Contents
1. Introduction
1.1 A word about user profiles
2. Making preparations
2.1 Registry settings for the local machine
2.2 Preparing policies
2.3 Recommended policies
2.4 Setting policies with DOSETPOL.BAT
2.5 Keeping shortcuts in a safe place
3. User profiles and policies
3.1 Enabling roaming profiles
3.2 Creating the profiles for the janitors
3.3 Establishing the environment for the default user
4. Creating the golden image
5. Inaugurating new user accounts
5.1 Applying the proper policy
5.2 Locking user profiles
6. Advanced topics
6.1 Creating a simple list with usernames and passwords
6.2 Creating individual password letters
7. Concluding remarks
This chapter deals with the last steps before the final 'golden image'
of the workstation can be created with g4u. The steps leading up to
this point were taken in previous chapters; the following still needs
to be done.
- All shortcuts to the applications need to be stored in a safe
place in order to assign them to the users later on (see chapter
IX. Shortcuts, desktops and start menus).
- Policies need to be prepared for pupils, teachers and other users.
- Personal profiles must be enabled on the workstation.
- The minimalistic policy for the default user must be established.
In the early DOS-days there was no notion of 'personal settings': all
files and all applications on the workstation were accessible to
anyone that happened to sit at the keyboard. It meant that every
computer user could also act as the computer's administrator. That
notion has evolved over time. With the introduction of Windows 95 it
was recognised that different users can use the same workstation at
different times. This called for a mechanism to store personal
preferences in such a way that every user could have the option to
change settings without changing the settings for other users of the
same workstation. These personal settings are known as a 'user
profile'.
Technically speaking the personal settings consist of the following
elements:
- The user settings in the registry (the file USER.DAT).
- The shortcuts (icons) on the user's Desktop (.LNK and .PIF files).
- The shortcuts (icons) in the user's Start Menu (.LNK and .PIF files).
These settings are merged with global settings for 'All Users'. The
combination of the settings for 'All Users' and the personal settings
together make up the working environment for the user.
By default Windows 98 still uses the 'one-size-fits-all' approach: all
users share the same settings on a workstation. Note that some of
these settings may originate in the 'All Users' settings where others
are stored in USER.DAT. This behaviour can be changed in such a way
that every user has a personal profile. That is: every user gets a
personal USER.DAT and (optionally) a personal set of Desktop
shortcuts and (optionally) a personal set of Start Menu shortcuts.
ServerAtSchool uses these features: every user gets a personal
USER.DAT and a personal set of Desktop shortcuts. Users also get
their own personal Start Menu, even though it usually is empty.
The difference between 'user' and 'administrator' has become more
distinct in later versions of Microsoft Windows, notably in the
Windows NT line. In Windows 98 the system registry can be used to make
it more difficult for ordinary users to perform administrator
tasks. However, this is no tight security by any standard.
When a Windows 98 workstation is used in a network it becomes possible
to store the personal profile on the central server. That allows for
using the same profile on different machines. This is called a
'roaming profile' or a 'roving profile'. It means that it no longer
matters which workstation users use because the profile is the same.
The roving profiles for Windows 98 workstations are stored on the
ServerAtSchool server, under the user's home directory in
H:\.profile\USER.DAT, H:\.profile\Desktop and H:\.profile\Start Menu.
When a user successfully logs on to the network, the file USER.DAT is
copied from the server to the workstation, as are the shortcuts from
the Desktop and the Start Menu. After logging out any changed settings
in USER.DAT are copied back to the server. Any shortcuts added to
Desktop and Start Menu are also copied to the server. At that point
any shortcuts that were removed by the user are also removed from the
server.
It is important to note that any changed settings are copied back to
the server at logout time. It means that when a user is logged in
multiple times there are multiple copies of the profile floating
around. The last one to logout will overwrite the profile as
it is stored on the server with the latest settings. This can lead to
confusing situations with multiple simultaneous sessions.
When a user does not log on to the network, the so-called
default profile is used on the workstation. This profile is equal to
the 'one-size-fits-all' profile that existed on the workstation before
the personal profiles were enabled. It is important to make sure that
this profile has as few privileges as possible.
NOTICE: This profile of the default user is also used when a new user
logs on and off for the first time. It is used as the starting point
for the profile of the new user.
Before the personal profiles can be enabled and the 'golden image' can
be created, a few things have to be prepared. First a few registry
settings for the local machine have to be configured
correctly. Subsequently all available shortcuts must be stored in a
safe place, for future reference. Finally policies for pupils and
teachers must be prepared.
