Dropping user privileges at login

 
10-02-2006, 02:12 AM   #1
Matthew Miller

Hello,

I work in a high school computer lab and I need to restrict the
privileges that the users have after they are logged in. This would
seem to be something straightforward to do; let me explain why it
isn't:

All of the computers in the lab are protected by deepfreeze. This
program causes the computer, after it reboots, to revert to the previous
state; if you create a file it is now gone, a deleted or modified file
is returned to how it was originally. I have not been able to convince
the IT people to give me the deepfreeze password, sigh.

Novell (version 5?) is used to provide the user accounts and network
shares. I do have admin rights on the Novell server and through the
login script I can have an arbitrary program run at startup. I already
use this feature to run a program that appends entries to the hosts file.

The trouble is that when a student logs in they have Admin privileges
and can install anything, edit any file, and so on. The changes aren't
saved through a reboot anyway... I want to be able to write a program
or use an existing one to remove these privileges at login. Is there
a Win32 API that will allow me to do this? Can anyone provide pointers?

I am also open to other ideas. My main objective is to prevent editing
of the hosts file should a student discover it. If you can't suggest
a solution, but instead want to reply and rant about our IT admins,
please feel free! Oh, these machines all use WinXP Pro, I'm not
sure which SP, but I bet it is SP1.

Thanks for any help. Matthew

10-02-2006, 02:27 AM   #2
Pegasus (MVP)

"Matthew Miller" <namille2@vt.edu> wrote in message
news:a46a7$43ebf687$d8186296$26561@NAXS.COM...
> Hello,
>
> I work in a high school computer lab and I need to restrict the
> privileges that the users have after they are logged in. This would
> seem to be something straightforward to do; let me explain why it
> isn't:
>
> All of the computers in the lab are protected by deepfreeze. This
> program causes the computer, after it reboots, to revert to the previous
> state; if you create a file it is now gone, a deleted or modified file
> is returned to how it was originally. I have not been able to convince
> the IT people to give me the deepfreeze password, sigh.
>
> Novell (version 5?) is used to provide the user accounts and network
> shares. I do have admin rights on the Novell server and through the
> login script I can have an arbitrary program run at startup. I already
> use this feature to run a program that appends entries to the hosts file.
>
> The trouble is that when a student logs in they have Admin privileges
> and can install anything, edit any file, and so on. The changes aren't
> saved through a reboot anyway... I want to be able to write a program
> or use an existing one to remove these privileges at login. Is there
> a Win32 API that will allow me to do this? Can anyone provide pointers?
>
> I am also open to other ideas. My main objective is to prevent editing
> of the hosts file should a student discover it. If you can't suggest
> a solution, but instead want to reply and rant about our IT admins,
> please feel free! Oh, these machines all use WinXP Pro, I'm not
> sure which SP, but I bet it is SP1.
>
> Thanks for any help. Matthew


If the students are administrators at the start of the session
then you can drop them back to users level by including
this command in the logon script:

net localgroup Administrators %UserName% /del
and/or
net group "domain admins" %UserName% /del

But why would you bother? Nothing appears to be saved anyway . . .



10-02-2006, 03:42 AM   #3
Disciple

On Thu, 09 Feb 2006 21:12:23 -0500, Matthew Miller wrote:

[...]

> ... but instead want to reply and rant about our IT admins, please feel
> free! Oh, these machines all use WinXP Pro, I'm not sure which SP,
> but I bet it is SP1.


Not ranting about the admins, I don't know enough about the school board's
policies to make a comment. But there was a teacher, I think in the same
capacity as you, fired in DeKalb Co. Georgia. His crime, installing and
running SETI at Home, or a similar type program that runs when the computer
screensaver kicks in. His argument was that it is only a screensaver. The
school board's argument was that it is strictly forbidden for anyone to
install unauthorized programs. The battle was taken to Superior Court and
the school board was upheld.

--
Disciple - Team Z
If we live in the Spirit, let us also walk in the Spirit. Gal.5:25

10-02-2006, 11:45 AM   #4
Matthew Miller

Hello,

On 2006-02-10, Pegasus (MVP) <I.can@fly.com> wrote:
>
> If the students are administrators at the start of the session
> then you can drop them back to users level by including
> this command in the logon script:
>
> net localgroup Administrators %UserName% /del
> and/or
> net group "domain admins" %UserName% /del


This seems to be exactly what I need. I just hope that the Novell login
script provides a way to get the username. Or is %UserName% a variable
that would be substituted if I put the above commands in a .bat file?

> But why would you bother? Nothing appears to be saved anyway . . .


Because at login a program I wrote appends entries to the hosts file
to redirect any attempts to access myspace.com. If I don't find a
way to restrict their privileges they may learn about the hosts file
and edit out my additions.

Thanks for your help!

Matthew
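
An added example, not part of the original thread: a logon batch file built around the net localgroup command suggested above, answering the .bat question (cmd.exe expands %USERNAME% itself). It assumes the student account is a direct member of the local Administrators group; the removal changes group membership only, and the session already running keeps its token until the next logon.

```batch
@echo off
rem Added example (not from the thread): logon-script step that removes the
rem logging-on user from the local Administrators group and reports the result.
rem cmd.exe expands %USERNAME% itself, so this works from any .bat file.
setlocal

if "%USERNAME%"=="" (
    echo USERNAME is not set; refusing to guess an account name.
    exit /b 1
)

rem Leave the built-in Administrator account alone so the machine stays manageable.
if /i "%USERNAME%"=="Administrator" (
    echo Skipping built-in Administrator.
    exit /b 0
)

rem Quote the name so accounts containing spaces are passed as one argument.
net localgroup Administrators "%USERNAME%" /delete >nul 2>&1
if errorlevel 1 (
    rem Non-zero here covers both "was not a member" and "access denied".
    echo %USERNAME% was not removed from Administrators.
    exit /b 2
)

echo %USERNAME% removed from Administrators.
rem Group membership is read when the access token is built at logon, so the
rem session that is already running keeps its administrator token; the removal
rem applies from the next logon.

rem Display the current ACL on the hosts file so the permissions granted to
rem the Users group can be checked.
cacls "%SystemRoot%\system32\drivers\etc\hosts"
endlocal
```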

10-02-2006, 11:47 AM   #5
Matthew Miller

On 2006-02-10, Disciple <Disciple@invalid.invalid> wrote:
> On Thu, 09 Feb 2006 21:12:23 -0500, Matthew Miller wrote:
>
> [...]
>
>> ... but instead want to reply and rant about our IT admins, please feel
>> free! Oh, these machines all use WinXP Pro, I'm not sure which SP,
>> but I bet it is SP1.

>
> Not ranting about the admins, I don't know enough about the school board's
> policies to make a comment. But there was a teacher, I think in the same
> capacity as you, fired in DeKalb Co. Georgia. His crime, installing and
> running SETI at Home, or a similar type program that runs when the computer
> screensaver kicks in. His argument was that it is only a screensaver. The
> school board's argument was that it is strictly forbidden for anyone to
> install unauthorized programs. The battle was taken to Superior Court and
> the school board was upheld.


I remember that case. Thanks for bringing this up. I don't think what I'm
doing will be a problem though since I'm trying to curb student behavior.

Matthew