PC Professionell 2006 May

home *** CD-ROM | disk | FTP | other *** search

/ PC Professionell 2006 May / PCpro_2006_05.ISO / files / free_security / msshared / Shared_Computer_Toolkit_ENU.msi / FileInclude006 < prev next >

Wrap

Text (UTF-16) | 2005-09-02 | 94.6 KB | 1,207 lines

' *** ' *** ------------------------------------------------------------------------------ ' *** Filename: clsRestrictions.vbs ' *** ------------------------------------------------------------------------------ ' *** Description: Restriction Class ' *** ------------------------------------------------------------------------------ ' *** Version: 1.0 ' *** Notes: Used by Restrict.hta and Restrict.wsf ' *** ------------------------------------------------------------------------------ ' *** Copyright (C) Microsoft Corporation 2005, All Rights Reserved ' *** ------------------------------------------------------------------------------ ' *** ' ~~~ ' ~~~ Force variables to be declared and turn off script error messages unless in DEBUG mode ' ~~~ Option Explicit If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Class Restriction ' ~~~ ' ~~~ declare variables and constants ' ~~~ Dim bLogging, sUid, sTemplateXML, sUserXML,oLog Dim sRootKeyE, sRootKeyS, bChangeLockFolder, bProfileDriveNTFS ' ~~~ ' ~~~ public properties ' ~~~ ' *** ' *** ------------------------------------------------------------------------------ ' *** Property: Logging ' *** ------------------------------------------------------------------------------ ' *** Purpose: Turns on logging, property must be set to a logging object ' *** ------------------------------------------------------------------------------ ' *** Public Property Get Logging Logging = bLogging End Property Public Property Let Logging(oObject) If VarType(oObject) = vbObject Then bLogging = True Set oLog = oObject End If End Property ' *** ' *** ------------------------------------------------------------------------------ ' *** Property: User ' *** ------------------------------------------------------------------------------ ' *** Purpose: Username of account modify ' *** ------------------------------------------------------------------------------ ' *** Public Property Get User User = sUid End Property Public Property Let User(sUser) sUid = sUser End Property ' *** ' *** ------------------------------------------------------------------------------ ' *** Property: ChangeLockFolder ' *** ------------------------------------------------------------------------------ ' *** Purpose: Stores whether the name of a folder for a locked profile should be ' *** profile.orig or profile.number.orig in order to prevent conflicts ' *** with other folders that might already exist on the computer. ' *** ------------------------------------------------------------------------------ ' *** Public Property Get ChangeLockFolder ChangeLockFolder = bChangeLockFolder End Property Public Property Let ChangeLockFolder(bRenameLockFolder) bChangeLockFolder = bRenameLockFolder End Property ' *** ' *** ------------------------------------------------------------------------------ ' *** Property: IsProfileDriveNTFS ' *** ------------------------------------------------------------------------------ ' *** Purpose: Stores whether the profile of the user account exists in a NTFS ' *** file system or not ' *** ------------------------------------------------------------------------------ ' *** Public Property Get IsProfileDriveNTFS IsProfileDriveNTFS = bProfileDriveNTFS End Property Public Property Let IsProfileDriveNTFS(IsDriveNTFS) bProfileDriveNTFS = IsDriveNTFS End Property ' *** ' *** ------------------------------------------------------------------------------ ' *** Property: UserXML ' *** ------------------------------------------------------------------------------ ' *** Purpose: Full path to the users restrictions file ' *** ------------------------------------------------------------------------------ ' *** Public Property Get UserXML If sUserXML = "" Then If User="" Then UserXML = "" Else UserXML = GetRootFolder & "\xml\User." & User & ".xml" End If Else UserXML = sUserXML End If End Property Public Property Let UserXML(sUserXMLFile) sUserXML = sUserXMLFile End Property ' *** ' *** ------------------------------------------------------------------------------ ' *** Property: TemplateXML ' *** ------------------------------------------------------------------------------ ' *** Purpose: Full path to the restrictions template file ' *** ------------------------------------------------------------------------------ ' *** Public Property Get TemplateXML TemplateXML = sTemplateXML End Property Public Property Let TemplateXML(sTemplateXMLFile) sTemplateXML = sTemplateXMLFile End Property ' ~~~ ' ~~~ public methods ' ~~~ ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: CreateXML ' *** ------------------------------------------------------------------------------ ' *** Purpose: Creates an XML file containing all of the specified users current ' *** restriction settings. ' *** ------------------------------------------------------------------------------ ' *** Public Function CreateXML If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim oXML, bOK, bIdleLogoff, bDefault, strScr, oNode, bUnicode ' ~~~ Turn on error handling On Error Resume Next bIdleLogoff = True bDefault = True ' ~~~ write log