[windows2000] Re: Remote Desktop

  • From: "Ray Costanzo" <ray@xxxxxxxxxx>
  • To: <windows2000@xxxxxxxxxxxxx>
  • Date: Fri, 15 Feb 2008 11:49:27 -0500

Hi Sorin,
 
Here's what I came up with in a mad dash before I run out to pick up my car
that's been in the shop since Monday.  8D
 
For testing this, I put everything right in the root of my C: drive.  Note
that the file path to your exception list and the file that will hold the
list of users removed is HARD-CODED in RemoteSupport.vbs right at the top.
This could be a path to, say, your netlogon share maybe?  (The exception
list, I guess, not the replace list.)
 
Filename:  ExceptionList.txt
Contents:
KYMMERAY\Ray
Kymmeray\Domain Admins
 
  _____  

 
Filename:  DisableAdmins.wsf
Contents:
<job>
 <script src="RemoteSupport.vbs" language="vbscript" />
 <script language="vbscript">
  RunThisAtLogon()
 </script>
</job>
 
  _____  

 
Filename:  EnableAdmins.wsf
Contents:
<job>
 <script src="RemoteSupport.vbs" language="vbscript" />
 <script language="vbscript">
  RunThisAtLogoff()
 </script>
</job>
 
  _____  

 
Filename:  RemoteSupport.vbs
Contents:
Const EXCEPTION_LIST = "C:\ExceptionList.txt"   ' one DOMAIN\Name per line; these stay in Administrators
Const REPLACE_LIST = "C:\Replace.txt"           ' members recorded at logon, re-added at logoff

Dim fso
Dim shell
Dim exceptionArray

Sub RunThisAtLogon()
 Set fso = CreateObject("Scripting.FileSystemObject")
 Set shell = CreateObject("WScript.Shell")
 If Not fso.FileExists(EXCEPTION_LIST) Then
  MsgBox "No exception list exists.  All administrators would be removed.  This isn't a good idea, so this script will stop running now."
  Exit Sub
 End If
 exceptionArray = GetList(EXCEPTION_LIST)
 RemoveUsers()
 Set fso = Nothing
 Set shell = Nothing
End Sub

Sub RunThisAtLogoff()
 Set fso = CreateObject("Scripting.FileSystemObject")
 Set shell = CreateObject("WScript.Shell")
 If Not fso.FileExists(EXCEPTION_LIST) Then
  MsgBox "No exception list exists.  All administrators would be removed.  This isn't a good idea, so this script will stop running now."
  Exit Sub
 End If
 ReplaceUsers()
 Set fso = Nothing
 Set shell = Nothing
End Sub

Sub RemoveUsers()
 Dim command
 If fso.FileExists(REPLACE_LIST) Then
  command = "%comspec% /c del """ & REPLACE_LIST & """"
  shell.Run command, 0, True
 End If
 ' Dump the current members of the local Administrators group to REPLACE_LIST.
 ' skip=6 steps over the header lines that "net localgroup" prints before the member names.
 command = "%comspec% /c for /f ""tokens=* skip=6"" %a in ('net localgroup administrators') do (echo %a>>""" & REPLACE_LIST & """)"
 shell.Run command, 0, True

 Dim existingAdmins
 existingAdmins = GetList(REPLACE_LIST)
 If Not IsArray(existingAdmins) Then Exit Sub

 Dim i
 For i = 0 To UBound(existingAdmins, 1)
  If IsAccountLine(existingAdmins(i)) And Not IsException(existingAdmins(i)) Then
   command = "%comspec% /c net localgroup administrators """ & existingAdmins(i) & """ /delete"
   shell.Run command, 0, True
  End If
 Next
End Sub

Sub ReplaceUsers()
 Dim usersToAdd : usersToAdd = GetList(REPLACE_LIST)
 If IsArray(usersToAdd) Then
  Dim i, command
  For i = 0 To UBound(usersToAdd, 1)
   If IsAccountLine(usersToAdd(i)) Then
    ' Members that were never removed (the exceptions) fail harmlessly on /add, so the whole list is replayed.
    command = "%comspec% /c net localgroup administrators """ & usersToAdd(i) & """ /add"
    shell.Run command, 0, True
   End If
  Next
 End If
End Sub

Function GetList(filepath)
 ' Returns the file's lines as an array, or Empty when the file is missing (IsArray(Empty) is False).
 Dim fileContents, result
 If fso.FileExists(filepath) Then
  fileContents = fso.OpenTextFile(filepath, 1).ReadAll
  result = Split(fileContents, vbCrLf)
 Else
  result = Empty
 End If
 GetList = result
End Function

Function IsAccountLine(textLine)
 ' Skips blank lines and the trailing status line "The command completed successfully."
 ' that "net localgroup" appends after the member names (English output assumed).
 IsAccountLine = (Len(Trim(textLine)) > 0) And (InStr(1, textLine, "The command completed", vbTextCompare) = 0)
End Function

Function IsException(loginName)
 Dim i
 For i = 0 To UBound(exceptionArray, 1)
  If UCase(Trim(loginName)) = UCase(Trim(exceptionArray(i))) Then
   IsException = True
   Exit Function
  End If
 Next
 IsException = False
End Function
 
Feel free to e-mail me privately (ray@xxxxxxxxxx) if something doesn't work
right!
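The same logon/logoff idea in PowerShell, added here as an example and not part of Ray's post or the thread: it reads the group through the ADSI WinNT provider instead of parsing the localized text output of net localgroup, and records only the members it actually removed so the logoff step re-adds exactly those. The two file paths and the exception-list format (DOMAIN\Name per line, as in Ray's file) are assumptions.

```powershell
# Added example (not from the thread); both file paths are assumptions.
$ExceptionList = 'C:\ExceptionList.txt'   # one DOMAIN\Name per line, like Ray's file
$ReplaceList   = 'C:\Replace.txt'         # written at logon, consumed at logoff

function Get-AdminGroup {
    [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
}

# ADsPath of every member, e.g. WinNT://KYMMERAY/Ray or WinNT://KYMMERAY/Domain Admins
function Get-AdminMemberPaths {
    $group = Get-AdminGroup
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

# WinNT://KYMMERAY/Ray -> KYMMERAY\Ray, the form used in the exception list
function ConvertTo-AccountName([string]$adsPath) {
    ($adsPath -replace '^WinNT://', '') -replace '/', '\'
}

# Logon of the maintenance account: remove everyone not on the exception list.
function Disable-Admins {
    if (-not (Test-Path $ExceptionList)) {
        Write-Warning 'No exception list found; refusing to remove every administrator.'; return
    }
    $exceptions = @(Get-Content $ExceptionList | Where-Object { $_.Trim() })
    $group   = Get-AdminGroup
    $removed = @()
    foreach ($path in Get-AdminMemberPaths) {
        # -notcontains compares case-insensitively, so Kymmeray\Domain Admins still matches
        if ($exceptions -notcontains (ConvertTo-AccountName $path)) {
            $group.Remove($path)
            $removed += $path
        }
    }
    # Record only what was removed; WriteAllLines copes with an empty list too
    [System.IO.File]::WriteAllLines($ReplaceList, [string[]]$removed)
}

# Logoff: put back exactly the members Disable-Admins removed, then drop the record.
function Enable-Admins {
    if (-not (Test-Path $ReplaceList)) { return }
    $group = Get-AdminGroup
    foreach ($path in Get-Content $ReplaceList | Where-Object { $_.Trim() }) {
        $group.Add($path)
    }
    Remove-Item $ReplaceList
}
```

Dot-source the file from the logon and logoff scripts and call Disable-Admins and Enable-Admins respectively; both must run under an account that is itself a local administrator.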

  _____  

From: windows2000-bounce@xxxxxxxxxxxxx
[mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Sorin Srbu
Sent: Friday, February 15, 2008 10:12 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop


<wide grin> Looking forward to the meeting are we? You are so Dilbert
sometimes. ;-)
 
Thanks in advance though, Ray.

  _____  

From: windows2000-bounce@xxxxxxxxxxxxx
[mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Ray Costanzo
Sent: Friday, February 15, 2008 3:56 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop

I'll write something up after my stupid-ass, waste-of-time daily status
meeting starting in 4 minutes.

From: windows2000-bounce@xxxxxxxxxxxxx
[mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Sorin Srbu
Sent: Friday, February 15, 2008 9:46 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop

What would a script like that look like? I'm still a scripting-n00b... 8-/

  _____  

From: windows2000-bounce@xxxxxxxxxxxxx
[mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Ray Costanzo
Sent: Friday, February 15, 2008 3:41 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop

How about creating scripts that run at logon and logoff for your maintenance
account?  The logon script can loop through the local admins group and
remove everyone (minus some exceptions), and then the logoff script can
re-add them.


From: windows2000-bounce@xxxxxxxxxxxxx
[mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Sorin Srbu
Sent: Friday, February 15, 2008 9:02 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop

Well, I've been kinda' thinking along the same lines, but the amount of
small applets and specialised software we use is staggering, meaning I'm
reluctant even to start this project. It's easier to just grant a little bit
higher privs.

It's like it happens on a regular basis, it's just very irritating *when* it
happens and I need to look up this user in person and whatnot, basically I'm
losing time.

Maybe I should just live with it... 8-}

  _____  

From: windows2000-bounce@xxxxxxxxxxxxx
[mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Sullivan, Glenn
Sent: Friday, February 15, 2008 2:53 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop

WinXP only supports one session at a time, so there's no way for both of you
to log on.

But seriously, Jim hit the nail on the head.  Make your users regular users,
not power users, and use FileMon and RegMon to determine where the rights
need to be granted for your software.

Then they won't be able to log you off.

The only other thing I can think of would be to temporarily change the Local
System policy for "Log On Locally" to only include admins while you are
patching, but I'm not sure that's practical.

Glenn Sullivan, MCSE+I MCDBA
David Clark Company Inc.

  _____  

From: windows2000-bounce@xxxxxxxxxxxxx
[mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Sorin Srbu
Sent: Friday, February 15, 2008 8:22 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop

<grin> It might be thought to be offensive to use such a logon name, besides
I'm not sure they'd get the hint. 8-)

I can't limit my time, I work the same hours as the other people here.

I get logged off when the user on the remote computer logs on. This is WinXP
and I usually log on to the console, so if the user logs on physically on the
remote computer, I get logged off. The users on the other end are mostly
Power Users as some software we run requires admin rights and I don't like
to give them that. Power User privs usually work though, so that's what we
use.

If I didn't log on remotely to the console, could the user log on while I'm
still in a background session?

  _____  

From: windows2000-bounce@xxxxxxxxxxxxx
[mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Kenzig
ThinHelp.com
Sent: Friday, February 15, 2008 2:13 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop

Change your admin login name to KeepyourgrimymittsoffuntilImdone? Seriously,
we limit logon times via AD until just 15 to 20 minutes prior to opening so
that we can do maintenance. You might not be able to do that though.  I'm
not sure how the user is logging you off as admin though unless they have
admin privs on their local desktop.

Jim

On Fri, Feb 15, 2008 at 4:27 AM, Sorin Srbu <sorin.srbu@xxxxxxxxxxxxx>
wrote:

Hi,

It happens quite often that when I administer and/or fix remote workstations
using RDP, the user comes back from wherever and logs on despite the
logon window saying somebody else (me) is logged on at this moment, with the
result that I'm being logged off in the middle of an update or some such.

Is there a way to prevent an admin/domain admin from being logged off from an
RDP session by a user with lower privs, e.g. Power User?

TIA.

--
BW,
       Sorin

# Sorin Srbu
# [Systems Engineer, Sysadmin]          Web: http://www.orgfarm.uu.se
# Dept of Medicinal Chemistry,  Phone: +46 (0)18-4714482 >3 signals> GSM
# Div of Org Pharm Chem,                Mobile: +46 (0)701-718023
# Box 574, Uppsala University,  Fax: +46 (0)18-4714482
# SE-751 23 Uppsala, Sweden     Visit: BMC, Husargatan 3, D5:512b
#
# ()  ASCII ribbon campaign - Against html E-mail
# /\
#
# Harmless tagline follows:
#
# At first there was nothing. Then God said 'Let there be light!' Then there
was still nothing. But you could see it.

-- 
Jim Kenzig 
Microsoft MVP - Terminal Services
http://www.thinhelp.com
Citrix Technology Professional
CEO The Kenzig Group
http://www.kenzig.com
Blog: http://www.techblink.com 
