Disable Windows Games Using Software Restriction Policy

Do you find that your users spend more time in freecell and minesweeper than actually doing work? Then one would say that it is time to block those applications from being started. To do this you can use the Software Restriction Policy that is Built in to Group Policy and your Domain. What you will need to do is create a new Group Policy, you could call it “No Windows Games” and then Edit it and drill down into Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies from there you will probably be presented with “No Software Restriction Policies Defined” now right click back on Software Restriction Polices in the tree view on the left and select Create New Policies. Now you should have the option for Additional Rules. This is where you need your restrictions. Here is the long article about what the different types of rules are, and what you can do with the from Microsoft, but since we just want to block Windows Games we just need to add a New Path Rules with the Disallowed option.

  • %SystemRoot%\system32\freecell.exe
  • %SystemRoot%\system32\mshearts.exe
  • %SystemRoot%\system32\sol.exe
  • %SystemRoot%\system32\spider.exe
  • %SystemRoot%\system32\winmine.exe
  • C:\Program Files\MSN Gaming Zone
  • C:\Program Files\Windows NT\Pinball\PINBALL.EXE

Once these restriction are in place you can link them to the OU or workstations to make them take effect. Your end result should look something like this:
No Windows Games Group Policy

Read More

Passing Parameters to VB Script to Map Network Drives

The other day I got an instant message from a fellow network administrator asking for a script that would map drives to by simply passing parameters from command line. This caused me to go into Google mode checking how parameters are passed in to Visual Basic Script and then applying the basic network drive mapping script. Now I feel that only the proper thing to do is share it with everyone out there that is looking for the same thing he was. This is a very simple script that does something equally simple. Hopefully this will simply some of the group policies that are out there.

Usage: mapme.vbs Z //server/share

This would result in passing Z as the drive letter and mapping it to the UNC path of //server/share

Set objArgs = WScript.Arguments
Set objNetwork = WScript.CreateObject("WScript.Network")
objNetwork.MapNetworkDrive  objArgs(0) & ":" , objArgs(1)

Read More

Remove Temporary Files at Logoff

Over time users tend to open a lot of items programs that write little files to be used just once to print a document or a small setting for a program. These items build up over time and cause your computer to run slower due to your antivirus solution scanning it, your hard drive taking longer to find a free space of disk to write your new file or has to spend more time gathering up fragments of your file from in between these temp files. The solution here is pretty simple, these files need to go, and probably the easiest solution is the remove them when the user logs off. This doesn’t require anymore time for the user and typically isn’t a problem since most computers are logged on and off once a day.

This script will remove the most common temporary folder for the user as well as remove any of the temporary internet files that they have gathered while surfing the web. When we implemented this script we noticed that the antivirus scan time and how many files it scanned were significantly reduced providing a better and faster workstation for your users. This script should be placed in the Group Policy for users as one of their logoff script.

Const TEMPORARY_INTERNET_FILES = &H20&
dim intDepth
 
Set objShell = CreateObject("Shell.Application")
Set objFSO = CreateObject("Scripting.FileSystemObject")

'Clean User Temporary Intenet Files
Set objNameSpace = objShell.Namespace(TEMPORARY_INTERNET_FILES)
Set objFolderItem = objNameSpace.Self
set objFolder=objFSO.GetFolder(objFolderItem.Path)
intDepth=0
RemoveFolder objFolder

'Clean User Temp Files
Const TemporaryFolder = 2
Set tempFolder = objFSO.GetSpecialFolder(TemporaryFolder)
RemoveFolder tempFolder

 
sub RemoveFolder(objFolder)
	' Recursively remove files and folders
	intDepth=intDepth+1
	on error resume next
	for each objFile in objFolder.Files
		objFile.Delete true
	next
	Err.Clear
	on error goto 0
	for each objSubfolder in objFolder.SubFolders
		RemoveFolder objSubFolder
	next
	intDepth=intDepth-1
	if intDepth<>0 then' Don't delete top-level folder
		on error resume next
		objFolder.Delete true 
		err.Clear
		on error goto 0
	end if
end sub