If bLogging Then oLog.Write "clsRestrictions : CreateXML() : Entry" If bLogging Then oLog.Write "clsRestrictions : CreateXML() : User Name : " & User If bLogging Then oLog.Write "clsRestrictions : CreateXML() : Template File : " & TemplateXML If bLogging Then oLog.Write "clsRestrictions : CreateXML() : User XML File : " & UserXML ' ~~~ load reg hive and xml file bOK = LoadUser(User) Set oXML = OpenXMLFile(TemplateXML) ' ~~~ if got xml, cycle through nodes, updating and save when complete If bOK and Not(oXML is Nothing) Then If bLogging Then oLog.Write "clsRestrictions : CreateXML() : User hive loaded and template xml file opened" For Each oNode In oXML.getElementsByTagName("poke") ' ~~~ determine if this is chkSharedAccount, if it is we need to process differently If oNode.Attributes.GetNamedItem("resid").Text = "chkSharedAccount" Then If AccountLocked(User) Then oNode.Text = oNode.Attributes.GetNamedItem("on").Text Else oNode.Text = oNode.Attributes.GetNamedItem("off").Text End If ElseIf oNode.Attributes.GetNamedItem("resid").Text = "chkDisableInternet" Then If RegReadANSI(sRootKeyS & "\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer" , "") = "NoInternetAccess" Then oNode.Text = oNode.Attributes.GetNamedItem("on").Text Else oNode.Text = oNode.Attributes.GetNamedItem("off").Text End If ElseIf oNode.Attributes.GetNamedItem("resid").Text = "txtLogoffInactive" Then If oNode.Attributes.GetNamedItem("regkey").Text = "Control Panel\Desktop\ScrnSave.exe" Then sCurrentScrSvr = RegReadANSI(sRootKeyS & "\" & oNode.Attributes.GetNamedItem("regkey").Text, "") If sCurrentScrSvr <> "" Then sCurrentScrSvr = Mid(sCurrentScrSvr, InStrRev(sCurrentScrSvr,"\")+1,15) End If If bIdleLogoff = True Then oNode.Text = ReadIdleLogOff(sRootKeyS & "\" & oNode.Attributes.GetNamedItem("regkey").Text, oNode.Attributes.GetNamedItem("off").Text) If oNode.Text = "" and oNode.Attributes.GetNamedItem("regkey").Text = "Software\Microsoft\Shared Computer Toolkit\IdleLogoff" Then bIdleLogoff = False End If Else If bDefault = True Then strScr = RegReadANSI(sRootKeyS & "\" & oNode.Attributes.GetNamedItem("regkey").Text, "") If Mid(strScr,InStrRev(strScr,"\")+1,15) = "ForceLogoff.exe" Then bDefault = False oNode.Text = SetDefaultScr(sRootKeyS & "\" & oNode.Attributes.GetNamedItem("regkey").Text, oNode.Attributes.GetNamedItem("off").Text) Else oNode.Text = strScr End If Else oNode.Text = SetDefaultScr(sRootKeyS & "\" & oNode.Attributes.GetNamedItem("regkey").Text, oNode.Attributes.GetNamedItem("off").Text) End If End If Else Err.Clear bUnicode = oNode.Attributes.GetNamedItem("unicode").Value If Err.Number = 0 Then oNode.Text = RegRead(sRootKeyS & "\" & oNode.Attributes.GetNamedItem("regkey").Text) Else oNode.Text = RegReadANSI(sRootKeyS & "\" & oNode.Attributes.GetNamedItem("regkey").Text, oNode.Attributes.GetNamedItem("off").Text) End If End If If bLogging Then oLog.Write "clsRestrictions : CreateXML() : " & oNode.Attributes.GetNamedItem("resid").Text & " " & sRootKeyS & "\" & oNode.Attributes.GetNamedItem("regkey").Text & " " & oNode.Text Next Call oXML.save(UserXML) Else If bLogging Then oLog.Write "clsRestrictions : CreateXML() : Failed to load user hive or open template xml file" bOK = False End If ' ~~~ destroy xml object and unload reg hive Set oXML = nothing Call UnLoadUser() ' ~~~ return result CreateXML = bOK End Function ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: ApplyXML ' *** ------------------------------------------------------------------------------ ' *** Purpose: Applys the restrictions in a populated XML file to the specified user ' *** ------------------------------------------------------------------------------ ' *** Public Function ApplyXML If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim oXML, bOK, bLockAccount, bLockTagExist, oNode, bForceRestart, sCentralProfilePath, sProfileImagePath, oAccount Dim strShellStartMenu, bInternetDisabled, sUnicode, sNoIntAccess, bProxyEnable, sRegValue, aElements, i ' ~~~ Turn on error handling On Error Resume Next ' ~~~ write log If bLogging Then oLog.Write "clsRestrictions : ApplyXML() : Entry" If bLogging Then oLog.Write "clsRestrictions : ApplyXML() : User Name : " & User If bLogging Then oLog.Write "clsRestrictions : ApplyXML() : User XML File : " & UserXML bLockTagExist = False ' ~~~ load reg hive and xml file bOK = LoadUser(User) Set oXML = OpenXMLFile(UserXML) ' ~~~ if got xml, cycle through nodes, updating registry If bOK and Not(oXML is Nothing) Then If bLogging Then oLog.Write "clsRestrictions : ApplyXML() : User hive loaded and user xml file opened" sNoIntAccess = RegReadANSI(sRootKeyS & "\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer", "") bProxyEnable = RegReadANSI(sRootKeyS & "\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable", 0 ) For Each oNode In oXML.getElementsByTagName("poke") If bLogging Then oLog.Write "clsRestrictions : ApplyXML() : " & oNode.Attributes.GetNamedItem("resid").Text & " " & sRootKeyS & "\" & oNode.Attributes.GetNamedItem("regkey").Text & " " & oNode.Text & " " & oNode.Attributes.GetNamedItem("type").Text ' ~~~ wrap in quotes certain environment values Select Case oNode.Attributes.GetNamedItem("regkey").Text Case "Software\Microsoft\Windows\CurrentVersion\Run\Logoff" sRegValue = chr(34) & Replace(oNode.text," ",chr(34) & " " & chr(34)) & chr(34) Case Else SRegValue = oNode.Text End Select