How can I create a user account which can logon to a domain and only be able to let the logon script run (netlogon) and then log out automatically? This user needs to be as restricted as possible.
What are the possibilities?
Asked
Active
Viewed 62 times
1 Answers
0
You could replace the user's default shell (explorer.exe) with your script. In an AD domain you just set this registry key with Group Policy for the OU the user belongs to.
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
“Shell”=”C:\\Path\\To\\script.cmd”
It won't be a logon script anymore, but as soon as the script ends the user will be logged out. (Or you may need to logoff at the end of your script.)
There's no much need to limit privileges as the user hasn't any explorer.exe provided interface to launch other programs. However, in order to prevent the user from launching Task Manager from Ctrl-Alt-Delete (and other processes from it), revise:
User Configuration > Policies > Administrative Templates > System > Ctrl+Alt+Del Options
Set at least Remove Task Manager to Enable.
Esa Jokinen
- 46,944
- 3
- 83
- 129
-
Will try this. Looks like a very nice solution, thanks in advance. – WatskeBart Jun 09 '17 at 17:07
-
Sidenote, I had to add the command `logoff` at the end of the script, because it didn't logoff automatically. – WatskeBart Jun 09 '17 at 17:44
-
Good addition. I also found one possible hole in here and added both to my answer. – Esa Jokinen Jun 09 '17 at 18:12
-
1Thanks for the tip. I already have a GPO which allows a task manager but disables the creation of new tasks. – WatskeBart Jun 09 '17 at 21:04
-
Use `shutdown /l /f` as log off command, as it will force a log off even when the machine is locked. – WatskeBart Jun 12 '17 at 10:24