JSI Tip 1008. How can I set a 1 hour time limit for Domain Guests?
January 19, 1999
There is no standard way to do this, but using Resource Kit Tools, and some freeware, you can script a solution. Here is one possibility:
1. Add the following statements to your logon script:
ifmember "Domain Guests"
if errorlevel 1 @echo . > %logonserver%\shutdown$\%computername%
where Shutdown$ is a hidden share on each domain controller (c:\shutdown).
Grant Everyone Full Control on the share and Add & Read NTFS permissions on the folder.
Grant SYSTEM and Administrators Full Control.
2. Use Launcher to prevent the logon script from being aborted.
3. Start a batch job (shutuser.bat) on each domain controller, using AUTOEXNT so it starts at boot:
start /low /min folder\shutuser.bat
Shutuser.bat contains:
@echo off
:loop
sleep 120
for /f "Tokens=*" %%i in ('dir /b c:\shutdown') do call :shut %%i
goto loop
:shut
del /q c:\shutdown\%1
shutdown \\%1 /T:3600 /R /Y "You are authorized for 1 hour access"
:end
Shutuser sleeps for 2 minutes and then checks c:\shutdown for any ComputerName files (created when Domain Guests log on). For each one it finds, it deletes the file and issues a shutdown in 1 hour on the Domain Guest's workstation. The Domain Guest can minimize the pop-up, but if they close it, the workstation shuts down immediately. They can also shut down manually if they finish before the time limit. If the time limit expires, the workstation is shut down and restarted.
Note: This procedure only works when the Domain Guest uses a Windows NT Workstation to log on to the domain.
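The loop in shutuser.bat passes every file name it finds in c:\shutdown straight to del and shutdown, and the folder accepts files from Everyone, so each name is untrusted input. The following Python example is added here and is not part of the original tip: it models one polling pass that accepts only well-formed computer names outside a protected list and returns the shutdown command lines instead of running them. The allowed-character pattern, the PROTECTED names and the function names are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Assumption: workstation names use only letters, digits and hyphens,
# within the 15-character NetBIOS limit.
NAME_RE = re.compile(r"[A-Za-z0-9-]{1,15}")

# Hypothetical names of machines this job must never shut down.
PROTECTED = {"DC1", "DC2"}

MESSAGE = "You are authorized for 1 hour access"


def process_drop_folder(folder, protected=PROTECTED, timeout=3600):
    """One polling pass over the drop folder.

    Returns (commands, rejected): argv lists for the accepted names and
    the entry names that were refused.
    """
    commands, rejected = [], []
    for entry in sorted(Path(folder).iterdir()):
        name = entry.name
        if not entry.is_file():
            rejected.append(name)  # leave directories for an admin to review
            continue
        entry.unlink()  # consume the request so the next pass skips it
        if NAME_RE.fullmatch(name) and name.upper() not in protected:
            # Argument list, never a command string: no shell parses the name.
            commands.append(["shutdown", "\\\\" + name, f"/T:{timeout}",
                             "/R", "/Y", MESSAGE])
        else:
            rejected.append(name)
    return commands, rejected


def demo():
    """Run one pass over a constructed drop folder."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("WS042", "dc1", "WS 7", "A" * 16):  # constructed samples
            (Path(tmp) / name).write_text(".")
        commands, rejected = process_drop_folder(tmp)
        return commands, rejected, [p.name for p in Path(tmp).iterdir()]


if __name__ == "__main__":
    print(demo())
```

Rejected names are worth writing to a log, since they show who is dropping unexpected files into the share.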