Err.clear sUnicode = oNode.Attributes.GetNamedItem("unicode").Value If Err.Number = 0 Then If oNode.Attributes.GetNamedItem("regkey").Text = "Control Panel\Desktop\ScrnSave.exe" Then SRegValue = oShell.ExpandEnvironmentStrings(SRegValue) If UCase(Mid(SRegValue , InStrRev(SRegValue ,"\")+1, 15)) = "FORCELOGOFF.EXE" Then Call RegWrite(sRootKeyS & "\" & oNode.Attributes.GetNamedItem("regkey").Text, sRegValue, "REG_EXPAND_SZ") Else Call RegDelete(sRootKeyS & "\" & oNode.Attributes.GetNamedItem("regkey").Text) Call RegWrite(sRootKeyS & "\" & oNode.Attributes.GetNamedItem("regkey").Text, sRegValue, oNode.Attributes.GetNamedItem("type").Text) End If Else Call RegWrite(sRootKeyS & "\" & oNode.Attributes.GetNamedItem("regkey").Text, sRegValue, oNode.Attributes.GetNamedItem("type").Text) End If Else Call RegWriteANSI(sRootKeyS & "\" & oNode.Attributes.GetNamedItem("regkey").Text, sRegValue, oNode.Attributes.GetNamedItem("type").Text) End If Select Case oNode.Attributes.GetNamedItem("delete").Text Case "on" If oNode.Attributes.GetNamedItem("on").Text=oNode.Text Then Call RegDelete(sRootKeyS & "\" & oNode.Attributes.GetNamedItem("regkey").Text) End If Case "off" If oNode.Attributes.GetNamedItem("off").Text=oNode.Text Then Call RegDelete(sRootKeyS & "\" & oNode.Attributes.GetNamedItem("regkey").Text) End If End Select ' ~~~ shared account lock poke? If oNode.Attributes.GetNamedItem("resid").Text = "chkSharedAccount" Then bLockTagExist = True If oNode.Attributes.GetNamedItem("on").Text = oNode.Text Then bLockAccount = True Else bLockAccount = False End If End If ' ~~~ Create Log Off shorcut If oNode.Attributes.GetNamedItem("resid").Text = "chkForceRestart" Then If oNode.Attributes.GetNamedItem("on").Text = oNode.Text Then bForceRestart = True Else bForceRestart = False End If End If ' ~~~ Disable Internet access from IE If oNode.Attributes.GetNamedItem("resid").Text = "chkDisableInternet" Then If oNode.Attributes.GetNamedItem("on").Text = oNode.Text Then bInternetDisabled = True Else bInternetDisabled = False End If End If ' ~~~ To Store the changed screen saver of the user If oNode.Attributes.GetNamedItem("resid").Text = "txtLogoffInactive" Then If oNode.Attributes.GetNamedItem("regkey").Text = "Control Panel\Desktop\ScrnSave.exe" Then If oNode.Text = "" Then sCurrentScrSvr = "" Else sCurrentScrSvr = Mid(oNode.Text, InStrRev(oNode.Text,"\")+1, 15) End If End If End If Next Else If bLogging Then oLog.Write "clsRestrictions : ApplyXML() : Failed to load user hive or open template xml file" bOK = False End If strShellStartMenu = RegRead( sRootKeyS & "\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Start Menu") strShellStartMenu = oShell.ExpandEnvironmentStrings( strShellStartMenu ) If bInternetDisabled Then Call DisableInternet( "disable" , sNoIntAccess, bProxyEnable ) Else Call DisableInternet( "enable" , sNoIntAccess, bProxyEnable ) End If ' ~~~ destroy xml object and unload reg hive Set oXML = nothing Call UnLoadUser() If bLockTagExist Then ' ~~~ now process shared accounts lock If bLockAccount and Not(AccountLocked(User)) Then Call LockSharedAccount(User) If Not(bLockAccount) and AccountLocked(User) Then Call UnLockSharedAccount(User) End If If bForceRestart Then Call RestartShortcut("create", strShellStartMenu) Else Call RestartShortcut("delete", strShellStartMenu) End If ' ~~~ Copy the ntuser.dat in central profile to normal profile folder after modifying the restrictions Set oAccount = GetObject("WinNT://" & sComputer & "/" & User) sCentralProfilePath = oAccount.Profile Set oAccount = Nothing sProfileImagePath = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\"& GetUserSID(User) &"\ProfileImagePath") sProfileImagePath = oShell.expandenvironmentstrings(sProfileImagePath ) If oFso.FolderExists ( sCentralProfilePath ) and oFso.FolderExists( sProfileImagePath ) Then If oFso.FileExists( sCentralProfilePath & "\ntuser.dat" ) Then If oFso.FileExists( sProfileImagePath & "\ntuser.dat") Then Call oFso.DeleteFile( sProfileImagePath & "\ntuser.dat", True) If oFso.FileExists( sProfileImagePath & "\ntuser.man") Then Call oFso.DeleteFile( sProfileImagePath & "\ntuser.man", True) ' ~~~ Copy the ntuser.dat in .orig folder to normal profile folder Call oFso.CopyFile( sCentralProfilePath & "\ntuser.dat", sProfileImagePath & "\ntuser.dat") End If End If ' ~~~ return result ApplyXML = bOK End Function ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: Accounts(bHTML) ' *** ------------------------------------------------------------------------------ ' *** Purpose: Returns a string containing an account list ' *** If bHTML return a string that can be inserted into a dd list ' *** ------------------------------------------------------------------------------ ' *** Public Function Accounts(bHTML) If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim oUser, oAccounts, sHTML ' ~~~ get a list of user accounts on the local machine Set oAccounts = GetObject("WinNT://" & sComputer) oAccounts.Filter = Array("user") ' ~~~ add all the user accounts to the array For Each oUser in oAccounts If (GetProfilePath(oUser.Name) <> "") AND (oUser.Name <> oNetwork.UserName) AND (Right(GetUserSID( oUser.Name ), 4) <> "-500") Then If IsUserLoggedOn(oUser.Name) = False Then If bHTML Then sHTML = sHTML & "<option value=""" & oUser.Name & """>" & oUser.Name & "</option>" & vbCrLF Else sHTML = sHTML & oUser.Name & vbCrLF