
Auto login to domain controlled by active directory


GussyBoy

Is it possible to have a group of users auto log into a group of PCs in an OU? If so, where can this be set? I am able to do it by modifying the registry but the password is in plain text.

Please help.
 
The "auto logon" registry keys are in the HKLM hive, which means it's a computer policy. As you know, implementing auto logon would introduce a serious security breach. Also, this cannot be applied on a per-user basis.

However...

First you would need to create a computer startup script, modifying the appropriate registry keys on each machine. There is no native policy for this, understandably. Then, you would need to either:

1. Move these computers into an OU and link the GPO to said OU.

2. Create a security group, adding these computers to the group. Configure security filtering on the GPO, applying the policy only to that security group, and linking it anywhere above where the security group resides.

On next startup, the computer will receive the policy and configure the registry for auto logon as desired. Keep in mind that there can only be ONE user account specified for auto logon. Another security no-no.

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN
 
Thanks so much for your help. I'm aware of the security risks but I intend to lock down other aspects of the OS which could help in security.

I found this and was told to add it to a .reg file...
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="DOMAIN"
"DefaultUserName"="USERNAME"
"DisableCAD"=dword:00000001
"AutoAdminLogon"="1"
"ForceAutoLogon"="1"
"DefaultPassword"="PASSWORD"

Would this work in the script? If not, how can I work it into a startup script? Thanks again for your help.
 
I'd also want to have the script and this group of users the local domain group. Can this happen?
 
Here is the script that will do what you need. Just create a new policy, as stated above, and add this to the StartUp Scripts. You can remove all other ADM's to streamline the GPO, as the StartUp Scripts do not require an ADM.

Code:
'==========================================
'VBScript: enableAutoLogon.vbs            =
'This VBScript updates the registry to    =
'enable auto-logon.  Modify the three     =
'strings in brackets, under "Define       =
'keys and values".                        =
'Courtesy of Jonathan Almquist            =
'monsterjta @ tek-tips                    =
'==========================================

Option Explicit
''''''''''''''
'Declarations'
''''''''''''''
Dim objShell
Dim RegLocAutoLogon
Dim keyDefaultDomainName
Dim valDefaultDomainName
Dim keyDefaultUserName
Dim valDefaultUserName
Dim keyDisableCAD
Dim valDisableCAD
Dim keyAutoAdminLogon
Dim valAutoAdminLogon
Dim keyForceAutoLogon
Dim valForceAutoLogon
Dim keyDefaultPassword
Dim valDefaultPassword

''''''''''''''''''''''''
'Define keys and values'
''''''''''''''''''''''''
RegLocAutoLogon = "HKLM\Software\Microsoft\" & _
"Windows NT\CurrentVersion\Winlogon\"
keyDefaultDomainName = "DefaultDomainName"
valDefaultDomainName = "[your domain name here]"
keyDefaultUserName = "DefaultUserName"
valDefaultUserName = "[your default user name here]"
keyDisableCAD = "DisableCAD"
valDisableCAD = 1
keyAutoAdminLogon = "AutoAdminLogon"
valAutoAdminLogon = "1"
keyForceAutoLogon = "ForceAutoLogon"
valForceAutoLogon = "1"
keyDefaultPassword = "DefaultPassword"
valDefaultPassword = "[your password here]"

Set objShell = CreateObject("WScript.Shell")

objShell.RegWrite RegLocAutoLogon & _
keyDefaultDomainName, 1, "REG_SZ"
objShell.RegWrite RegLocAutoLogon & _
keyDefaultDomainName, valDefaultDomainName, "REG_SZ"
objShell.RegWrite RegLocAutoLogon & _
keyDefaultUserName, 1, "REG_SZ"
objShell.RegWrite RegLocAutoLogon & _
keyDefaultUserName, valDefaultUserName, "REG_SZ"
objShell.RegWrite RegLocAutoLogon & _
keyDisableCAD, 1, "REG_DWORD"
objShell.RegWrite RegLocAutoLogon & _
keyDisableCAD, valDisableCAD, "REG_DWORD"
objShell.RegWrite RegLocAutoLogon & _
keyAutoAdminLogon, 1, "REG_SZ"
objShell.RegWrite RegLocAutoLogon & _
keyAutoAdminLogon, valAutoAdminLogon, "REG_SZ"
objShell.RegWrite RegLocAutoLogon & _
keyForceAutoLogon, 1, "REG_SZ"
objShell.RegWrite RegLocAutoLogon & _
keyForceAutoLogon, valForceAutoLogon, "REG_SZ"
objShell.RegWrite RegLocAutoLogon & _
keyDefaultPassword, 1, "REG_SZ"
objShell.RegWrite RegLocAutoLogon & _
keyDefaultPassword, valDefaultPassword, "REG_SZ"

It's up to you if you want to add your users/group to the Local Administrators group on each machine. As far as this script goes or anything else to work, it's not necessary.

Be careful to apply this policy only to the desired targets, or else you'll have some clean up duties to perform on Monday morning. Remember that this "tattoos" the registry. So, in order to remove this policy you must first disable the registry setting by modifying the appropriate values. THEN, you can remove the policy.

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN
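Because the startup script tattoos the registry, unlinking the GPO leaves auto-logon and the cleartext DefaultPassword in place. The following is an added example, not code from any poster in this thread: a PowerShell sketch that reports the state of the Winlogon values the scripts here write and then reverses them. The function names are hypothetical, and resetting DisableCAD to 0 assumes Ctrl+Alt+Del was required before the policy was applied.

```powershell
# Added example: audit and roll back the Winlogon auto-logon values.
# Run elevated. Function names are hypothetical, not part of any module.
$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonState {
    param([string]$Path = $WinlogonPath)
    # Missing values come back as $null, so absent keys read as "not set".
    $key = Get-ItemProperty -Path $Path -ErrorAction Stop
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        # String comparison covers both REG_SZ "1" and a DWORD 1.
        AutoAdminLogon    = ("$($key.AutoAdminLogon)" -eq '1')
        ForceAutoLogon    = ("$($key.ForceAutoLogon)" -eq '1')
        DisableCAD        = ("$($key.DisableCAD)" -eq '1')
        DefaultDomainName = $key.DefaultDomainName
        DefaultUserName   = $key.DefaultUserName
        # Report presence only; never echo the stored password.
        PlaintextPassword = -not [string]::IsNullOrEmpty($key.DefaultPassword)
    }
}

function Disable-AutoLogon {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $WinlogonPath)
    if ($PSCmdlet.ShouldProcess($Path, 'Disable auto-logon and remove stored password')) {
        Set-ItemProperty -Path $Path -Name AutoAdminLogon -Value '0' -Type String
        foreach ($name in 'DefaultPassword', 'ForceAutoLogon') {
            Remove-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        }
        # Assumption: Ctrl+Alt+Del was required before the policy was applied.
        Set-ItemProperty -Path $Path -Name DisableCAD -Value 0 -Type DWord
    }
}

$state = Get-AutoLogonState
$state
if ($state.AutoAdminLogon -or $state.PlaintextPassword) {
    # -WhatIf previews the change; drop it to apply the rollback.
    Disable-AutoLogon -WhatIf
}
```

Deployed as a startup script in the same GPO before the policy is unlinked, this follows the order described above: change the values first, then remove the policy.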
 
Just to offer a competing viewpoint on the script but hopefully not get into a my kung fu is better than your kung fu debate:

Code:
'==========================================================================
'
' NAME: AutoLoginConfig.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.TheSpidersParlor.com
' COPYRIGHT (c) 2005 All Rights Reserved
' DATE  : 2/18/2006
'
' COMMENT: Configures AutoLogin and allows screen lock.  
' USAGE:   Login as the ID to be set for auto login and execute this script.
'
'==========================================================================

on error resume next
Dim WshNetwork, strDomainName, path
Set WshNetwork = WScript.CreateObject("WScript.Network")
Set WSHShell = Wscript.CreateObject("WScript.Shell")
path = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"
strDomainName = WshNetwork.UserDomain
strUserName = WshNetwork.UserName
AdminPassword = InputBox("Enter Admin Password","Password?")
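' AutoAdminLogon is a string value (REG_SZ) under Winlogon
WSHShell.RegWrite path & "AutoAdminLogon","1","REG_SZ"
WSHShell.RegWrite path & "DefaultUserName",strUserName,"REG_SZ"
' Use strDomainName as read above (strDomain was never assigned and wrote an empty value)
WSHShell.RegWrite path & "DefaultDomainName",strDomainName,"REG_SZ"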
WSHShell.RegWrite path & "DefaultPassword",AdminPassword,"REG_SZ"

If Msgbox("Do you wish to lock the screen after startup?", vbYesNo, "Security Risk!") = vbYes Then
	Set fso = CreateObject("Scripting.FileSystemObject")
	strStartup = WSHShell.SpecialFolders("Startup")
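	' Second argument is the overwrite flag (ForWriting was never defined in this script)
	Set ts = fso.CreateTextFile(strStartup & "\lock.txt", True)
		ScriptCode = "Set WSHShell = Wscript.CreateObject("& Chr(34) & "WScript.Shell" & Chr(34) & ")" & vbCrLf
		' The rundll32 entry point name is case-sensitive: LockWorkStation
		ScriptCode = ScriptCode & "WSHShell.Run("& Chr(34) & "rundll32.exe user32.dll,LockWorkStation" & Chr(34) & ")"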
	ts.write ScriptCode
	ts.close
	WScript.Sleep 1000
	fso.MoveFile (strStartup & "\lock.txt"),(strStartup & "\lock.vbs")
End If



If err then
	msgbox "Error Encountered"
Else
	msgbox "Auto Login Configured Successfully"
End if

The big thing that I'm doing here is that I am configuring the system to immediately lock the screen after the AutoLogin to hopefully mitigate the security risks associated with an Auto Login.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Thanks so much for this post.....I will test it out. One question...Will the below lines set the auto login user to be local admin?

keyAutoAdminLogon = "AutoAdminLogon"
valAutoAdminLogon = "1"
 
mardmak,

Thanks for your post as well!!!!!!!
 
Nice script, Markdmac. However, this wouldn't deploy very well in a policy-based startup script, as a user would need to execute at each workstation...???

I didn't realize you knew kung fu! LOL

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN
 
One question...Will the below lines set the auto login user to be local admin?

keyAutoAdminLogon = "AutoAdminLogon"
valAutoAdminLogon = "1"

No. This is the key that needs to be set in order to enable the auto-logon. The strings in the brackets (within the script) need to be changed to match your environment (domain, username, password).

Markdmac's script auto populates the domain key. You could incorporate that into my script, if you like.

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN
 
Hi Jonathan,

You are correct, my script was written for individual machine setup but could easily be modified for inclusion in a GPO as a startup script for a group of workstations.

As I stated above, the big thing I wanted to point out here is the locking of the workstation after the auto login, which I feel is a requirement.

Regarding the kung fu... I actually teach Japanese Swordsmanship.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Monsterjta,

I tried the coding in a .bat file but the target test machine didn't receive the GPO. Any reason for this? As you said, I've placed the target test PC in an OU and created the GPO with startup script.
 
One more question.....as opposed to having the auto login for the PC's in this OU, can I have a script set a default login user with a BLANK password (that cannot be changed by the user nor expire)? I'd want the user to only have to click OK to login. At the same time, I want the password complexity requirements enforced for the rest of the domain. Is that possible?
 