A few registry settings have already been discussed in earlier
chapters. For completeness' sake they are repeated below. A good place
to store these .REG files would be the directory
H:\My Documents\janitors\regedit.
By storing the changes in a .REG file and importing this file with
REGEDIT.EXE you minimise the risk of rendering the workstation
unusable due to a typing error.
This is the contents of the file PWDCACHE.REG.
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"DisablePwdCaching"=dword:00000001
Applying this change in the registry makes sure that passwords will
not be cached on the workstation. See section 11.2.5 Password caching in chapter
IV. Workstation setup for more
information.
This is the contents of the file USERNAME.REG.
REGEDIT4

[HKEY_LOCAL_MACHINE\Network\Logon]
"username"=""
Applying this change removes the name of the user that was logged in
last. This file should be applied every time before an image is made.
The file shown here leaves the username field empty. You can change
this to any text (20 characters maximum).
If you never want to show the name of the previous user on the
workstation you could use the registry setting as shown in the file
LASTUSER.REG below. Note that this change needs to be applied only
once.
REGEDIT4

[HKEY_LOCAL_MACHINE\Network\Logon]
"DontShowLastUser"=dword:00000001
See section 11.2.8 Dealing with the previous user logon in chapter
IV. Workstation setup for more information.
If you want to apply a .REG file to the Registry, you should take the
following steps.
- If necessary (re)boot the workstation and login to the network
using the special 'scholar' account.
- Navigate to: H:\My Documents\janitors\regedit
- Double-click on the .REG file you wish to apply.
- A message box appears, asking you for a confirmation to apply the
changes to the Registry.
- Press [Yes] to confirm the dialogue. The adjustments will be made
to the Registry.
- Depending on the nature of the changed settings in the Registry,
the changes take effect immediately, after logout and subsequent
login or even after the next (re)boot.
NOTICE:
You can also apply these changes by executing REGEDIT.EXE from the
command line or via Start | Run and specifying the name of the .REG
file as a parameter, e.g. REGEDIT PWDCACHE.REG. If you add the
command line switch /S (for 'silent') the change is applied without
asking for confirmation. This can be handy when used from a .BAT
file.
It is very convenient to prepare a few .REG
files that
can be applied to the profiles of the various groups of users in order
to enforce policies. We recognise the following four policies.
- ZERO.REG: This policy applies to the default user. This user has the
least privileges of all.
- NEST.REG: This policy applies to the nest accounts, i.e. the accounts
the pupils use to access the network. They have slightly more
privileges compared to the default user.
- TEACHER.REG: This policy applies to the accounts of staff members,
notably teachers. Teachers, too, have limited privileges, though more
than their pupils.
- JANITOR.REG: This policy does not limit privileges in any way. It is
equivalent to the default Windows 98 'one-size-fits-all' policy.
These four different policies consist of a number of registry
keys. The keys are the same for all four variations. The values can be
different. This makes it easy to use one of the four as the basis for
the others.
You can create these files using any plain ASCII editor, e.g.
NOTEPAD.EXE or EDIT.COM on the workstation.
NOTICE:
You can also create these files on the server using nano(1) or
vi(1). Note that you have to make sure that the editor adds both a
Carriage Return and a Line Feed at the end of every line: the
DOS-convention for indicating an end of line. REGEDIT.EXE may have
trouble importing Unix-type files, with a bare Line Feed at the end
of a line.
Below is an example of the most restrictive policy, ZERO.REG, and the
corresponding explanation. The differences between the four policies
are detailed in the next section.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoAddPrinter"=dword:00000001
"NoDeletePrinter"=dword:00000001
"NoDrives"=dword:03FFFFFF
"NoDriveTypeAutoRun"=hex:B5,00,00,00
"NoFind"=dword:00000001
"NoNetHood"=dword:00000001
"NoRun"=dword:00000001
"NoSaveSettings"=dword:00000001
"NoSetFolders"=dword:00000001
"NoSetTaskbar"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"NoNetSetup"=dword:00000001
"NoNetSetupIDPage"=dword:00000001
"NoNetSetupSecurityPage"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"=""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoAdminPage"=dword:00000001
"NoConfigPage"=dword:00000001
"NoDevMgrPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
"NoDispBackgroundPage"=dword:00000001
"NoDispCPL"=dword:00000001
"NoDispScrSavPage"=dword:00000001
"NoDispSettingsPage"=dword:00000001
"NoFileSysPage"=dword:00000001
"NoProfilePage"=dword:00000001
"NoPwdPage"=dword:00000001
"NoSecCPL"=dword:00000001
"NoVirtMemPage"=dword:00000001
[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\WINDOWS\SETUP.BMP"
[HKEY_CURRENT_USER\Control Panel\Colors]
"Background"="255 255 255"
NOTICE:
The text between the square brackets identifies the exact location
(sometimes called a "cell") within the Registry of the
key-value-pairs that follow. This is comparable with a directory in a
regular file system. Using the same analogy, keys are comparable to
files and the values correspond to the contents of those files. The
keys have an associated data type, often a double word (32-bit
number), identified by dword. Quoted strings are also very common.