End If End If End If Next ' ~~~ destroy objects Set oUser = Nothing Set oAccounts = Nothing ' ~~~ return html strings Accounts = sHTML End Function ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: OpenXMLFile(sXMLFile) ' *** ------------------------------------------------------------------------------ ' *** Purpose: Returns the entire xml document ' *** ------------------------------------------------------------------------------ ' *** Public Function OpenXMLFile(sXMLFile) If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim oXML ' ~~~ create xml object and open document Set oXML = CreateObject("MSXML2.DomDocument") Call oXML.Load(sXMLFile) If oXML.parseError.errorCode <> 0 Then ' ~~~ error occured, return nothing Set OpenXMLFile = Nothing Else Set OpenXMLFile = oXML End If End Function ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: LockSharedAccount(sUser) ' *** ------------------------------------------------------------------------------ ' *** Purpose: Locks a shared acoount by making the profile mandatory ' *** ------------------------------------------------------------------------------ ' *** Public Function LockSharedAccount(sUser) If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim sProfilePath, sProfileNew, oAccount ' ~~~ turn on error handling If Not(DEBUG) Then On Error Resume Next ' ~~~ write log entry If bLogging Then oLog.Write "clsRestrictions : LockSharedAccount() : " & sUser ' ~~~ Do not lock if the file system is not NTFS If NOT bProfileDriveNTFS Then Exit Function End If ' ~~~ Get the profilepath from the account properties sProfilePath = "" Set oAccount = GetObject("WinNT://" & sComputer & "/" & sUser) sProfilePath = oAccount.Profile If bLogging Then oLog.Write "clsRestrictions : LockSharedAccount() : New Profile Path : " & sProfileNew ' ~~~ If the Account ProfilePath is blank, set it to ".orig", rename the folder, and make the profile mandatory If sProfilePath = "" Then ' ~~~ Get the new profile path by adding ".orig" to the profilepath from the registry sProfilePath = GetProfilePath(sUser) sProfileNew = sProfilePath & ".orig" If oFso.FolderExists( sProfileNew ) Then If ChangeLockFolder Then ' ~~~ Get a new .orig folder name sProfileNew = LockProfileFolder(sProfilePath) Else ' ~~~ Delete the .orig folder oFso.DeleteFolder sProfileNew , True End If End If If bLogging Then oLog.Write "clsRestrictions : First Time Lock : " & sProfilePath & " -> " & sProfileNew ' ~~~ rename profile folder to match the new roaming location Call oFso.MoveFolder(sProfilePath, sProfileNew) If oFso.FolderExists(sProfileNew) then ' ~~~ Update the profile path attribute the account to reflect the new roaming location oAccount.Profile = sProfileNew oAccount.SetInfo Else LockSharedAccount = False End If ' ~~~ rename ntuser.dat to make the roaming profile a mandatory profile If oFso.FileExists(sProfileNew & "\ntuser.dat") Then Call oFso.MoveFile(sProfileNew & "\ntuser.dat", sProfileNew & "\ntuser.man") If bLogging Then oLog.Write "clsRestrictions : LockSharedAccount() : User Account Profile Attribute : " & sProfileNew Else ' ~~~ If the Account ProfilePath is not blank it is a roaming profile (likely locked before); make it a mandatory profile If oFso.FileExists(sProfilePath & "\ntuser.dat") Then If bLogging Then oLog.Write "clsRestrictions : Profile Re-Lock : " & sProfilePath Call oFso.MoveFile(sProfilePath & "\ntuser.dat", sProfilePath & "\ntuser.man") End If End If If ( oFso.FileExists(sProfilePath & "\ntuser.man") or oFso.FileExists(sProfileNew & "\ntuser.man") ) Then LockSharedAccount = True ' ~~~ Change the owner of the profile folder Call ChangeProfileOwner(sUser) Else LockSharedAccount = False End If ' ~~~ turn off error handling If Not(DEBUG) Then On Error Goto 0 End Function ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: UnLockSharedAccount(sUser) ' *** ------------------------------------------------------------------------------ ' *** Purpose: Unlocks a mandatory account by changing the profile to roaming ' *** ------------------------------------------------------------------------------ ' *** Public Function UnLockSharedAccount(sUser) If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim sProfilePath, oAccount, sProfile, sCommand, sProfileImgPath ' ~~~ turn on error handling On Error Resume Next ' ~~~ write log entry If bLogging Then oLog.Write "clsRestrictions : UnlockSharedAccount() : " & sUser ' ~~~ Get the profilepath from the account properties sProfilePath = "" Set oAccount = GetObject("WinNT://" & sComputer & "/" & sUser) sProfilePath = oAccount.Profile ' ~~~ If the ProfilePath is non-blank, and ntuser.man is in it, we have a mandatory user profile to change to a roaming user profile. If ( sProfilePath <> "" ) AND ( oFso.FileExists(sProfilePath & "\ntuser.man") ) Then Call oFso.MoveFile(sProfilePath & "\ntuser.man", sProfilePath & "\ntuser.dat") If bLogging Then oLog.Write "clsRestrictions : Unlocked Profile : " & sProfilePath Else UnlockSharedAccount = False Exit Function End If ' ~~~ return error code If Err.number=0 Then ' ~~~ Reset the ACL that was set during Locking a profile sProfile = GetProfilePath(sUser) sCommand = Chr(34) & GetRootFolder & "\bin" & "\DenyAccess.exe" & Chr(34) & sUser & "," & "1" & "," Call SetPermission(sProfile,sCommand) UnlockSharedAccount = True Else UnlockSharedAccount = False End If ' ~~~ turn off error