Read More

Allow Users on Domain to Control Power Settings

In some domain environments you need to allow some control back to the users where they can manage it best. A perfect example of this is Power Settings, by default a normal domain user does not have the rights to control the power settings on the PC. This can lead to the computer turning off the monitor or going to standby at inopportune times. A way to solve this problem is by modifying the registry so any user authenticated / interactive user can modify these settings. To do this you need to use the regini.exe, it allows you to modify permissions in the registry from command line. Basically anything under registry key: (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\) need to be given permissions to be modify by the user. Below I have included some code that needs to be placed in a text file for parameters to pass to regini.exe during workstation start up.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg [1 5 7 11 17 21]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\GlobalPowerPolicy [1 5 7 11 17 21]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\PowerPolicies [1 5 7 11 17 21]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\PowerPolicies\0 [1 5 7 11 17 21]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\PowerPolicies\1 [1 5 7 11 17 21]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\PowerPolicies\2 [1 5 7 11 17 21]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\PowerPolicies\3 [1 5 7 11 17 21]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\PowerPolicies\4 [1 5 7 11 17 21]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\PowerPolicies\5 [1 5 7 11 17 21]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\ProcessorPolicies [1 5 7 11 17 21]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\ProcessorPolicies\0 [1 5 7 11 17 21]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\ProcessorPolicies\1 [1 5 7 11 17 21]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\ProcessorPolicies\2 [1 5 7 11 17 21]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\ProcessorPolicies\3 [1 5 7 11 17 21]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\ProcessorPolicies\4 [1 5 7 11 17 21]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\ProcessorPolicies\5 [1 5 7 11 17 21]

Once you have this file made save it Machine Startup Scripts directory for Group Policy. Then add the following entry to the Group Policy (shown below) and the users should now be able to modify their computers power settings.

Regini.exe with Parameter
Regini.exe with Parameter

For more detail on parameters or what exactly regini.exe can do for you hop on over to Microsoft KB 237607.

Read More

List Local Accounts from Computers in Active Directory

When you finally take the plunge and decided that the only way to take your business to the next level is to setup a true client/server environment, here is a script to help you clean up those old accounts. When you convert to an Active Directory structure, you need to remove all the old local user accounts. This will reduce the security risks by removing accounts that you can’t force to conform to the rules setup by Group Policy. Also, if you were running these users as Administrators or Power Users and now have limited them down to a Standard user, without removing their old local accounts they may have elevated rights that they don’t need. Using this script you can query every computer in you Active Directory and get a list in CSV that you can use to know where that accounts are that need to be removed. In this script you can modify the output file so you can save the file where you want. You will also need to modify the Active Directory information to match your Domain configuration.

Tip: You can remotely connect other computers on your domain using “compmgmt.msc /computer:[remote computer]” from there you can manage user accounts in Local Users and Groups.

Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "MYDomainController" 'put domain controller here

Set objCOmmand.ActiveConnection = objConnection
objCommand.CommandText = _
    "Select Name, Location from LDAP://DC=subdomain,DC=zim,DC=local' " _  'update this with your AD information
        & "Where objectClass='computer'"  
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

Do Until objRecordSet.EOF
	LocalUsers objRecordSet.Fields("Name").Value, "C:\localaccounts.csv" 'adjust output file name as needed
    objRecordSet.MoveNext
Loop

Sub LocalUsers(strComputer, strFilename)
	On Error Resume Next
	Set StdOut = WScript.StdOut
	 
	Set objFSO = CreateObject("scripting.filesystemobject")
	Set logStream = objFSO.opentextfile(strFilename, 8, True)
	 
	Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
	If Err.Number Then
	      logStream.writeline(strComputer & ",Offline")
	      Err.Clear
	Else
		Set colAccounts = GetObject("WinNT://" & strComputer)
		colAccounts.Filter = Array("user")

		For Each objUser In colAccounts
		        logStream.writeline(strComputer & ",Online," & objUser.Name & "," & objUser.AccountDisabled) 
		Next
	End If

	logStream.Close
End Sub

Read More