Thx a bunch Ray! I'll try it out during the day. Hope your car was fine and that the bill wasn't too high. 8-)

_____

From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Ray Costanzo
Sent: Friday, February 15, 2008 5:49 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop

Hi Sorin,

Here's what I came up with in a mad dash before I run out to pick up my car that's been in the shop since Monday. 8D

For testing this, I put everything right in the root of my C: drive. Note that the file path to your exception list and the file that will hold the list of users removed is HARD-CODED in RemoteSupport.vbs right at the top. This could be a path to, say, your netlogon share maybe? (The exception list, I guess, not the replace list.)

Filename: ExceptionList.txt
Contents:

KYMMERAY\Ray
Kymmeray\Domain Admins

_____

Filename: DisableAdmins.wsf
Contents:

<job>
    <script src="RemoteSupport.vbs" language="vbscript" />
    <script language="vbscript">
        RunThisAtLogon()
    </script>
</job>

_____

Filename: EnableAdmins.wsf
Contents:

<job>
    <script src="RemoteSupport.vbs" language="vbscript" />
    <script language="vbscript">
        RunThisAtLogoff()
    </script>
</job>

_____

Filename: RemoteSupport.vbs
Contents:

' Both file paths are hard-coded here. The exception list could live on a
' share (e.g. netlogon); the replace list is written locally at logon.
Const EXCEPTION_LIST = "C:\ExceptionList.txt"
Const REPLACE_LIST = "C:\Replace.txt"
' Closing line of "net localgroup" output. net.exe messages are localized,
' so change this on non-English systems (and check that "skip=6" below
' still skips exactly the header lines).
Const STATUS_LINE = "The command completed successfully."

Dim fso
Dim shell
Dim exceptionArray

Sub RunThisAtLogon()
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set shell = CreateObject("WScript.Shell")
    If Not fso.FileExists(EXCEPTION_LIST) Then
        MsgBox "No exception list exists. All administrators would be removed. " & _
               "This isn't a good idea, so this script will stop running now."
        Exit Sub
    End If
    ' Put the maintenance account itself on the exception list; otherwise it is
    ' removed too and only gets its membership back when the logoff script runs.
    exceptionArray = GetList(EXCEPTION_LIST)
    RemoveUsers
    Set fso = Nothing
    Set shell = Nothing
End Sub

Sub RunThisAtLogoff()
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set shell = CreateObject("WScript.Shell")
    If Not fso.FileExists(EXCEPTION_LIST) Then
        MsgBox "No exception list exists. All administrators would be removed. " & _
               "This isn't a good idea, so this script will stop running now."
        Exit Sub
    End If
    ReplaceUsers
    Set fso = Nothing
    Set shell = Nothing
End Sub

Sub RemoveUsers()
    Dim command, existingAdmins, i
    ' Start from a fresh Replace.txt so stale entries from an earlier run are
    ' not re-added at logoff.
    If fso.FileExists(REPLACE_LIST) Then fso.DeleteFile REPLACE_LIST, True

    ' Dump the current members of the local Administrators group to a text
    ' file. The redirection is placed before "echo" on purpose: with
    ' "echo %a>>file" a name ending in a digit (e.g. "user2") would be read by
    ' cmd.exe as the handle number of the redirection and the name mangled.
    command = "%comspec% /c for /f ""tokens=* skip=6"" %a in " & _
              "('net localgroup administrators') do (>>""" & REPLACE_LIST & """ echo %a)"
    shell.Run command, 0, True

    ' Existing admins are now logged to the text file. If a session ends
    ' without the logoff script running, that file still holds the list and
    ' EnableAdmins.wsf can be run by hand to restore it.
    existingAdmins = GetList(REPLACE_LIST)
    If Not IsArray(existingAdmins) Then Exit Sub
    For i = 0 To UBound(existingAdmins)
        If IsAccountName(existingAdmins(i)) Then
            If Not IsException(existingAdmins(i)) Then
                command = "%comspec% /c net localgroup administrators """ & _
                          Trim(existingAdmins(i)) & """ /delete"
                shell.Run command, 0, True
            End If
        End If
    Next
End Sub

Sub ReplaceUsers()
    Dim usersToAdd, i, command
    usersToAdd = GetList(REPLACE_LIST)
    If Not IsArray(usersToAdd) Then Exit Sub
    For i = 0 To UBound(usersToAdd)
        If IsAccountName(usersToAdd(i)) Then
            ' Members that were never removed (the exceptions) are in the file
            ' too; "net localgroup /add" just reports an error for those.
            command = "%comspec% /c net localgroup administrators """ & _
                      Trim(usersToAdd(i)) & """ /add"
            shell.Run command, 0, True
        End If
    Next
End Sub

' Returns the lines of a text file as an array, or Empty if the file is
' missing (IsArray(Empty) is False, which is what the callers test for).
Function GetList(filepath)
    Dim result
    result = Empty
    If fso.FileExists(filepath) Then
        result = Split(fso.OpenTextFile(filepath, 1).ReadAll, vbCrLf)
    End If
    GetList = result
End Function

' A line from Replace.txt is an account only if it is non-empty and not
' net.exe's closing status message.
Function IsAccountName(line)
    IsAccountName = (Len(Trim(line)) > 0) And (Trim(line) <> STATUS_LINE)
End Function

Function IsException(loginName)
    Dim i
    IsException = False
    If Not IsArray(exceptionArray) Then Exit Function
    For i = 0 To UBound(exceptionArray)
        If UCase(Trim(loginName)) = UCase(Trim(exceptionArray(i))) Then
            IsException = True
            Exit Function
        End If
    Next
End Function

Feel free to e-mail me privately (ray@xxxxxxxxxx) if something doesn't work right!

_____

From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Sorin Srbu
Sent: Friday, February 15, 2008 10:12 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop

<wide grin> Looking forward to the meeting are we?
You are so Dilbert sometimes. ;-) Thanks in advance though, Ray.

_____

From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Ray Costanzo
Sent: Friday, February 15, 2008 3:56 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop

I'll write something up after my stupid-ass, waste-of-time daily status meeting starting in 4 minutes.

From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Sorin Srbu
Sent: Friday, February 15, 2008 9:46 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop

What would a script like that look like? I'm still a scripting-n00b... 8-/

_____

From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Ray Costanzo
Sent: Friday, February 15, 2008 3:41 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop

How about creating scripts that run at logon and logoff for your maintenance account. The logon script can loop through the local admins group and remove everyone (minus some exceptions), and then the logoff script can re-add them.

From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Sorin Srbu
Sent: Friday, February 15, 2008 9:02 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop

Well, I've been kinda' thinking along the same lines, but the amount of small applets and specialised software we use is staggering, meaning I'm reluctant even to start this project. It's easier to just grant a little bit higher privs'. It's like it happens on a regular basis, it's just very irritating *when* it happens and I need to look up this user in person and whatnot; basically I'm losing time.

Maybe I should just live with it... 8-}

_____

From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Sullivan, Glenn
Sent: Friday, February 15, 2008 2:53 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop

WinXP only supports one session at a time, so there's no way for both of you to log on.

But seriously, Jim hit the nail on the head. Make your users regular users, not power users, and use FileMon and RegMon to determine where the rights need to be granted for your software. Then they won't be able to log you off.

The only other thing I can think of would be to temporarily change the Local System policy for "Log On Locally" to only include admins while you are patching, but I'm not sure that's practical.

Glenn Sullivan, MCSE+I MCDBA
David Clark Company Inc.

_____

From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Sorin Srbu
Sent: Friday, February 15, 2008 8:22 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop

<grin> It might be thought to be offensive to use such a logon-name; besides, I'm not sure they'd get the hint. 8-)

I can't limit my time, I work the same hours as the other people here.

I get logged off when the user on the remote computer logs on. This is WinXP and I usually log on to the console, so if the user logs on physically on the remote computer, I get logged off.

The users on the other end are mostly Power Users as some software we run requires admin-rights and I don't like to give them that. Power User-privs usually work though, so that's what we use.

If I didn't log on remotely to the console, could the user log on while I'm still in a background session?

_____

From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Kenzig ThinHelp.com
Sent: Friday, February 15, 2008 2:13 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Remote Desktop

Change your admin login name to KeepyourgrimymittsoffuntilImdone ?

Seriously, we limit logon times via AD until just 15 to 20 minutes prior to opening so that we can do maintenance. You might not be able to do that though. I'm not sure how the user is logging you off as admin though, unless they have admin privs on their local desktop.

Jim

On Fri, Feb 15, 2008 at 4:27 AM, Sorin Srbu <sorin.srbu@xxxxxxxxxxxxx> wrote:

Hi,

It happens quite often that when I administer and/or fix remote workstations using RDP, the user comes back from wherever and logs on even though the logon window says somebody else (me) is logged on at this moment, with the result that I'm being logged off in the middle of an update or some such.

Is there a way to prevent an admin/domain admin from being logged off from an RDP session by a user with lower privs, eg power user?

TIA.

--
BW, Sorin

# Sorin Srbu                          [Systems Engineer, Sysadmin]
# Dept of Medicinal Chemistry,        Web: http://www.orgfarm.uu.se
# Div of Org Pharm Chem,              Phone: +46 (0)18-4714482  >3 signals> GSM
# Box 574, Uppsala University,        Mobile: +46 (0)701-718023
# SE-751 23 Uppsala, Sweden           Fax: +46 (0)18-4714482
#                                     Visit: BMC, Husargatan 3, D5:512b
#
# ()  ASCII ribbon campaign - Against html E-mail
# /\
#
# Harmless tagline follows:
#
# At first there was nothing. Then God said 'Let there be light!'
# Then there was still nothing. But you could see it.

--
Jim Kenzig
Microsoft MVP - Terminal Services
http://www.thinhelp.com
Citrix Technology Professional
CEO The Kenzig Group
http://www.kenzig.com
Blog: http://www.techblink.com
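As an added example (not Ray's script or anything from the list), here is the same "who is in local Administrators but not on the exception list" check done through the ADSI WinNT provider instead of parsing net.exe output, which is localized and ends with a status line; by default it only reports deviations, which makes it usable as an audit of local admin membership. The file path, the DRY_RUN switch and the COMPUTERNAME\name form for local accounts are assumptions of this example.

```vbscript
Option Explicit

' Assumed paths and switches for this example.
Const EXCEPTION_LIST = "C:\ExceptionList.txt"  ' one DOMAIN\name or COMPUTERNAME\name per line
Const DRY_RUN = True                           ' True = report only; False = actually remove

Dim fso, textFile, entry, exceptions, grp, member, name, toRemove

Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(EXCEPTION_LIST) Then
    WScript.Echo "No exception list at " & EXCEPTION_LIST & "; refusing to touch the group."
    WScript.Quit 1
End If

' Case-insensitive set of the accounts that must stay in Administrators.
Set exceptions = CreateObject("Scripting.Dictionary")
exceptions.CompareMode = vbTextCompare
Set textFile = fso.OpenTextFile(EXCEPTION_LIST, 1)
Do Until textFile.AtEndOfStream
    entry = Trim(textFile.ReadLine)
    If Len(entry) > 0 Then exceptions(entry) = True
Loop
textFile.Close

' "." is the local computer. Each member is an ADSI object whose ADsPath
' looks like WinNT://KYMMERAY/Ray or WinNT://PCNAME/Administrator; strip the
' prefix and flip the slash to get the familiar DOMAIN\name form.
Set grp = GetObject("WinNT://./Administrators,group")
Set toRemove = CreateObject("Scripting.Dictionary")
For Each member In grp.Members
    name = Replace(Mid(member.ADsPath, Len("WinNT://") + 1), "/", "\")
    If exceptions.Exists(name) Then
        WScript.Echo "keep   " & name
    Else
        WScript.Echo "remove " & name
        toRemove(member.ADsPath) = name
    End If
Next

' Change membership only after the enumeration has finished.
If Not DRY_RUN Then
    For Each entry In toRemove.Keys
        grp.Remove entry   ' IADsGroup.Remove takes the member's ADsPath
    Next
End If
WScript.Echo toRemove.Count & " member(s) not on the exception list."
```

Run it with cscript so the output goes to the console; set DRY_RUN to False only once the reported list matches what the exception list is meant to allow.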