handling If Not(DEBUG) Then On Error Goto 0 If sProfilePath <> "" Then ' ~~~ To delete ntuser.dat , created during logon when the account is locked sProfileImgPath = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\"& GetUserSID(sUser) &"\ProfileImagePath") sProfileImgPath = oShell.expandenvironmentstrings(sProfileImgPath ) If oFso.FolderExists(sProfileImgPath ) Then If oFso.FileExists(sProfileImgPath & "\ntuser.dat") Then Call oFso.DeleteFile(sProfileImgPath & "\ntuser.dat", True) If oFso.FileExists(sProfileImgPath & "\ntuser.man") Then Call oFso.DeleteFile(sProfileImgPath & "\ntuser.man", True) ' ~~~ Copy the ntuser.dat in .orig folder to normal profile folder Call oFso.CopyFile(sProfilePath & "\ntuser.dat", sProfileImgPath & "\ntuser.dat") End If End If End Function ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: AccountLocked(sUser) ' *** ------------------------------------------------------------------------------ ' *** Purpose: Returns true if the specified account has a locked profile ' *** ------------------------------------------------------------------------------ ' *** Public Function AccountLocked(sUser) If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim oAccount, sProfilePath ' ~~~ turn on error handling On Error Resume Next ' ~~~ look at profile path in the account properties sProfilePath = "" Set oAccount = GetObject("WinNT://" & sComputer & "/" & sUser) sProfilePath = oAccount.Profile AccountLocked = False ' ~~~ If the Account ProfilePath is non-blank and ntuser.man exists within, then we have a locked account If sProfilePath <> "" Then If oFSo.FileExists(sProfilePath & "\ntuser.man") Then AccountLocked = True End If End If ' ~~~ turn off error handling On Error Goto 0 End Function ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: IsUserLoggedOn(strUser) ' *** ------------------------------------------------------------------------------ ' *** Purpose: Returns true if the specified account is logged on ' *** ------------------------------------------------------------------------------ ' *** Public Function IsUserLoggedOn(strUser) If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim sNTUser, oFile, oFileStream, strProfImgPath Const FORAPPENDING = 8 Const TRISTATEUSEDEFAULT = -2 IsUserLoggedOn = False If AccountLocked(strUser) = True Then sNTUser = "\NTUSER.MAN" Else sNTUser = "\NTUSER.DAT" End If ' ~~~ We need to control error handling for the rest of this function On Error Resume Next strProfImgPath = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\" & GetUserSID(strUser) & "\ProfileImagePath") strProfImgPath = oShell.ExpandEnvironmentStrings( strProfImgPath ) Set oFile = oFso.GetFile( strProfImgPath & sNTUser) ' ~~~ If we can't find the NTUSER file then it doesn't exist - so the user cannot be logged on If Err.Number <> 0 Then Exit Function Set oFileStream = oFile.OpenAsTextStream(FORAPPENDING, TRISTATEUSEDEFAULT) ' ~~~ If we can't open the NTUSER file exclusively, then someone must already be using it If Err.Number <> 0 Then IsUserLoggedOn = True End Function ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: GetUserSID(sUID) ' *** ------------------------------------------------------------------------------ ' *** Purpose: Returns the users SID ' *** ------------------------------------------------------------------------------ ' *** Public Function GetUserSID(sUID) If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim oAccount ' ~~~ turn on error handling On Error Resume Next ' ~~~ create wmi object & get sid Set oAccount = oWMIService.Get("Win32_UserAccount.Name='" & sUID & "',Domain='" & oNetwork.ComputerName & "'") ' ~~~ return the sid GetUserSID = oAccount.SID End Function ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: GetProfilePath(sUID) ' *** ------------------------------------------------------------------------------ ' *** Purpose: Returns the path to the user profile ' *** If no profile exists, returns null ' *** ------------------------------------------------------------------------------ ' *** public Function GetProfilePath(sUID) If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim oAccount, sProfilePath ' ~~~ turn on error handling On Error Resume Next ' ~~~ first look for locked profiles sProfilePath = "" Set oAccount = GetObject("WinNT://" & sComputer & "/" & sUID) sProfilePath = oAccount.Profile ' ~~~ if profile path is still blank, it is not locked so get profile path using sid If sProfilePath = "" Then sProfilePath = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\"& GetUserSID(sUID) &"\ProfileImagePath") End If ' ~~~ return path GetProfilePath = oShell.ExpandEnvironmentStrings(sProfilePath) End Function ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: LoadUser(sUser) ' *** ------------------------------------------------------------------------------ ' *** Purpose: Loads a users private registry hive ' *** ------------------------------------------------------------------------------ ' *** Public Function LoadUser(sUser) If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim sProfilePath LoadUser = False sProfilePath = "" sProfilePath = GetProfilePath(sUser) If ( sProfilePath <> "" ) AND (oFso.FileExists( sProfilePath & "\NTuser.dat") OR oFso.FileExists( sProfilePath & "\NTuser.man") ) Then ' ~~~ load registry hive If AccountLocked(sUser) Then oShell.Run "REG LOAD " & sRootKeyE & " """ & sProfilePath & "\ntuser.man""", 0, True Else oShell.Run "REG LOAD " & sRootKeyE & " """ & sProfilePath & "\ntuser.dat""", 0, True End If LoadUser = True End If End Function ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: UnLoadUser() ' *** ------------------------------------------------------------------------------ ' *** Purpose: Unloads the currently loaded registry hive ' *** ------------------------------------------------------------------------------ ' *** public Function UnLoadUser() If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim bResult bResult = oShell.Run("reg unload " & sRootKeyE, 0, True) ' ~~~ return status If bResult = 0 Then UnLoadUser = True Else UnLoadUser = False End If End Function ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: IsFileSystemNTFS() ' *** ------------------------------------------------------------------------------ ' *** Purpose: Checks the filesystem of the drive in which the user's ' *** profile exists. ' *** Returns True if it is NTFS, else False ' *** ------------------------------------------------------------------------------ ' *** Public Function IsFileSystemNTFS() If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim colDisks, oDisk, sProfileDrive Const HARD_DISK = 3 ' ~~~ To check whether the drive is a hard disk IsFileSystemNTFS = True sProfileDrive = GetProfilePath(User) sProfileDrive = oShell.ExpandEnvironmentStrings( sProfileDrive ) sProfileDrive = Left(sProfileDrive ,1) sProfileDrive = UCase(sProfileDrive) Set colDisks = oWmiService.ExecQuery("Select * from Win32_LogicalDisk where DriveType =" & HARD_DISK & "" ) For Each oDisk in colDisks If UCase(Left(oDisk.DeviceID,1)) = sProfileDrive Then If UCase(oDisk.Filesystem) <> "NTFS" Then IsFileSystemNTFS = False Exit For End If End If Next End Function ' ~~~ ' ~~~ private methods ' ~~~ ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: Class_Initialize ' *** ------------------------------------------------------------------------------ ' *** Purpose: Used internally by the class when it is created. ' *** Declared as private because it must not be called directly. ' *** ------------------------------------------------------------------------------ ' *** Private Sub Class_Initialize If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 ' ~~~ set default values for properties bLogging = True bChangeLockFolder = False bProfileDriveNTFS = True ' ~~~ defined to simplify code. two versions are required becauase the exe and script method of processing the registry is different sRootKeyE = "HKU\SSW" ' EXE sRootKeyS = "HKEY_USERS\SSW" ' SCRIPT End Sub ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: Class_Terminate ' *** ------------------------------------------------------------------------------ ' *** Purpose: Used internally by the class when it is destroyed. ' *** Declared as private because it must not be called directly. ' *** ------------------------------------------------------------------------------ ' *** Private Sub Class_Terminate If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 End Sub ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: RegReadANSI(sRegKey, sValueOff) ' *** ------------------------------------------------------------------------------ ' *** Purpose: Reads ANSI only registry keys. Deals with non-existent keys. ' *** Used only for registry keys not containing UNICODE (e.g Policy Settings) ' *** ------------------------------------------------------------------------------ ' *** Private Function RegReadANSI(sRegKey, sValueOff) If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim sValue ' ~~~ turn on error handling to capture registry handling errors On Error Resume Next ' ~~~ read value from registry - MUST use oShell.RegRead... DO NOT REMOVE! sValue = oShell.RegRead(sRegKey) ' ~~~ if error, key does not exist, value=off If err.number <> 0 Then sValue = sValueOff err.Clear End If ' ~~~ turn off error handling On Error Goto 0 ' ~~~ return result RegReadANSI = sValue End Function ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: RegWriteANSI(sRegKey, sValue, sType) ' *** ------------------------------------------------------------------------------ ' *** Purpose: Writes ANSI value registry keys. ' *** Used only for registry keys not containing UNICODE (e.g Policy Settings) ' *** ------------------------------------------------------------------------------ ' *** Private Function RegWriteANSI(sRegKey, sValue, sType) If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 ' ~~~ Turn on error 'handling' On Error Resume Next If (sType="REG_SZ") or (sType="REG_EXPAND_SZ") Then Call oShell.RegWrite(sRegKey, sValue, sType) Else If Not(IsNumeric(sValue)) Then sValue="0" Call oShell.RegWrite(sRegKey, Int(sValue), sType) End If ' ~~~ Turn off error handling On Error Goto 0 RegWriteANSI = Err.Number Err.Clear End Function ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: ReadIdlelogOff(sRegKey, sValueOff) ' *** ------------------------------------------------------------------------------ ' *** Purpose: Reads a registry key. Deals with non-existent keys. ' *** ------------------------------------------------------------------------------ ' *** Private Function ReadIdlelogOff(sRegKey, sValueOff) If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim sAppDir ' ~~~ Do not attempt to use GetRootFolder