Timed login on W2kx

[Wabbitwashere]

Hello,

On our campus we going to test a facility to give students access to shared resources like internet. Students can login by using a Thin Client a laptop or a common PC. All thes machines will be operating on Win2000 or XP.

I'm using VBS and I'm looking for a solution to time the login of 'a' user. The ammount of time a student can use this facility will be limited, since we do not have 15000 PC's ;-)

What do I want to do?
During logon a timer has to be started. A student can have X ammount of time do browse the internet or do something else. After, let say, 55 minutes a user will get a popup telling to logoff wthin 5 minutes. After 60 minutes the user will be logged. During a certain amount, some hours, of time the user can not login. Please note that there a more then 1 machine. A user could be simply walking to another system and try to login.

Can anybody help me with this problem? It would be much appreciated.

Regards and many thanks for taking your time reading this,

Wabbitwashere (yes.. from The Netherlands ;-)

 

[markdmac]

Wow that is a tough order.

I think you will need to do something like this.

Have the user logon and have a WSH start a timer. This timer will first check the server for a file (see below). If the file exists, then a messagebox tells them to go away and a forced logoff is executed. This process would naturally be running in the background and taking up resources. :-(

The timer when complete would create a text file on your server with the users name.

Meanwhile, another process would be running on your server, say every five minutes it will execute and look at the file creation date for the user files. If they are old enough it deletes them so the user can log on.

To avoid sneaky students from stopping all of this you would need to do all of the following:

1.)Launch the timer remotely so it is not an interactive process.
2.)Lock the students out of task manager so they can't stop the timer process.
3.)Give the users write only rights to the folder used for the user files.

None of the scripts above would be that hard to create. Let me know if you like the general design of what I have outlined and I can help you with the scripts if you need help.



I hope you find this post helpful. Please let me know if it was.

Regards,

Mark

 

[mrmovie]

mark pposted something about stopping users from logging on more than once about 3 days ago.
i think i would have all the work done by the server.

i.e. all that happens at logon is that the file is created on the server.

that way nothing will need to be running on the client machine, no exe that the students can kill

The file on the server might contain, client machine name, username and mac/ipaddress.

the server process would, as already suggested, monitor these userlogon file and if one is 55 minutes old then it would do a Net Send message taht the user will be logged off in 5 minutes time. when the file is over 60 minutes old the server will kick the user off the domain/machine

i think

 

[markdmac]

Great idea Mr Movie. My brain went down that timer path and never got out of it.

You are right about keeping stuff off of the local PC. That would be best. (and here I worked on the timer behind the scenes if you ever need it ) Anyway the math for that could be used for the server checking file age I suppose.

The login script would check if the file exists. If it does it checks the age. If the age is too old it displays a message box then logs the user off. Behind the scenes the login script would write the PC name to the file so we know where they are logged in.

The server would only need to care about the file creation time. Once that is old enough, the file gets deleted so they can start over.

Key to this working would be restricting users from logging in at more than one location.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark

 

[Wabbitwashere]

Hello,

I have read all the replies.Thanks!
On this moment on my location it is around closing time. On monday I will look into your comments!

Hope you all will have a nice wekend!!

 

[Wabbitwashere]

Hello,

Sorry for the delay, we are extremly busy trying to keep 2000 students out...;-)
Many thanks for all your input, this week I had some time to think things over, reading all replies and concluded the following:

I will use 1 central profile. This will be mandatory, policies will prohibet user to use the taskmanager. In fact users will have a blank desktop with a IE link...(that will teach them;-)

When a user logs in a file like user1.log, user2.log will be written somewhere. (In stead of the %user1% the name of the user will be used)

If the timestamp of the file is older then X time the file will be deleted and a new one will be created. If none exists a new file will be created and if timestamp is jounger then X time login will be refused.

I now have a empty file with a timestamp => I know which user and on what time she/he logged in. For fun login information could be written to a central file.

Somehow a timer has to be started, and count for Y time. If Y-300 time is passed the user will get a notification telling only 5 minutes are left. At time Y time a notification will tell the user he/she will be logged of and the user will be logged off.

Problem: how to start a timer process on the clientside?

If anybody like to shoot.... Again many thanks for your input.

Regards,

 

[markdmac]

Rather than have the timer run on the workstation, you should have it run on the server as a scheduled task. That way a user can't work on one pc. Log off to stop the timer and log in again or at another PC to start a new time.

1. Set it so that all users can only log in once. Refer to MSKB 237282 for details at

http://support.microsoft.com/?id=237282

2. I'd have the client create a file on the server. The file should have the name of the user and as text within it should hold the computer name they are currently logged in at. at logon the workstation checks the file. If it is within the time frame of allowed use they EDIT the file to replace the machine name within it. If the value within it currently is LoggOff then a message box is popped up advising they can't log on right now and a logoff is initiated.

3. Have a scheduled task on the server that checks the file creation date/time for your user files. If a file has just expired it writes the value of LogOff to the file then sends a message to the user and logs them off. If the value of the file is LogOff and they have waited long enough, then the server deletes the file. I'd run this task every 1 to 5 minutes or so. It shouldn't take up much processor utilization.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark

 

[Wabbitwashere]

Thanks for your remarks.

However my boss does not want to setup a SQL server or place additional components on clients. Most clients will be Thin Clients, Chippc's and so on.

I have found a nice tool called Winoff (

http://www.ampsoft.net).