Explanation:
- REGEDIT4: This keyword indicates that the file can be imported into
the Registry. This word should appear at the very first line of the
file. It should be separated from the remainder of the file by an
empty line.
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- NoAddPrinter: Removes the Add Printer option
from the Start menu and from the Printers folder. Also, users
cannot add printers by dragging a printer icon into the Printers
folder.
- NoDeletePrinter: Prevents users from using
the Printers folder to delete local and network printers.
- NoDrives: Removes the icons representing selected drives from My
Computer and from Windows Explorer. Also, the drive letters
representing the selected drives do not appear in the standard Open
dialogue box. The mapping between drives and individual bits in this
value is discussed in detail in section 4. Calculating the NoDrives
registry setting in Appendix C. Worksheets. Here are some commonly
used values:
  03FFFFFF - suppress all drive letters
  03FFFB7F - suppress all drive letters except K: and H:
  03FFFB76 - suppress all drive letters except K:, H:, D: and A:
  03DFFB72 - suppress all drive letters except V:, K:, H:, D:, C: and A:
  00000000 - suppress no drive letters at all.
- NoDriveTypeAutoRun: Disables the Autoplay feature on all drives of
the type specified in this bitmapped value. Autoplay begins reading
from a drive as soon as media is inserted in the drive. As a result,
the setup file of a program or the sound on audio media starts
immediately. A full explanation can be found in section 5.
Calculating the NoDriveTypeAutoRun registry setting in Appendix C.
Worksheets. By changing the value from 95,00,00,00 (the Windows
default) into B5,00,00,00, we disable the Autoplay function for
CD-ROMs. This includes both the physical CD-ROM in drive D: and the
virtual CD-ROM in drive K:.
- NoFind: Removes or disables selected search
features. When the value of this entry is 1, the following
features are removed or disabled; when the value is 0, these
features operate normally:
- The Search item is removed from the Start menu and from
the context menu that appears when you right-click the
Start button.
- The system does not respond when users press F3 or the
Application key+F (the Application key has the Windows
logo).
- In Windows Explorer, the Search item still appears on the
Standard Buttons toolbar, but the system does not respond
when the user presses CTRL+F.
- In Windows Explorer, the Search item does not appear in
the context menu when you right-click an icon representing
a drive or a folder.
- NoNetHood: Removes the Network Neighbourhood
icon from the desktop.
- NoRun: Removes the Run command from the Start
Menu and removes the New Task (Run) command from Task
Manager. Also, users with extended keyboards can no longer display
the Run dialogue box by pressing the Application key (the key with
the Windows logo) + R.
- NoSaveSettings: Prevents users from saving
certain changes to the desktop. Users can change the desktop, but some
changes, such as the positions of open windows or the size and
position of the taskbar, are not saved when users log off. Shortcuts
placed on the desktop are always saved.
- NoSetFolders: Prevents Control Panel,
Printers, and Network and Dial-up Connections from running,
and removes the corresponding menu items.
- NoSetTaskbar: This restriction removes
the Taskbar and Start Menu item from the Control Panel, and it
also removes the Properties item from the Start menu context
menu.
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
- NoNetSetup: Enabling this option disables
access to the Network Control Panel icon.
- NoNetSetupIDPage: The Network Identification page includes options
to set the Computer Name, Workgroup and Description. Enabling this
option disables access to the Network ID page.
- NoNetSetupSecurityPage: The Access Control page defines whether the
computer supports User-Level access or Share-Level access. Enabling
this option removes access to the Access Control page.
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
- Start Page: Sets the start page of the Internet Explorer browser.
By default the ServerAtSchool server is (also) known as
server.exemplum.serveratschool.net or simply server. Therefore
http://server/ is a good choice.
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
- NoAdminPage: Enabling this option stops users from being able to
change the remote administration settings for the computer.
- NoConfigPage: This setting when enabled hides
the Hardware Profiles page from the System icon on the Control
Panel.
- NoDevMgrPage: This setting controls whether
the Device Manager is visible, under System in the Control Panel.
- NoDispAppearancePage: Removes the Appearance tab
from Display in Control Panel. As a result, users cannot use the
Display program to change the colors or color scheme of the
desktop and windows.