here... called from WSF file. sAppDir = RegRead(TOOLKITKEY & "TargetDir") Dim sValue select case sRegKey case sRootKeyS & "\Software\Microsoft\Shared Computer Toolkit\IdleLogoff" sValue = RegReadANSI(sRegKey, sValueOff) case sRootKeyS & "\Control Panel\Desktop\ScreenSaveTimeOut" sValue = RegReadANSI("Software\Microsoft\Shared Computer Toolkit\IdleLogoff", sValueOff) case sRootKeyS & "\Control Panel\Desktop\ScreenSaveActive" sValue = 1 case sRootKeyS & "\Control Panel\Desktop\ScreenSaverIsSecure" sValue = 0 case sRootKeyS & "\Control Panel\Desktop\NoAutoReturnToWelcome" sValue = 1 case sRootKeyS & "\Control Panel\Desktop\ScrnSave.exe" sValue = chr(34) & sAppDir & "bin\ForceLogoff.exe" & chr(34) End select ' ~~~ return result ReadIdlelogOff = sValue End Function ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: SetDefaultScr() ' *** ------------------------------------------------------------------------------ ' *** Purpose: If there is no scr and forcelogoff set the default scr is applied ' *** ------------------------------------------------------------------------------ ' *** Private Function SetDefaultScr(sRegKey, sValueOff) If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim sValue select case sRegKey case sRootKeyS & "\Control Panel\Desktop\ScrnSave.exe" sValue = oShell.ExpandEnvironmentStrings("%WinDir%\System32\logon.scr") case sRootKeyS & "\Control Panel\Desktop\ScreenSaveTimeOut" sValue = 600 case sRootKeyS & "\Control Panel\Desktop\ScreenSaveActive" sValue = 1 case sRootKeyS & "\Control Panel\Desktop\ScreenSaverIsSecure" sValue = 0 case sRootKeyS & "\Control Panel\Desktop\NoAutoReturnToWelcome" sValue = 1 End select SetDefaultScr = sValue End Function ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: ChangeProfileOwner(sUserName) ' *** ------------------------------------------------------------------------------ ' *** Purpose: Changes the owner of the folder to administrators ' *** ------------------------------------------------------------------------------ ' *** Private Function ChangeProfileOwner(sUserName) If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim Profile, sCommand Profile = GetProfilePath(sUserName) sCommand = Chr(34) & GetRootFolder & "\bin" & "\DenyAccess.exe" & Chr(34) & sUserName & ",0," ' ~~~ Change the ACL's on the root folder, subfolders and files Call SetPermission(Profile,sCommand) End Function ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: SetPermission(Profile,sCommand) ' *** ------------------------------------------------------------------------------ ' *** Purpose: Changes the file/folder permissions ' *** ------------------------------------------------------------------------------ ' *** private Function SetPermission(Profile,sCommand) If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim folders, folder, files, file, oDacl If oFso.FolderExists(Profile) Then ' ~~~ Set different ACL's for folders oShell.Run sCommand & "0," & Profile ,0,false For Each file In oFso.GetFolder(Profile).Files ' ~~~ Different ACL for files oShell.Run sCommand & "1," & file ,0,false Next For Each folder In oFso.getFolder(Profile).SubFolders Call SetPermission(oFso.GetAbsolutePathName(folder),sCommand) Next End If End Function ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: RestartShortcut(bCreate, sShellStartMenu) ' *** ------------------------------------------------------------------------------ ' *** Purpose: Creates logoff shortcut which restarts the computer while logoff ' *** ------------------------------------------------------------------------------ ' *** private Function RestartShortcut(bCreate, sShellStartMenu) If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim strStartmenuFld, oShortcut, strUserFolder, scentralProfilePath, oAccount, sProfilePath, sProfileDrive Dim iCharPos, strOrigFolder, strLeftStartMenuFld, strRightStartMenuFld strStartmenuFld = "" scentralProfilePath = "" sProfilePath = "" ' ~~~ Get the profile path of the user sProfilePath = GetProfilePath( User ) sProfilePath = oShell.ExpandEnvironmentStrings( sProfilePath ) sProfileDrive = Left( sProfilePath , 1) ' ~~~ Get the profile path from profile attribute if the profile is roaming Set oAccount = GetObject("WinNT://" & sComputer & "/" & User) scentralProfilePath = oAccount.Profile scentralProfilePath = oShell.ExpandEnvironmentStrings( scentralProfilePath ) Set oAccount = Nothing ' ~~~ Get the startmenu folder from ShellFolders strStartmenuFld = sShellStartMenu If UCase(Left(strStartmenuFld ,1)) <> UCase(sProfileDrive) Then strStartmenuFld = sProfileDrive & Mid( strStartmenuFld , 2) End If If scentralProfilePath <> "" and oFso.FolderExists( scentralProfilePath ) Then ' ~~~ Extract the orig folder name iCharPos = 0 iCharPos = InstrRev( scentralProfilePath , "\" ) strOrigFolder = Mid( scentralProfilePath , iCharPos + 1) iCharPos = 0 ' ~~~ Get the first occurence of \ and store the string before that position iCharPos = InstrRev( strStartmenuFld , "\" ) strRightStartMenuFld = Mid ( strStartmenuFld , iCharPos ) ' ~~~ Get the second occurence of \ and store the string after that position iCharPos = InstrRev( strStartmenuFld , "\" , iCharPos - 1 ) strLeftStartMenuFld = Left( strStartmenuFld , iCharPos ) ' ~~~ Concatenate the two extracted strings and the orig folder name strStartmenuFld = strLeftStartMenuFld & strOrigFolder & strRightStartMenuFld End If