Chapter 13: Logon Scripts


In Brief

A logon script is a script that runs automatically each time a user logs on to the network. This script can contain various commands or programs that process on the local station, such as mapping printers or updating the local system time. In this chapter, you will learn how to create logon scripts to easily standardize and update your environment automatically.

Tip  

Although this chapter discusses tasks specifically geared toward logon scripts, you can use any of the scripts within this book in a logon script.

Common Logon Script Tasks

The difference between a regular script and a logon script is that a logon script performs its functions when the user logs on. Logon scripts are not limited in functionality, but actually contain the same functionality as any other script. Although logon scripts can perform many different tasks, several tasks are commonly performed in logon scripts:

  • Synchronize the local time

  • Manage network printers and drives

  • Update drivers or settings

  • Access or modify the registry

  • Perform hardware or software inventory

  • Set or modify environment variables

  • Update antivirus files

Synchronizing the Local Time

Time synchronization is essential when planning to perform enterprise-wide tasks simultaneously, such as remote updates. Windows 2000/XP/2003 uses a service called time synchronization to update the local system time with that of a network time source. A time source is any object providing the time to another object.

Time Source Hierarchy

Time synchronization is performed in a hierarchical format (see Figure 13.1). At the top of the hierarchy is the top-level time source that contains the accurate, universal time, such as the Atomic Clock. Primary time sources, usually a domain controller, synchronize their local time with the top-level time source. Below the primary time sources are secondary time sources and clients. Secondary time sources are basically backup primary time sources that obtain their time from a primary time source. Secondary time sources are typically resource domain controllers that obtain their time from the master domain. Underneath the time sources are the clients that synchronize their local time with a secondary or primary time source.

Figure 13.1: The time synchronization hierarchy.
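The client side of this hierarchy can be driven from a logon script. The following batch file is an added example (not from the book): it sets the local clock from the authenticating domain controller and falls back to the domain's primary time source. %LOGONSERVER% is set by the logon process; PDC01 and the log path are constructed names.

```batch
@echo off
rem Added example: synchronize the local clock from a logon script.
rem %LOGONSERVER% holds \\SERVER for the domain controller that authenticated the user.
rem TIMESRV is a constructed name for the domain's primary time source.
setlocal
set TIMESRV=\\PDC01
set LOGFILE=%TEMP%\timesync.log

rem First choice: the authenticating domain controller (a secondary or primary time source).
net time %LOGONSERVER% /set /yes >nul 2>&1
if not errorlevel 1 goto done

rem Fall back to the primary time source for the domain.
net time %TIMESRV% /set /yes >nul 2>&1
if not errorlevel 1 goto done

rem Both sources failed; record it so the helpdesk can see clock drift before it bites.
echo %DATE% %TIME% %COMPUTERNAME% time sync FAILED >> "%LOGFILE%"
endlocal
exit /b 1

:done
echo %DATE% %TIME% %COMPUTERNAME% time synchronized >> "%LOGFILE%"
endlocal
exit /b 0
```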

Environment Variables

Environment variables are basically keyword shortcuts that the system and users use to easily access files, directories, and values. You can use these variables in your logon scripts to easily identify the operating system, computer name, domain name, and more. Generally there are two types of environment variables: user and system. User environment variables are set per user, whereas system environment variables are set at the system level and affect all users who log on to the system. These variables are called static variables and are actually stored as registry entries: HKEY_CURRENT_USER\Environment for user variables and HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment for system variables. Dynamic variables, created by the SET command, are stored in memory and are applicable for the current command prompt session. Table 13.1 is a list of common environment variables.

Table 13.1: Common environment variables.

Variable Name   Description
ComputerName    Specifies the name of the local system
HomeDrive       Specifies the drive letter to map the user's home directory
HomePath        Specifies the local path to the user's home directory
HomeShare       Specifies the share path to the user's home directory
OS              Specifies the operating system
UserDomain      Specifies the name of the domain the user is currently logged on to
UserName        Specifies the user ID of the currently logged on user
WinDir          Specifies the directory where the operating system is installed

Tip  

To see the current environment variables from the command prompt, enter SET.
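The variables in Table 13.1 are what let one logon script behave sensibly on every client. The batch file below is an added example (not from the book): it branches on %OS%, maps the home drive from %HOMEDRIVE% and %HOMESHARE%, reads a static system variable from its registry location, and writes an inventory line built from the other variables. \\FILESRV\Logs is a constructed share; reg.exe is built into XP/2003 and ships in the Windows 2000 Support Tools.

```batch
@echo off
rem Added example: using environment variables in a logon script.
rem Assumes a central share \\FILESRV\Logs (constructed name) writable by all users.
setlocal
set INVLOG=\\FILESRV\Logs\inventory.txt

rem Dynamic variable: lives only in this command session, never written to the registry.
set SCRIPTVER=1.3

rem Branch on the operating system; %OS% is Windows_NT on 2000/XP/2003.
if /i not "%OS%"=="Windows_NT" goto legacy

rem Static system variable read straight from its registry location (compare with SET).
reg query "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v Path

rem Map the home drive if the account has a home share but the drive is not yet mapped.
if "%HOMESHARE%"=="" goto inventory
if exist %HOMEDRIVE%\nul goto inventory
net use %HOMEDRIVE% %HOMESHARE% /persistent:no >nul 2>&1

:inventory
rem One inventory line per logon: when, who, where, which OS, which script version.
echo %DATE% %TIME%,%USERDOMAIN%\%USERNAME%,%COMPUTERNAME%,%OS%,%WINDIR%,v%SCRIPTVER% >> "%INVLOG%"
goto end

:legacy
echo %DATE% %TIME%,%COMPUTERNAME%,not Windows 2000/XP/2003,skipped >> "%INVLOG%"

:end
endlocal
```

Keep the inventory share write-only for users where the file system allows it, so a logon script that every user runs cannot also be used to read or alter other clients' records.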

Norton Antivirus

Although most antivirus products include auto-updating features, updating antivirus files through a logon script provides a backup mechanism to ensure your clients are always up to date. Norton Antivirus is an advanced antivirus utility from Symantec (http://www.symantec.com), designed for both home and corporate use. This utility's antivirus signature files can be easily updated with an executable called Intelligent Updater. This executable supports the following command-line switches:

  • /EXTRACT location - Extracts files from the executable to the location specified

  • /Q - Undocumented switch, specifies to install the update silently

  • /TEMP= path - Specifies the temporary directory to use

McAfee VirusScan

McAfee VirusScan is a popular antivirus utility from NAI (http://www.nai.com), for both home and corporate use. NAI releases updates to their antivirus engine and signature files (.DAT extension) in a self-extracting executable (for example, sdat9999.exe) called SuperDAT. They also release a version of the SuperDAT without the engine update (for example, 9999xdat.exe) to reduce the size of the update file and to supply only the updated signature files. These files provide an easy way to update antivirus software because they first stop the running antivirus services, update the antivirus files, and then restart the antivirus services.

The two executables just described support the following command line switches:

  • /E location - Extracts files from the executable to the specified location

  • /F - Forces an updating of existing files

  • /LOGFILE textfile - Logs the status to a text file

  • /PROMPT - Displays a prompt dialog before reboot

  • /REBOOT - Reboots if necessary

  • /SILENT - Runs the executable in silent mode, with no prompting

  • /V - Displays information about the executable
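Both updaters are meant to be launched unattended, and a logon script that runs one every time a user logs on would re-apply the same update at every logon. The batch file below is an added example (not from the book or either vendor) that serves the Norton and McAfee sections above: it runs each updater silently with the switches listed and records a marker file so the update is applied once per client. \\FILESRV\AVUpdates is a constructed share and 9999 stands in for the real update number; navupd9999.exe is a placeholder name for the Intelligent Updater file.

```batch
@echo off
rem Added example: apply antivirus updates from a logon script, once per update.
rem Assumes updates are staged on \\FILESRV\AVUpdates (constructed share, read-only for
rem users, with a writable Logs subdirectory) and that the logon user may run them.
setlocal
set AVSHARE=\\FILESRV\AVUpdates
set MARKDIR=%WINDIR%\avupdate
set AVLOG=%AVSHARE%\Logs\%COMPUTERNAME%.log
if not exist "%MARKDIR%" md "%MARKDIR%"

rem --- McAfee VirusScan: full SuperDAT (engine + DATs). 9999 is a placeholder number.
set SDAT=sdat9999.exe
if exist "%MARKDIR%\%SDAT%.done" goto norton
if not exist "%AVSHARE%\%SDAT%" goto norton
rem Stops the scanning services, replaces engine and DATs, restarts them. No /REBOOT,
rem so a user is never restarted mid-session; /F overwrites files already present.
"%AVSHARE%\%SDAT%" /SILENT /F /LOGFILE "%AVLOG%"
if errorlevel 1 goto norton
echo %DATE% %TIME% > "%MARKDIR%\%SDAT%.done"

:norton
rem --- Norton Antivirus: Intelligent Updater, silent, temporary files kept on the client.
set NAVUPD=navupd9999.exe
if exist "%MARKDIR%\%NAVUPD%.done" goto end
if not exist "%AVSHARE%\%NAVUPD%" goto end
"%AVSHARE%\%NAVUPD%" /Q /TEMP=%TEMP%\navupd
if errorlevel 1 goto end
echo %DATE% %TIME% > "%MARKDIR%\%NAVUPD%.done"

:end
endlocal
```

Because every client executes whatever sits on the update share, restrict write access to it to the administrators who stage updates; the marker files under %WINDIR% likewise require a logon account that may write there.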

The Windows 2000/2003 Logon Process

The logon sequence is initiated on a Windows 2000/2003 machine when the user enters the secure command sequence (SCS), better known as Ctrl+Alt+Del. After the user enters the username and password, the Kerberos client encrypts the password through a one-way function (OWF) using the DES-CBC-MD5 algorithm (Data Encryption Standard, Cipher Block Chaining, Message Digest 5). The client then converts the password to an encryption key.

The Kerberos client then sends the encryption key, username, a time stamp, and the authentication request to the Key Distribution Center (KDC), which is a service running on the authenticating server. The username is then checked against the names stored in the Active Directory database, the password is verified, and the time stamp is checked to ensure the request is not old or falsified.

Once the user account has been validated, the KDC then sends back a Kerberos authentication response. This response is called a ticket-granting ticket (TGT) and includes an encrypted copy of the KDC's encryption key. The client finally stores this ticket in memory and is allowed into the domain.

Windows Replication

Replication helps to easily distribute logon scripts to all your servers based on a regular schedule. The purpose of replication is to synchronize the contents of one file location with the contents of another. Replication is a service that performs one-way transfers, ensuring that all child locations are synchronized with the parent location. This synchronization includes file additions, modifications, and deletions.

Note  

The master replication server replicates files to itself, from the export to the import directory.

File Replication Service

Windows 2000 uses the file replication service (FRS) to perform file replication. FRS is a replication service that is used to replicate system policies and logon scripts to the System Volume directory (SYSVOL). FRS can be used to replicate files in addition to policies and logon scripts. The FRS synchronizes immediately within sites and synchronizes on a schedule between sites. File replication service is a robust replication service that works well for all types of data files.

Windows Admin Scripting Little Black Book
Windows Admin Scripting Little Black Book (Little Black Books (Paraglyph Press))
ISBN: 1933097108
Year: 2004
Pages: 89