Dropping user privileges at login

Matthew Miller

Hello,

I work in a high school computer lab and I need to restrict the
privileges that the users have after they are logged in. This would
seem to be something straightforward to do, let me explain why it
isn't:

All of the computers in the lab are protected by deepfreeze. This
program causes the computer, after it reboots, to revert to the previous
state; if you create a file it is now gone, a deleted or modified file
is returned to how it was originally. I have not been able to convince
the IT people to give me the deepfreeze password, sigh.

Novell (version 5?) is used to provide the user accounts and network
shares. I do have admin rights on the Novell server and through the
login script I can have an arbitrary program run at startup. I already
use this feature to run a program that appends entries to the hosts file.

The trouble is that when a student logs in they have Admin privileges
and can install anything, edit any file, and so on. The changes aren't
saved through a reboot anyway... I want to be able to write a program
or use an existing one to remove these privileges at login. Is there
a Win32 API that will allow me to do this? Can anyone provide pointers?

I am also open to other ideas. My main objective is to prevent editing
of the hosts file should a student discover it. If you can't suggest
a solution, but instead want to reply and rant about our IT admins,
please feel free! :) Oh, these machines all use WinXP Pro, I'm not
sure which SP, but I bet it is SP1.

Thanks for any help. Matthew
 
Pegasus (MVP)

Matthew Miller said:
> Hello,
>
> I work in a high school computer lab and I need to restrict the
> privileges that the users have after they are logged in. This would
> seem to be something straightforward to do, let me explain why it
> isn't:
>
> All of the computers in the lab are protected by deepfreeze. This
> program causes the computer, after it reboots, to revert to the previous
> state; if you create a file it is now gone, a deleted or modified file
> is returned to how it was originally. I have not been able to convince
> the IT people to give me the deepfreeze password, sigh.
>
> Novell (version 5?) is used to provide the user accounts and network
> shares. I do have admin rights on the Novell server and through the
> login script I can have an arbitrary program run at startup. I already
> use this feature to run a program that appends entries to the hosts file.
>
> The trouble is that when a student logs in they have Admin privileges
> and can install anything, edit any file, and so on. The changes aren't
> saved through a reboot anyway... I want to be able to write a program
> or use an existing one to remove these privileges at login. Is there
> a Win32 API that will allow me to do this? Can anyone provide pointers?
>
> I am also open to other ideas. My main objective is to prevent editing
> of the hosts file should a student discover it. If you can't suggest
> a solution, but instead want to reply and rant about our IT admins,
> please feel free! :) Oh, these machines all use WinXP Pro, I'm not
> sure which SP, but I bet it is SP1.
>
> Thanks for any help. Matthew

If the students are administrators at the start of the session
then you can drop them back to users level by including
this command in the logon script:

net localgroup Administrators %UserName% /del
and/or
net group "domain admins" %UserName% /del

But why would you bother? Nothing appears to be saved anyway . . .
 
Disciple

On Thu, 09 Feb 2006 21:12:23 -0500, Matthew Miller wrote:

> [...]
> ... but instead want to reply and rant about our IT admins, please feel
> free! :) Oh, these machines all use WinXP Pro, I'm not sure which SP,
> but I bet it is SP1.

Not ranting about the admins, I don't know enough about the school board's
policies to make a comment. But there was a teacher, I think in the same
capacity as you, fired in DeKalb Co. Georgia. His crime, installing and
running SETI at Home, or a similar type program that runs when the computer
screensaver kicks in. His argument was that it is only a screensaver. The
school board's argument was that it is strictly forbidden for anyone to
install unauthorized programs. The battle was taken to Superior Court and
the school board was upheld.
 
Matthew Miller

Hello,

> If the students are administrators at the start of the session
> then you can drop them back to users level by including
> this command in the logon script:
>
> net localgroup Administrators %UserName% /del
> and/or
> net group "domain admins" %UserName% /del

This seems to be exactly what I need. I just hope that the Novell login
script provides a way to get the username. Or is %UserName% a variable
that would be substituted if I put the above commands in a .bat file?

> But why would you bother? Nothing appears to be saved anyway . . .

Because at login a program I wrote appends entries to the hosts file
to redirect any attempts to access myspace.com. If I don't find a
way to restrict their privileges they may learn about the hosts file
and edit out my additions.

Thanks for your help!

Matthew
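
An added example, not part of any post in this thread: a logon batch file built around the command suggested above. cmd.exe expands %USERNAME% by itself when the commands sit in a .bat file; the exemption for the built-in Administrator account and the re-add to Users are assumptions to adjust for the lab.

```batch
@echo off
rem Added example (not from the thread): drop the logged-on user out of the
rem local Administrators group from a logon batch file.
setlocal

rem cmd.exe substitutes %USERNAME% from the environment of the logon session,
rem so the Novell login script only has to launch this file.

rem Assumption: the built-in Administrator account must stay an administrator.
if /I "%USERNAME%"=="Administrator" goto :eof

rem List the group members and look for an exact, case-insensitive line match.
net localgroup Administrators | findstr /I /X /C:"%USERNAME%" >nul
if errorlevel 1 goto :eof

rem Remove the membership; report a failure instead of ignoring it.
net localgroup Administrators "%USERNAME%" /delete
if errorlevel 1 (
    echo Could not remove %USERNAME% from Administrators 1>&2
    exit /b 1
)

rem Assumption: the account should remain an ordinary member of Users.
net localgroup Users "%USERNAME%" /add >nul 2>&1

rem Caveat: group membership is read when the logon token is built, so the
rem session running this script still holds its administrator token. The
rem removal applies to logons that start after it, and a machine that reverts
rem its disk on reboot (as described in the thread) also reverts this change.
endlocal
```

Because of the token caveat in the comments, check the result from a fresh logon with `net localgroup Administrators` rather than from the session that ran the script.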
 
Matthew Miller

> On Thu, 09 Feb 2006 21:12:23 -0500, Matthew Miller wrote:
>
>> [...]
>> ... but instead want to reply and rant about our IT admins, please feel
>> free! :) Oh, these machines all use WinXP Pro, I'm not sure which SP,
>> but I bet it is SP1.
>
> Not ranting about the admins, I don't know enough about the school board's
> policies to make a comment. But there was a teacher, I think in the same
> capacity as you, fired in DeKalb Co. Georgia. His crime, installing and
> running SETI at Home, or a similar type program that runs when the computer
> screensaver kicks in. His argument was that it is only a screensaver. The
> school board's argument was that it is strictly forbidden for anyone to
> install unauthorized programs. The battle was taken to Superior Court and
> the school board was upheld.

I remember that case. Thanks for bringing this up. I don't think what I'm
doing will be a problem though since I'm trying to curb student behavior.

Matthew
 
