Best approach to a dialog at login

[txjump]

Hello,

I'm not a VBScripter so I'm asking for some input on how best to display a custom dialog at login.

We have a script that runs whenever you log onto a network machine. I need to display some text and ask for acceptance the first time someone logs in. From what I've read I need to create a COM object. Is this true? Or is there an option of creating an exe and running the exe if and only if this is the first login? If so, what do you consider the best approach?

Thanks in advance,
txjump

 

[markdmac]

Txjump, are you looking to add a legal disclaimer?

I hope you find this post helpful.

Regards,

Mark

 

[txjump]

Something like that. I was told what its supposed to look like but I've not been given the text yet.

 

[markdmac]

The registry provides such a mechanism and can be configred via GPO.

I hope you find this post helpful.

Regards,

Mark

 

[txjump]

okay...

is this some sort of function i can call to get a dialog to show up or is this text in the command window or ... html ... or ?

can you point me in a more specific direction or to a link with documentation?

thanks,
txjump

 

[markdmac]

Prior to login the user will be presented with a popup that they must click Accept on. If they click cancel then they can't login.

Take a look at this KB

http://support.microsoft.com/kb/101063/en-us

to manually set this up on a single PC.

You can configure this in a GPO to be applied to all workstations in your domain as well. In the GPO, move to Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options and set the 'Message text for users attempting to log on' and 'Message title for users attempting to log on'.


I hope you find this post helpful.

Regards,

Mark

 

[txjump]

hey mark,

thanks! thats definately the idea. the only requirement i can see that is left to address is that its only supposed to happen the first time they login (new user).

from what it looks like, that cant be done with this because it happens before it even knows the users id. ive asked the guy who requested this from me to let me know if thats a strict requirement.

in light of that...any other ideas as to how i should accomplish this? hehehehe. i really dont want to go the route of html and activeX so ... either com or plain ole exe...?...

thanks,
txjump

 

[markdmac]

Well, this is really the industry standard so I'd say to be agressive with pushing that as a solution.

You could do it some other ways like look for a custom reg key in the users registry path and if not there do a message box then write the key, and if there exit.

Thing with this is the user has to first login to see that so they gain access to the network without really agreeing to anything.

If you don't like the fact that this requires an extra click, you can also customize the Windows login banner. I like this as a solution best. Here is a script to quickly set it.

on error resume next
 
Dim path
Set WSHShell = Wscript.CreateObject("WScript.Shell")
Path= "HKLM\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\Winlogon\"
WSHShell.RegWrite path & "LogonPrompt","Illegal use of this system will result in severe beatings!","REG_SZ"

I hope you find this post helpful.

Regards,

Mark

 

[markdmac]

Correction, please note that in the above code there is an unwanted space before "CurrentVersion".

Here is a corrected version of the same script with a more serious take on the legal warning:

'==========================================================================
'
' NAME: SetLogonPrompt.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: [URL unfurl="true"]http://www.TheSpidersParlor.com[/URL]
' COPYWRITE (c) 2005 All Rights Reserved
' DATE  : 4/25/2006
'
' COMMENT: 
'
'==========================================================================

On Error Resume Next
 
Dim Path
Set WSHShell = Wscript.CreateObject("WScript.Shell")
Path= "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"
WSHShell.RegWrite path & "LogonPrompt","Stop! This system is for authorized company business.  Failure to comply with company policies for online use may result in disciplinary action or termination.","REG_SZ"
If err then
	msgbox "Error Encountered"
Else
	msgbox "Logon Prompt Setup Sucessful"
End if

I hope you find this post helpful.

Regards,

Mark

 

[txjump]

Hey Mark,

I appreciate your help but this won't work. I've been told that HR wants it once and only for new hires.

I work for a global company with over 20 offices worldwide. I am a lowly developer in the basement who has no pull.

~txjump

 

[markdmac]

OK, well you need to provide some more details on what it is that they want to have happen and you may need to push back on them and just let them know that not EVERYTHING is technically possible.

1.Need to understand what the warning is. Is it a legal disclaimer?
2.Do they want it executed BEFORE LOGIN? ie must agree before access to the system is granted?
3.If the user says no should they not be granted access?
4.Do you need to record the response?
5.Is it OK if the user can just cancel the windows without reading it?

The OS has been designed for this, but there are limitations. You may have to push back to HR and just let them know that they need to alter their process. Get your manager involved. Let them know we IT folks do work wonders but we can't get blood from a stone.

I hope you find this post helpful.

Regards,

Mark

 

[txjump]

Hey Mark,

I've confirmed all the answers to your questions...

1. It's a security policy they must agree to.
2. Yes, before login. Originally he said it was supposed to be part of the login script.
3. Should not be granted access
4. It would be nice to record it in an event log
5. No, canceling is not an option.

So, whatcha think?

Thanks,
~txjump

 

[markdmac]

You have zero options then besides what I have already presented.

There is no way for the system to determine who the user is, if they have gotten the login before etc. You would have to show the policy every time.

Going this route you know for certain that they were presented the information because they can't login without accepting it.

I hope you find this post helpful.

Regards,

Mark

 

[dmcse]

You have a GPO option. Create an OU for the users who need the disclaimer, as you do not want them all to get it. Create a GPO and write the text on the security for user logins... Text for interactive login. This should do the trick

Hope this helps

DMCSE

 

[markdmac]

dmcse, that is incorrect. That setting is a COMPUTER setting in a GPO and is applied to computer accounts, not user accounts. Moving user into the OU would do nothing.

There is no user logged in yet at the point were the Interactive Message is displayed and there would be no way for the PC to magically know that a user that has already logged in was the one who pressed Control+Alt+Del.

I hope you find this post helpful.

Regards,

Mark

 

[mrmovie]

we did something similar on request from HR, it was a promotion thing, consisted on an exe file created via VB6 which had all the pretty info and interaction. the logonscript simply wrote a registry key after it had been run and the existance of this registry key was checked at the start of the script so that it would only run once

 

[markdmac]

MrMovie,

That sounds like a good solution however doesn't satisfy the need to have it run before login. Were your users able to cancel it? If they could close the box without clicking accept which i suspect they could, then that too disqualifies it from the requirements.

I hope you find this post helpful.

Regards,

Mark

 

[txjump]

im going to assume that the user has to put in the user id and password. but is there a point when verification happens but the user has not yet be granted access to the machine?

thats when this needs to happen.

 

[markdmac]

This will happen before the user enters their info. The verification is that they have clicked OK to be granted access to the login boxes.

I hope you find this post helpful.

Regards,

Mark

 

[barny2006]

can they just create an empty text file and at logon, check for existence of it? if it exists, not to display the security msg, if it doesn't exist, display security msg.