>>>>>> REM thnx to Jim Kronebusch for this one
>>>>>>> ---------------------
>>>>>>> REGEDIT4
>>>>>>>
>>>>>>> [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
>>>>>>> "ExcludeProfileDirs"="Local Settings;Temporary Internet Files;Geschiedenis;Temp;Mijn Documenten;Bureaublad"
>>>>>>> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
>>>>>>> "Personal"="P:\\Mijn Documenten"
>>>>>>> "Desktop"="P:\\Desktop"
>>>>>>> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
>>>>>>> "Personal"="P:\\Mijn Documenten"
>>>>>>> "Desktop"="P:\\Desktop"
>>>>>>> -------------------
>>>>>>>
>>>>>>>
>>>>>>> and finally the groupbat.bat is simply calling
>>>>>>> ----------
>>>>>>> regedit /s \\SINT-LUTGARDIS\netlogon\GROUPPOL.reg
>>>>>>> ----------
>>>>>>>
>>>>>>> grouppol.reg
>>>>>>> ---------------
>>>>>>> REGEDIT4
>>>>>>>
>>>>>>> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
>>>>>>> "NoInstrumentation"=dword:00000001
>>>>>>> "NoSimpleStartMenu"=dword:00000001
>>>>>>> "NoWelcomeScreen"=dword:00000001
>>>>>>>
>>>>>>>
>>>>>>> If any of you are having better options, please let me know
>>>>>>> I'd like to learn every day of my life...
>>>>>>> Don't know if this is a very secure way of life, if I do take big
>>>>>>> risks please tell me :-)
>>>>>>>
>>>>>>> Kevin
>>>>>>>
>>>>>>> On 12-Aug-05, at 21:20, Kevin Verheyen wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I found a wonderful source on the internet with all possible
>>>>>>>> userkeys used by windows Group Policy
>>>>>>>>
>>>>>>>> http://winportal.net/support/grouppolicy.html
>>>>>>>>
>>>>>>>> Certainly a wonderful source of info !!
>>>>>>>>
>>>>>>>> Kevin
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> K12OSN mailing list
>>>>>>>> K12OSN at redhat.com
>>>>>>>> https://www.redhat.com/mailman/listinfo/k12osn
>>>>>>>> For more info see <http://www.k12os.org>
>>>>> ---------------------------------------------------------------
>>>>>    The views expressed here are my own and not   necessarily      
>>>>>           the views of Portsmouth College
>> ----------------------------------------------------------------
>> This message was sent using IMP, the Internet Messaging Program.
>
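
Added example, not part of the original message and not code from any poster on this thread: a server-side check that walks the NETLOGON directory and flags logon-script lines carrying an inline account password, the exposure raised above about startup.bat being readable by regular users. The two match rules (a "-u <account> ... -p <password>" pair shaped like the quoted CPAU call, and "net use" with a positional password) are assumptions, and the server, account and password names in the sample are constructed placeholders.

```python
import re
from pathlib import Path

SCRIPT_SUFFIXES = {".bat", ".cmd"}

# Assumed patterns: "-u <account> ... -p <password>" (the CPAU call shape quoted
# in this thread) and "net use <target> <password> /user:<account>".
RULES = [
    ("-u/-p credential pair", re.compile(
        r'(?<!\S)-u\s+(?P<user>"[^"]+"|\S+).*?(?<!\S)-p\s+(?P<secret>"[^"]+"|\S+)',
        re.IGNORECASE)),
    ("net use with inline password", re.compile(
        r'\bnet\s+use\s+\S+\s+(?:\\\\\S+\s+)?'
        r'(?P<secret>(?!\\\\|\*)[^/\s]\S*)\s+/user:(?P<user>\S+)',
        re.IGNORECASE)),
]

def scan_text(text, name="<memory>"):
    """Return findings as dicts; the secret itself is never echoed back."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.lower().startswith(("rem ", "::")):
            continue  # blank lines and batch comments carry no live command
        for rule, pattern in RULES:
            m = pattern.search(stripped)
            if m:
                findings.append({"file": name, "line": lineno, "rule": rule,
                                 "account": m.group("user").strip('"'),
                                 "secret_len": len(m.group("secret").strip('"'))})
    return findings

def scan_share(root):
    """Walk a NETLOGON directory on the server and scan every batch script."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCRIPT_SUFFIXES:
            findings += scan_text(path.read_text(errors="replace"), str(path))
    return findings

# Constructed sample (server, account and password are placeholders).
SAMPLE = r'''@ECHO OFF
net use S: \\EXAMPLE-SRV\share
REM start CPAU.exe -u EXAMPLE\old -p oldpass -ex x.bat
start /w "job" "\\EXAMPLE-SRV\netlogon\CPAU.exe" -u EXAMPLE\admin -p PLACEHOLDER-PW -ex "\\EXAMPLE-SRV\netlogon\job.bat" -hide
net use T: \\EXAMPLE-SRV\staff PLACEHOLDER2 /user:EXAMPLE\svc
'''

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "startup.bat"):
        print(finding)
```

Any finding means the named account's password is readable by every user who can read the share, so the account should be treated as exposed and its password changed.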


