JSI Tip 1008. How can I set a 1 hour time limit for Domain Guests?

Jerold Schulman

January 19, 1999

1 Min Read
ITPro Today logo in a gray background | ITPro Today


There is no standard way to do this, but using Resource Kit Tools, and some freeware, you can script a solution. Here is one possibility:

1. Add the following statements to your logon script:

     ifmember "Domain Guests"
     if errorlevel 1 @echo . > %logonserver%shutdown$%computername%

     where Shutdown$ is a hidden share on each domain controller (c:shutdown).
     Grant Everyone Full Control on the share and Add & Read NTFS permissions on the folder.
     Grant SYSTEM and Administrators Full Control.

2. Use Launcher to prevent the logon script from being aborted.

3. Start a batch job (shutuser.bat) on each domain controller, using AUTOEXNT so it starts at boot:

     start /low /min foldershutuser.bat

Shutuser.bat contains:

@echo off:loopsleep 120for /f "Tokens=*" %%i in ('dir /b c:shutdown') do call :shut %%igoto loop:shutdel /q c:shutdown%1shutdown \%1 /T:3600 /R /Y "You are authorized for 1 hour access":end

Shutuser sleeps for 2 minutes and then checks c:shutdown for any ComputerName files (created when Domain Guests logon). For each one it finds, it deletes the file and issues a shutdown in 1 hour on the Domain Guest's workstation. The Domain Guest can minimized the pop-up, but if they close it, they will immediately shutdown. They can also manually shutdown, if they are finished before the time limit. If the time limit expires, the workstation is shutdown and restarted.

Note: This procedure only works when the Domain Guest uses a Windows NT Workstation to logon to the domain.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like