Select Case bCreate Case "create" If oFso.FolderExists( strStartmenuFld ) Then Set oShortcut = oShell.CreateShortcut(strStartmenuFld & "\" & L_sLogOffLink_TEXT & ".lnk") Call oShell.Run("CMD /C COPY " & Chr(34) & GetRootFolder & "\bin\shortcut\" & "LogOff.lnk" & Chr(34) & " " & Chr(34) & strStartmenuFld & "\" & L_sLogOffLink_TEXT & ".lnk" & Chr(34), 0, True) ' ~~~ To deny the delete permission for the user oShell.Run Chr(34) & GetRootFolder & "\bin" & "\DenyAccess.exe" & Chr(34) & User & "," & "0" & "," & "1" & strStartmenuFld & "\" & L_sLogOffLink_TEXT & ".lnk" End If Case "delete" If oFso.FileExists(strStartmenuFld & "\" & L_sLogOffLink_TEXT & ".lnk") Then oFso.DeleteFile strStartmenuFld & "\" & L_sLogOffLink_TEXT & ".lnk" , True End If End Select End Function ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: LockProfileFolder(strProfileImgPath) ' *** ------------------------------------------------------------------------------ ' *** Purpose: Checks for the existence of the .orig before locking ' *** an "unlocked" account and returns the profile folder ' *** as user.1.orig ' *** ------------------------------------------------------------------------------ ' *** Private Function LockProfileFolder(strProfileImgPath) If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim iCount, strNewLockFolder, bFolderExists iCount = 1 bFolderExists = False Do strNewLockFolder = strProfileImgPath & "." & iCount & ".orig" If oFso.FolderExists( strNewLockFolder ) Then iCount = iCount + 1 Else bFolderExists = True End If Loop Until bFolderExists = True LockProfileFolder = strNewLockFolder End Function ' *** ' *** ------------------------------------------------------------------------------ ' *** Name: DisableInternet( bDisableIE, sProxyServer, bProxyEnable ) ' *** ------------------------------------------------------------------------------ ' *** Purpose: Changes the registry entry for checking/unchecking ' *** automatically detect settings checkbox in IE options ' *** ------------------------------------------------------------------------------ ' *** Private Function DisableInternet(bDisableIE, sProxyServer, bProxyEnable ) If NOT DEBUG Then On Error Resume Next Else On Error Goto 0 Dim sRegpath, bResult, sDefaultConnValue , sUncheckAutoDetect, iByteCount, sCurrentIntConn Dim sIEConnRegPath , sAutoConfig , sAutoConfigURL , sProxyServervalue, iProxyEnable, bRegread Const HKEY_USERS = &H80000003 If ((sProxyServer = "NoInternetAccess" and bDisableIE = "disable" ) or (sProxyServer <> "NoInternetAccess" and bDisableIE = "enable") ) Then Exit Function End If sIEConnRegPath = "\Software\Microsoft\Shared Computer Toolkit\InternetSettings\" sRegpath = "\Software\Microsoft\Windows\CurrentVersion\Internet Settings\" sUncheckAutoDetect = Array( 60,0,0,0,3,0,0,0,3,0,0,0,16,0,0,0,78,111,73,110,_ 116,101,114,110,101,116,65,99,99,101,115,115,0,0,0,0,0,0,0,_ 0,0,0,0,0,27,0,0,0,104,116,116,112,58,47,47,78,111,73,110,_ 116,101,114,110,101,116,65,99,99,101,115,115,32,0,0,0,0,0,0,0,_ 0,0,0,0,0,0,0,0,0,0,0,0,0 ) On Error Resume Next bResult = oWmiReg.GetBinaryValue( HKEY_USERS, "SSW" & sRegpath & "Connections" , "DefaultConnectionSettings" , sDefaultConnValue ) bregread = oWmiReg.GetExpandedStringValue( HKEY_USERS, "SSW" & sRegpath , "AutoConfigURL" , sAutoConfig ) If bregread <> 0 Then sAutoConfig = "" If IsArray(sDefaultConnValue) Then ReDim Preserve sDefaultConnValue(uBound(sDefaultConnValue)) If bDisableIE = "disable" Then ' ~~~ Store the current internet settings in a separate Reg hive Internet Settings RegWrite sRootKeyS & sIEConnRegPath & "CurrentIntConn" , sDefaultConnValue , "REG_BINARY" RegWrite sRootKeyS & sIEConnRegPath & "ProxyServer" , sProxyServer , "REG_EXPAND_SZ" RegWrite sRootKeyS & sIEConnRegPath & "AutoConfigURL" , sAutoConfig , "REG_EXPAND_SZ" RegWrite sRootKeyS & sIEConnRegPath & "ProxyEnable" , bProxyEnable , "REG_DWORD" RegWrite sRootKeyS & sRegpath & "AutoConfigURL" , "" , "REG_SZ" RegWrite sRootKeyS & sRegpath & "ProxyEnable" , 1 , "REG_DWORD" RegWrite sRootKeyS & sRegpath & "MigrateProxy" , 1 , "REG_DWORD" RegWrite sRootKeyS & sRegpath & "Connections\DefaultConnectionSettings" , sUncheckAutoDetect , "REG_BINARY" Else oWmiReg.GetBinaryValue HKEY_USERS, "SSW" & sIEConnRegPath ,"CurrentIntConn" ,sCurrentIntConn sAutoConfigURL = RegRead ( sRootKeyS & sIEConnRegPath & "AutoConfigURL" ) sProxyServervalue = RegRead ( sRootKeyS & sIEConnRegPath & "ProxyServer" ) iProxyEnable = RegRead ( sRootKeyS & sIEConnRegPath & "ProxyEnable" ) RegWrite sRootKeyS & sRegpath & "Connections\DefaultConnectionSettings" , sCurrentIntConn , "REG_BINARY" RegWrite sRootKeyS & sRegpath & "AutoConfigURL" , sAutoConfigURL , "REG_EXPAND_SZ" RegWrite sRootKeyS & sRegpath & "ProxyServer" , sProxyServervalue , "REG_EXPAND_SZ" RegWrite sRootKeyS & sRegpath & "ProxyEnable" , iProxyEnable , "REG_DWORD" End If Else RegWrite sRootKeyS & sIEConnRegPath & "CurrentIntConn" , sUncheckAutoDetect , "REG_BINARY" RegWrite sRootKeyS & sIEConnRegPath & "ProxyServer" , "" , "REG_EXPAND_SZ" RegWrite sRootKeyS & sIEConnRegPath & "AutoConfigURL" , "" , "REG_EXPAND_SZ" RegWrite sRootKeyS & sIEConnRegPath & "ProxyEnable" , 1 , "REG_DWORD" RegWrite sRootKeyS & sRegpath & "MigrateProxy" , 1 , "REG_DWORD" RegWrite sRootKeyS & sRegpath & "Connections\" & "DefaultConnectionSettings" , sUncheckAutoDetect , "REG_BINARY" End If End Function End Class