- NoDispBackgroundPage: Removes the Background tab
from Display in Control Panel. As a result, users cannot use the
Display program to change the pattern or wallpaper on the
desktop.
- NoDispCPL: Prevents Display in Control Panel from
running.
- NoDispScrSavPage: Removes the Screen Saver tab
from Display in Control Panel. As a result, users cannot use
Display to add, configure, or change the screen saver.
- NoDispSettingsPage: Removes the Settings tab from
Display in Control Panel. As a result, users cannot use the
Display program to add, configure, or change the display settings
on the computer.
- NoFileSysPage: This option hides the File System
button from the System icon on the Control Panel.
- NoProfilePage: The User Profiles page controls whether all users
share or have separate user profiles. Access to this page can be
disabled by enabling this setting.
- NoPwdPage: When this setting is enabled, users
are no longer able to access the Change Passwords page.
- NoSecCPL: This option disables access to the
Passwords icon on the control panel, therefore stopping users from
changing security related settings.
- NoVirtMemPage: This option hides the Virtual
Memory button from the System icon on the Control Panel.
- [HKEY_CURRENT_USER\Control Panel\Desktop]
- Wallpaper: This option sets the file that is displayed as
background of the Desktop. If no file is specified, the desktop is
filled with the default background colour, see 'Background' below. By
setting the value to say C:\WINDOWS\SETUP.BMP for the default user
(and empty for others) it becomes very easy to see which user is not
logged in, even from a distance. You could also create a .BMP-file
which displays the text 'Not Logged In' in big letters to help users
remember that they should login in order to be able to use the
network resources such as the H: drive and the printers.
- [HKEY_CURRENT_USER\Control Panel\Colors]
- Background: This option sets the default
background colour for the Desktop. This background colour is
visible only when no wallpaper image is defined (see 'Wallpaper'
above). The colour is specified as three numbers in the range from
0 to 255, separated with spaces. The first number is for the
colour red, the second for green and the third one for blue.
Common values are "255 255 255" for all white and
"0 128 128" for the default Windows blue/greenish
background colour.
Below is an overview of recommended policies for the default user
(ZERO.REG), the pupils (NEST.REG), staff members (TEACHER.REG) and
janitors (JANITOR.REG). You can use this table as a starting point
for your own policies.
Overview of recommended policies.

Key                                   ZERO                    NEST              TEACHER           JANITOR
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoAddPrinter"=dword:                 00000001                00000001          00000001          00000000
"NoDeletePrinter"=dword:              00000001                00000001          00000001          00000000
"NoDrives"=dword:                     03FFFFFF                03FFFB7F          03DFFB72          00000000
"NoDriveTypeAutoRun"=hex:             B5,00,00,00             B5,00,00,00       B5,00,00,00       B5,00,00,00
"NoFind"=dword:                       00000001                00000001          00000000          00000000
"NoNetHood"=dword:                    00000001                00000001          00000000          00000000
"NoRun"=dword:                        00000001                00000001          00000000          00000000
"NoSaveSettings"=dword:               00000001                00000001          00000000          00000000
"NoSetFolders"=dword:                 00000001                00000001          00000001          00000000
"NoSetTaskbar"=dword:                 00000001                00000001          00000000          00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"NoNetSetup"=dword:                   00000001                00000001          00000001          00000000
"NoNetSetupIDPage"=dword:             00000001                00000001          00000001          00000000
"NoNetSetupSecurityPage"=dword:       00000001                00000001          00000001          00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"=                         ""                      "http://server/"  "http://server/"  "http://server/"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoAdminPage"=dword:                  00000001                00000001          00000001          00000000
"NoConfigPage"=dword:                 00000001                00000001          00000001          00000000
"NoDevMgrPage"=dword:                 00000001                00000001          00000001          00000000
"NoDispAppearancePage"=dword:         00000001                00000001          00000000          00000000
"NoDispBackgroundPage"=dword:         00000001                00000001          00000000          00000000
"NoDispCPL"=dword:                    00000001                00000001          00000000          00000000
"NoDispScrSavPage"=dword:             00000001                00000001          00000000          00000000
"NoDispSettingsPage"=dword:           00000001                00000001          00000000          00000000
"NoFileSysPage"=dword:                00000001                00000001          00000001          00000000
"NoProfilePage"=dword:                00000001                00000001          00000001          00000000
"NoPwdPage"=dword:                    00000001                00000001          00000000          00000000
"NoSecCPL"=dword:                     00000001                00000001          00000000          00000000
"NoVirtMemPage"=dword:                00000001                00000001          00000001          00000000
[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=                          "C:\WINDOWS\SETUP.BMP"  ""                ""                ""
[HKEY_CURRENT_USER\Control Panel\Colors]
"Background"=                         "255 255 255"           "0 128 128"       "0 128 128"       "0 128 128"

In this section we will prepare a small script and a corresponding
.PIF file that will assist us later on to apply policies to the
personal user settings. This requires a copy of the files ZERO.REG,
NEST.REG, TEACHER.REG and JANITOR.REG on the C: drive, a batch file
called DOSETPOL.BAT and a shortcut on the Desktop that calls the
batch file.
