I have created a pair of scripts that log when a user logs on and off to workstaions on a domain.

A basic overview of how the system works is as follows:

• A share located on an Active Directory server
• A logon script
• A logoff script
• Group Policy to launch the scripts

Setting up the system:

• Create a directory called AUDIT on a server, as it will only be containing plain text making it a compressed folder is quite beneficial.
• Create two folders within it, one called Computers and the other called Users. [fig.1]
• Share this folder as Audit [fig.2]
• Set the SHARE permissions as Everyone | Full Control [fig.3]
• Set the NTFS permissions as: [fig.4]
  • Administrators | Full Control
  • CREATOR OWNER | Special Permissions [fig.5]
  • SYSTEM | Full Control
  • Users | Write
• Compare your NTFS security with this CACLS output.  If it is different check the above steps. [fig.6]
• Edit Audit_Logon.bat and Audit_Logoff.bat to point to the newly created share on your server.
• Set-up the GPO to run the scripts for Users when they logon and logoff respectively.

Sit back and watch the text files fill up with nicely audited information.

I have recently implemented a RSA SecurID infrastructure to provide secure two-factor authentication over both local login to servers and workstations and also EAP VPN authentication.  This was initially using SID700 tokens and worked brilliantly.  Since then we have purchased a number of SID800 tokens which have USB connectors built-in to automatically passthrough the code on the display.

Unfortunatly I have been unable to get them to fully integrate with the logon GINA and still allow full VPN EAP support, until now!

There is not a lot of documentation around doing this with the SID800 tokens so below is the highlevel overview of what I have installed to get them to work, in order:

• Microsoft USB CCID hardware drivers
• RSA Authentication Agent 6.1
• RSA Authentication Agent 6.1.2 patch
• RSA Authenticator Utility

If anyone would like further details please drop me an email and I will do my best to help you out.

The next issue I have encountered is Windows XP’s requirement for an IDE floppy disk drive during the text mode install stage.  As the laptop has a SATA controller Windows XP does not have the driver support built in, normally you would just download the drivers and during the text mode install press F6 to add additional drivers, not a chance!  Without getting too descriptive about the problem the easiest solution was to build a new Windows XP installation CD with the drivers integrated into the CD.  The easiest way to achieve this is to use nLite.

nLite is a tool for permanent Windows components removal and pre-installation Windows configuration. After removal there is an option to make bootable image ready for burning on cd or testing in virtual machines.
With nLite you will be able to have Windows installation which on install does not include, or even contain on cd, the unwanted components.

Features

• Service Pack Integration
• Component Removal
• Unattended Setup
• Driver Integration *
• Hotfixes Integration **
• Tweaks
• Services Configuration
• Patches ***
• Bootable ISO creation

* - Textmode (CD Boot) and normal PnP
** - hotfixes with white icons, *KB*.exe, including update packs
and Internet Explorer 7
***- supports generic SFC, Uxtheme, TcpIp and Usb Polling patching.

Well my new work laptop has arrived but being able to use it with our standard corporate build does not appear so straightforward.  Firstly the workstation management software we use, Novell Zenworks, does not support the hardware ‘out-of-the-box’ so after a short while I found the following solution:

• Download the latest Zenworks for Desktops 7.1 Hot Patch 5 boot cd from Novell
• Boot the laptop using this an d at the imaging menu select ‘Manual mode’
• An error will occur saying that it was unable to load the network module
• Type the following commands at the bash prompt
  • modprobe tg3
  • ifconfig eth0 up
  • dhcpcd
  • img
• This will initialise the network card to allow you to image the laptop.

There is a known issue that if you use a non-BMP wallpaper in a roaming profile using Microsoft Windows, it will not roam with the user.  To resolve this I created a script that when used as a logoff script, it will enable the wallpaper to roam.

MoveJPGWallpaper.vbs

Further to this I would highly recommend that you implement the User Profile Hive Cleanup Service which is a free download from Microsoft.com.  The User Profile Hive Cleanup service helps to ensure user sessions are completely terminated when a user logs off. System processes and applications occasionally maintain connections to registry keys in the user profile after a user logs off. In those cases the user session is prevented from completely ending. This can result in problems when using Roaming User Profiles in a server environment or when using locked profiles as implemented through the Shared Computer Toolkit for Windows XP.

I would also recommend that you use the Microsoft Group Policy Management Console (GPMC) as this will give you a far greater level of control over your GPO’s.