Windows NT - Miscellaneous

This page is still under construction, but perhaps you will find something useful here already.

------------------------------------------------------------------------

Captive user account

Somebody asked for the possibility to let Windows NT users run only one program and log out automatically when that program is closed. Here is my suggestion:

1. Create a batch file with only these two lines:

   Theprogramwhichtheusermayrun
   Logout

2. Create a mandatory profile for this user.
3. Remove all groups from this profile except the autostart group.
4. In this group, put the batch file created in step one.

The program Logout.exe does nothing except terminate the user's Windows session. It has no options and no online help, but it gives running programs the possibility to ask the user whether he wants to save changed files.

------------------------------------------------------------------------

Can files be hidden from the Administrator? OK, I know he can take ownership, but I will see this later!

Wrong. The Administrator can usually take the rights he wants. So he can give himself Backup Operator rights and then back up the directories he wants to read. The next step is to restore them to another directory, change the permissions and use the files the way he wants. You will never trace this, because you cannot see it on the original files!

------------------------------------------------------------------------

How do I get the WinExit screensaver (NT 3.51) on my Intel machine to work?

First, use the version that comes with Reskit 3.50. The version in Reskit 3.51 is for Alpha machines. With the right version, do the following:

1. Log on as local administrator and install it. It will create a file control.ini in %systemroot%. The reason you must log on as administrator is that users should have only RX rights in this directory.
2. Give users "set key" and "create subkey" rights in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\control.ini

------------------------------------------------------------------------

What do you have to do to give users the ability to change the time on their own machines, so that when they run the login script it will actually set the time rather than error out saying they don't have permission to do so?

There is no need for this permission. Just schedule a job on all your NT machines, like

   at 12:00 /every:M "net time \\timeserver /set /yes"

where timeserver is the machine with the most precise time. (at.exe expects the day abbreviations M, T, W, Th, F, S, Su; "M" is Monday.)

------------------------------------------------------------------------

I would like to allow anyone on our network to add themselves to the NT domain. I have given the "Add Workstation to Domain" right to all domain users and even to "Everyone". But it doesn't work - only people in the Administrators group can add computers.

I consider this very useful behaviour. Giving this right to somebody is the same as giving this person the right to try to hack all accounts. He only needs to install NT Server (maybe on a laptop he brings from home) as a BDC. He will then have the user database on his machine. After disconnecting the machine from the net, and after setting the policy to not lock out accounts after invalid logon attempts, the person could try to find a weak password.

------------------------------------------------------------------------

What user rights should I give %Systemroot%?

There is no security concept in Microsoft's design of NT and its applications. So you can't have a secure NT system and a fully working user account on the same machine at the same time :-( For instance, you need to give users write access to %Systemroot% if they are running Winword 7.0 - it creates a file username.acl in this directory. It is a pity that the designers of Winword never heard of home directories.

Microsoft does not provide information about which rights are required for which directory when you buy NT. I worked out the following procedure for giving user rights in %systemroot%. It does not apply to the subdirectories!

1. Make all files RX.
2. Make *.ini RWXD.
3. Make the directory (no files) (RWXD) (not specified) for users.
4. Make the directory (no files) (RWXD) (RWXD) for owners.

Points 3 and 4 make files created in %systemroot% (for instance username.acl) inaccessible to other users, but of course an idiot user could always delete *.ini.

I have these user permissions set in the system32 directory and it seems to work:

   dir:   (RX) (RX)
   files: RX

Exception: CMOS.RAM needs RW, otherwise users will get an error message when they start a DOS shell.

If you did buy the Resource Kit, you can have a look at the file c2ntfacl.inf. It gives an example of a secure installation, but it might be too restrictive in some cases.

------------------------------------------------------------------------

Does anyone have any idea how to set up permissions for user directories such that the user will only see his/her own directory and not all the other user directories?

This works for me:

1. Share every user's home directory as username$ - the trailing $ hides the share.
2. On logon, connect \\server\username$ to drive Z: - this is now every user's home drive.
3. Give only Administrators and SYSTEM full access to your \users directory.

Now the only way a user can reach his home directory is to go to Z:; there is no way to go to it directly.

------------------------------------------------------------------------

Go to my Windows NT main page
Go to my Homepage.

This page was last updated 16 April 1997.
Mail me (fh@rcs.urz.tu-dresden.de) if you want.
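The three steps of the home-directory answer above as one administrator-run script, added here as an example and not part of the original page. The path D:\users, the script name mkhome.cmd and the server name in the logon-script line are assumptions; cacls.exe and net.exe ship with Windows NT.

```batch
@echo off
rem Added example, not from the original page. Run once per user by an
rem administrator on the file server. Assumes home directories live under
rem D:\users (constructed path) and that cacls.exe is on the PATH.
rem Usage: mkhome.cmd username
if "%1"=="" goto usage

rem Step 3: only Administrators and SYSTEM get access to the parent \users
rem directory, so nobody can browse to other users' home directories.
rem cacls without /E replaces the whole ACL and asks for confirmation,
rem hence the piped "y".
if not exist D:\users\nul md D:\users
echo y| cacls D:\users /G Administrators:F SYSTEM:F

rem The user's own directory: the user gets Change, admins and SYSTEM get
rem Full Control. /T applies the ACL to anything already inside.
if not exist D:\users\%1\nul md D:\users\%1
echo y| cacls D:\users\%1 /T /G Administrators:F SYSTEM:F %1:C

rem Step 1: a share name ending in $ is not shown in browse lists. The
rem share points straight at the user's directory, so the missing access
rem on \users itself does not matter for the user.
net share %1$=D:\users\%1 /remark:"Home directory of %1"

rem Step 2 belongs in the domain logon script (a separate file), one line:
rem    net use Z: \\server\%USERNAME%$
rem where "server" is the name of this file server.
goto end

:usage
echo usage: mkhome username
:end
```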