After starting it will start a local timer (yep ;-) and after some time the user will be logged off. Does anybody knows how to start a exe from VBS? (BTW this exe will be placed in the script folder of the policie and will be replicated to all the DC's)

Keeps the problem of letting the user not log in more then once on the same moment, I think I do have the solution:

In the file that wil be created when a user logs in the time will be written. The amount of time that will be available for the user is X. If a user logs in a check will be done if the file exists. If it does we need to look into it to see the logon time. If this is older than the 'login time' + (X+Y) login will be allowed (Y= a waitperiod). This means a user can not log in more then once on the same moment... (is it??????)

 

[mrmovie]

surely your users want to do more than use the internet!! please dont tell me uni's have become little more than cyber cafes!!!!

look, if you want it implemented get me a free pass to the Uni Bop for a month and consider it done.

dont worry too much about sql and additional components on the server side.

take the advice you have been given and have a process on the server.
all this process needs to be is a vbscript file which runs constantly.
what does you boss know about these things? does he know what is the best approach??? maybe he does


anyway you have just said the users will edit the file on the server....makes it pretty easy to hack the server if the users have rights to edit file on it!!!
anyway you sound like you have an interesting project to get stuck into. take it a bit at a time. like start with logging the users off automatically. then consider how you are going to start this auto log off etc

 

[mrmovie]

sorry to get round the users editing files iwould suggest

\\server\dump

this is where the users have write\create access. this is where, when they logon, they create the stamp file.

you then have a vbscript/exe running on the server which checks this \\server\dump folder and copies the files to the actual monitoring folder
\\server\monitoring.

that way the users can request things to happen with the \\server\dump but the actual basis for action is in a seperate area which only the 'admin' can view\modify

sorry im thinking out loud, im sure i have some work of my own to do ;-)

 

[mrmovie]

hmm sorry this is interesting !!!

LOGGING
i would start with simply logging what is actually happening. i.e. log when and who logs on to which client machine and what time they log off.

MONITORING
based on the information in LOGGING you should be able to monitor what is happening.

ACTION
based on the MONITORING you should be able to ACT. to start off with simply display a message to the user NET SEND "you have been using the internet for 60 mins please log off". You dont actually have to force a log off just ask the user nicely, log the fact that you have asked them nicely

FORCE
once the above is working you can decide if you want or need to FORCE them to log off. perhaps you could taylor you logs to allow you to pick up on persistant offenders and only force those persistant offends to log off.

the most important design stage for you is the LOGGING and MONITORING

 

[Wabbitwashere]

Well this is startig to be an interresting discussion!

First let me clear out WHY we only NEED a webbrowser..: Users will be able to connect to a Citrix Portal (Nfuse) if they want to run applications. Please note: most of the TC's will be Chippc's etc.

A started client PC will be controlled by policies and a limited profile. No access to will be given to an explorer,taskmanager or whatever. So client PC's will be domainmembers.

I have come up with a first little (TEST) solution for the timed login:

=====>> start snippet:

PCName=Createobject("Wscript.network").Computername
PCUserName=Createobject("Wscript.network").Username
PCIdentity=ucase(left(PCName,2))
PCUseTime=30
PCWarningPeriod=15

select case PCIdentity
case "TC"
Textline1 = "Toegang tot het netwerk van de Vrije Universiteit van" &vbCrlf
Textline2 = "Amsterdam is vrij maar wel gebonden aan restricties"&vbCrlf
Textline3 = "en kan worden GEMONITORD!"
createobject("wscript.shell").popup Textline1 & Textline2 & Textline3, 10, PCUserName & " welkom op machine: " & PCName , 64
WScript.Sleep PCUseTime * 1000
createobject("wscript.shell").popup "Over enkele minuten wordt u uitgelogd", 10, "Uw tijd is om.." , 64
WScript.Sleep PCWarningPeriod * 1000
createobject("wscript.shell").popup "De verbinding wordt verbroken", 10, "Tot ziens.." , 64
createobject("wscript.shell").run "\\servername\sysvol\logoff"
End select

<< ===== end snippet
On the client PC the WSH need to be installed whih is the case with all the used or intended to be used clients. The logoff.exe idea is taken from the NT4 res kit. The executable is the one from XP.

In practice there is nothing a user can do (now) to prevent be logged off when the timeslot has expired. First tests on severall Thin Clients has shown this part works.

Now I need to prevent a user from being logged in more then one time and I need a solution for the user timeout. A user can use a TC more times a day, however between each session a period of time the user will not be granted access.

Again thank you all for your input!

 

[markdmac]

Stopping the user from logging in more than once is easy. See the link in my post above.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark

 

[mrmovie]

i dont like the use of

createobject("wscript.shell").popup "blaa"
createobject("wscript.shell").run

i am not sure about the impact exactly but i would have thought it might prove costly.
i would advise creating a WshShell object once and then use that.

Set WshShell = CreateObject("Wscript.Shell")

then
WshShell.Run
WshShell.Popup

if nothing else it will make things easier to read

 

[Wabbitwashere]

Hi,

MrMovie: Thanks for pointing out my 'sloppy programming' ;-) please note that I used all the examples I could get mij hands on, for sure I welcome all advice on best pratices.

MarkDMac: we will not use the Microsoft suggestion... On this moment i'm working on an idea described in one of my previous posts. However assitance would be welcome since I'm not a VBS programmer.

I will post a example of what i'm trying to do next week.

Regards,