Setting "Global Computer Settings" via a script

  • Question

  • What is the method to configure the Global Computer settings such as the Computer Restrictions and Software Updates schedule via a script or registry?

     

     

    Tuesday, August 14, 2007 3:09 PM

Answers

  • Hi Dabell,

     

    Windows SteadyState includes a Group Policy template called SCTSettings.adm in the ADM folder, commonly located in C:\Program Files\Windows SteadyState. This template reproduces most of the settings included in the Windows SteadyState Feature Restrictions tab of the User Settings dialog box, and can be used to deploy restrictions to users. Related information can be found in the SteadyState handbook:

     

    Windows SteadyState Handbook

    http://www.microsoft.com/downloads/details.aspx?FamilyId=D64AF114-336C-4418-BEB7-E074E813B498&displaylang=en

     

     

    Most of the Computer Restriction settings can be configured via group policy or registry. You can configure a logon script to import the registry values to deploy them.

    ---------------------

    1. Do not display user names in the Log On to Windows dialog box.

    “Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name”

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName]

     

    2. Prevent locked or roaming user profiles that cannot be found on the computer from logging on.

    “Computer Configuration\User Settings\Administrative Templates\System\User Profiles\Log users off when roaming profile fails”

    [HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\System\ProfileErrorAction]

     

    3. Do not cache copies of locked or roaming user profiles for users who have previously logged on to this computer

    [HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\System\DeleteRoamingCache]

     

    4. Remove the Administrator user name from the Welcome screen

    [HKEY_LOCAL_MACHINE\SOFTWARE\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Administrator]

     

    5. Remove the Shut Down and Turn Off options from the Log On to Windows dialog box and the Welcome screen

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon]

     

    6. Do not allow Windows to compute and store passwords using LAN Manager Hash values

    “Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not store LAN Manager hash value on next password change”

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\nolmhash]

     

    7. Do not store user names or passwords used to log on Windows Live ID or the domain (requires restart of the computer)

    “Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of credentials or .NET Passports for network Authentication”

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Disabledomaincreds]

     

    8.  Prevent users from creating folders and files on drive c:\

     

    9. Prevent users from opening Microsoft Office documents from within Internet Explorer

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Excel.Sheet.5\BrowserFlags]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Excel.Sheet.8\BrowserFlags]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSProject.Project.8\BrowserFlags]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\BrowserFlags]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.6\BrowserFlags]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\BrowserFlags]

     

    10. Prevent write access to USB storage devices (requires restart of the computer)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect]

     

    11. Turn on the Welcome screen

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LogonType] 

     

     

    Windows SteadyState currently detects and includes scripts for updating the following security products:

     

    - Computer Associates eTrust 7.0

    - McAfee VirusScan

    - Windows Defender

    - TrendMicro 7.0

     

    If you would like to update other security products with scripts, as this forum doesn’t support custom script development, you will need to write your own custom update script. You can refer to Terence and Jan’s suggestions in the following threads:

     

    http://forums.microsoft.com/WindowsToolsandUtilities/ShowPost.aspx?PostID=1865432&SiteID=69

    http://forums.microsoft.com/WindowsToolsandUtilities/ShowPost.aspx?PostID=1811683&SiteID=69

     

    Best Regards,

     

     

    Thursday, August 16, 2007 10:19 AM
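
The registry-backed settings in the list above can be audited and applied from a script. The following PowerShell is an added example, not part of the original reply; it covers items 1, 5, 6, 7 and 10 only. The thread gives key and value names but no value data, so the DWORD values used here are an assumption based on the standard values for these policies, and the function and switch names are illustrative.

```powershell
# Added example (not from the thread): audit, and optionally apply, five of the
# registry-backed Computer Restrictions listed above. The thread gives only key
# and value names; the DWORD data below is an assumption based on the standard
# values for these policies.
$PolicySystem = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$Lsa          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Settings = @(
    @{ Item = 1;  Key = $PolicySystem; Name = 'DontDisplayLastUserName'; Want = 1 }
    @{ Item = 5;  Key = $PolicySystem; Name = 'shutdownwithoutlogon';    Want = 0 }
    @{ Item = 6;  Key = $Lsa;          Name = 'nolmhash';                Want = 1 }
    @{ Item = 7;  Key = $Lsa;          Name = 'Disabledomaincreds';      Want = 1 }
    @{ Item = 10; Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
       Name = 'WriteProtect'; Want = 1 }
)

function Test-ComputerRestriction {
    param([switch]$Apply)   # illustrative switch: write values that are missing or wrong
    foreach ($s in $Settings) {
        # A missing key or value reads as $null, meaning "not configured"
        $prop    = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
        $current = if ($prop) { $prop.($s.Name) } else { $null }
        $ok      = ($null -ne $current) -and ($current -eq $s.Want)
        if (-not $ok -and $Apply) {
            # StorageDevicePolicies does not exist by default, so create keys on demand
            if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
            New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType DWord `
                -Value $s.Want -Force | Out-Null
            $current = $s.Want
            $ok      = $true
        }
        [pscustomobject]@{ Item = $s.Item; Name = $s.Name; Current = $current
                           Wanted = $s.Want; Compliant = $ok }
    }
}

# Audit only. Add -Apply from an elevated session to write the values;
# items 7 and 10 need a restart, as the reply notes.
Test-ComputerRestriction | Format-Table -AutoSize
```
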

All replies

  • The items I am looking for are the #8 on the list:

     - prevent users from creating folders and files on the C: drive

     

    as well as the registry/SteadyState settings to set the updates to use a custom script without having to open the SteadyState console.

     

    Darcy

     

    Monday, August 27, 2007 5:20 PM
  • Hi Darcy,

     

    “Prevent users from creating folders and files on the C: drive”

    --------------

    This feature is realized by changing the drive operation rights of the user accounts. Thus it cannot be applied through registry or group policy.

     

    When this feature is configured, the following drive operation rights are removed from the Users group:

     

    Create Files / Write Data

    Create Folders / Append Data

     

    You can track the changes through the following steps:

    ---------------

    1. Open “My Computer”, right click drive C and then choose Properties.

    2. Select the Security tab. Select Users (<computer name>\Users) and click Advanced.

    3. Select Users (<computer name>\Users) and click Edit.

    4. Check the permission changes.

     

    The permission settings can be set via the cacls or xcacls tool. You may create a batch file including the cacls or xcacls command and then deploy it.

     

    How to Use CACLS.EXE in a Batch File

    http://support.microsoft.com/kb/135268/en-us

     

    HOW TO: Use Xcacls.exe to modify NTFS permissions

    http://support.microsoft.com/kb/318754

     

     

    Update script

    --------------

    There is no specific registry or SteadyState requirement to run a custom script. You can load your script with the following steps:

     

    1. Open SteadyState, click “Schedule Software Updates”

    2. Select “Use Windows SteadyState to automatically download and install updates”

    3. Select the check box of “Custom Updates”. Click the Browse button to load your script.

     

    When the script is loaded, it will run automatically without opening SteadyState console.

     

    Best Regards,

    Tuesday, August 28, 2007 9:54 AM
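
The four GUI steps above for checking the drive C permissions can also be scripted. The following PowerShell is an added example, not part of the original reply: it lists every access rule that still grants the built-in Users group either of the two rights named in the reply. The function names and the `-Path` parameter are illustrative.

```powershell
# Added example (not from the thread): report whether the built-in Users group
# can still create files or folders at the root of a drive, i.e. the two rights
# the reply says SteadyState removes.
function Get-UsersCreateRights {
    param([string]$Path = 'C:\')   # illustrative parameter
    # "Create Files / Write Data" and "Create Folders / Append Data"
    $create = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
              [System.Security.AccessControl.FileSystemRights]::CreateDirectories
    # Well-known SID of BUILTIN\Users, so the check also works on localized Windows
    $usersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'

    $acl   = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -ne $usersSid.Value) { continue }
        $hit = [int]$r.FileSystemRights -band [int]$create
        if ($hit -eq 0) { continue }
        [pscustomobject]@{
            Rights    = [System.Security.AccessControl.FileSystemRights]$hit
            Type      = $r.AccessControlType
            Inherited = $r.IsInherited
            AppliesTo = "$($r.InheritanceFlags) / $($r.PropagationFlags)"
        }
    }
}

function Test-UsersCannotCreate {
    param([string]$Path = 'C:\')
    # True when no Allow rule gives Users either create right on $Path
    $allow = Get-UsersCreateRights -Path $Path | Where-Object { $_.Type -eq 'Allow' }
    return -not $allow
}

Get-UsersCreateRights | Format-Table -AutoSize
"Users blocked from creating files/folders on C:\ : $(Test-UsersCannotCreate)"
```
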
  •  

    Hello Shawn

     

    I am hoping you can help me.

     

    I have downloaded Windows Steady State and want to use it to control a retail computer environment.

     

    I have 2 domains, 1) Dull 2) Glow

     

    I have the retail worker "Alex" on Dull as this is connected to our server.

     

    The Administrator seems to be on the Glow domain.

     

    When I downloaded WSS, the only user detected is the user on Glow.

     

    How can I add Alex so that WSS can see him?

     

     

    I have tried to configure XP using Local and Group Security - but changes made there seem to affect every user (including admin).

     

    What I really want to do is restrict Alex's computer use to only a couple of programs.

     

    Grateful for any help you can offer.

    Regards

    Sol 007

     

     

     

    Friday, July 4, 2008 6:38 AM
  • Use this e.g. in a logon script.

     

    This will remove Administrator from the login screen ....

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v Administrator /t REG_DWORD /d 0 /f

    Wednesday, July 30, 2008 10:55 AM