I want to disable all scripting and command prompt access for my win2000
users. So I need a (flexible) alternative to my current login script as this
wont run after the setting in AD is applied. Currently it maps 3 drives,
copies a few files from server to workstation, deletes a few local files and
sets the time.

any ideas?

Hi Fabrussio,

We lock down some users and don't allow access to the command prompt but
logon scripts still run without problems. We also use group policy
(computer>admin templates>system/logon>run these programs at user logon) to
define printers, shares etc. These run as the local machine rather than the
user so you can lock them down all you want.

--
Scott Baldridge
Windows Server MVP, MCSE


"Fabrussio"
>I want to disable all scripting and command prompt access for my win2000
> users. So I need a (flexible) alternative to my current login script as
> this
> wont run after the setting in AD is applied. Currently it maps 3 drives,
> copies a few files from server to workstation, deletes a few local files
> and
> sets the time.
>
> any ideas?

Do you 'disable command scripting' as well in the same bit of the GPO? (If
you don't they can still run .bat files). I have tried your suggestion and
just get a command window open with an admin restriction message.

Thanks 4 reply

"NIC Student" wrote:

> Hi Fabrussio,
>
> We lock down some users and don't allow access to the command prompt but
> logon scripts still run without problems. We also use group policy
> (computer>admin templates>system/logon>run these programs at user logon) to
> define printers, shares etc. These run as the local machine rather than the
> user so you can lock them down all you want.
>
> --
> Scott Baldridge
> Windows Server MVP, MCSE
>
>
> "Fabrussio"
> >I want to disable all scripting and command prompt access for my win2000
> > users. So I need a (flexible) alternative to my current login script as
> > this
> > wont run after the setting in AD is applied. Currently it maps 3 drives,
> > copies a few files from server to workstation, deletes a few local files
> > and
> > sets the time.
> >
> > any ideas?
>
>
>

No, we don't use 'disable command scripting', we just block access to the
comand prompt. Maybe you could use the "run only approved apps" GPO instead
(Win2003 uses hashing to prevent renaming of apps). Or maybe you could
write an app (exe) to map drives, etc. There are tons of development
newgroups to assist you.

--
Scott Baldridge
Windows Server MVP, MCSE


"Fabrussio"
> Do you 'disable command scripting' as well in the same bit of the GPO? (If
> you don't they can still run .bat files). I have tried your suggestion and
> just get a command window open with an admin restriction message.
>
> Thanks 4 reply
>
> "NIC Student" wrote:
>
>> Hi Fabrussio,
>>
>> We lock down some users and don't allow access to the command prompt but
>> logon scripts still run without problems. We also use group policy
>> (computer>admin templates>system/logon>run these programs at user logon)
>> to
>> define printers, shares etc. These run as the local machine rather than
>> the
>> user so you can lock them down all you want.
>>
>> --
>> Scott Baldridge
>> Windows Server MVP, MCSE
>>
>>
>> "Fabrussio"
>> >I want to disable all scripting and command prompt access for my win2000
>> > users. So I need a (flexible) alternative to my current login script as
>> > this
>> > wont run after the setting in AD is applied. Currently it maps 3
>> > drives,
>> > copies a few files from server to workstation, deletes a few local
>> > files
>> > and
>> > sets the time.
>> >
>> > any ideas?
>>
>>
>>