In order to have the various .REG files available at all times, even
when the user is not logged in and hence file shares on the server are
not available, we need to have the files on the local drive.
If you want to copy the .REG files you created in the sections above,
you could take the following steps.
- If necessary (re)boot the workstation and login to the network
using the special 'scholar' account.
- Open a window (using My Computer) and navigate to
C:\WINDOWS\SYSTEM. Do take note of the warnings that it might be
dangerous to change anything in this directory but continue anyway.
- In a new window, navigate to H:\My Documents\janitors\regedit.
- Position the windows in such a way that you can easily access them
both.
- Copy the following files from H:\My Documents\janitors\regedit to
C:\WINDOWS\SYSTEM:
  - ZERO.REG
  - NEST.REG
  - TEACHER.REG
  - JANITOR.REG
- Close both windows.
At this point the prepared files with policies for the various types
of user are copied to the C: drive. These files will become part of
the 'golden image' later on, making it easier to apply the relevant
file whenever a new user is added.
NOTICE:
Choosing the directory C:\WINDOWS\SYSTEM to store these files makes
it less likely that a casual user will accidentally make changes to
the registry by double-clicking these files. A determined user,
however, will have no serious problems with changing the registry
anyway. It is a matter of making it harder rather than making it
impossible. If a pupil is smart enough to take this hurdle and
actually change something, you could consider appointing this pupil
as your Official Helper for Miscellaneous Computer Tasks.
NOTICE:
There are many ways to copy files. The example above is just one
way. You can choose another way to copy files if you wish.
In order to make it easier to apply the various .REG files, a simple
batch file must be constructed. This file should be created in the
directory C:\WINDOWS\COMMAND because this directory is part of the
search path. This will make sure that the batch file can be found
when it needs to be executed. Here is a fully functional example of
this batch file.
@ECHO OFF
REM C:\WINDOWS\COMMAND\DOSETPOL.BAT -- Helper for setting policies
IF NOT EXIST P:\NUL GOTO Farewell
C:\WINDOWS\COMMAND\CHOICE /C:QZNTJ /N Z(ero), N(est), T(eacher), J(anitor) or Q(uit)?
IF ERRORLEVEL == 5 GOTO LabelJ
IF ERRORLEVEL == 4 GOTO LabelT
IF ERRORLEVEL == 3 GOTO LabelN
IF ERRORLEVEL == 2 GOTO LabelZ
IF ERRORLEVEL == 1 GOTO LabelQ
:LabelQ
ECHO Nothing changed
GOTO Byebye
:LabelZ
ECHO ZERO
C:\WINDOWS\REGEDIT /S C:\WINDOWS\SYSTEM\ZERO.REG
GOTO Byebye
:LabelT
ECHO TEACHER
C:\WINDOWS\REGEDIT /S C:\WINDOWS\SYSTEM\TEACHER.REG
GOTO Byebye
:LabelN
ECHO NEST
C:\WINDOWS\REGEDIT /S C:\WINDOWS\SYSTEM\NEST.REG
GOTO Byebye
:LabelJ
ECHO JANITOR
C:\WINDOWS\REGEDIT /S C:\WINDOWS\SYSTEM\JANITOR.REG
GOTO Byebye
:Byebye
ECHO DONE
PAUSE
:Farewell
When this script is executed, it first determines whether the user at
the workstation is currently logged in. This is done by testing for
the existence of the file P:\NUL. DOS thinks this file exists if
drive P: exists (see notice below). This drive only exists when a
user is logged in. If DOS thinks this file does not exist, and hence
we must conclude that this drive does not exist, the remainder of the
script is skipped altogether. The effect is that it looks like
nothing happens. This situation occurs when no user is logged in,
i.e. the user hit the [Esc] key or pressed [Cancel] in the network
logon dialogue. This user may be able to execute the script, but it
will simply do nothing.
If the file P:\NUL does exist, the script continues with prompting
the user for a choice (using C:\WINDOWS\COMMAND\CHOICE.COM). Valid
choices are: 'Q', 'Z', 'N', 'T' and 'J'. Depending on the choice the
user makes, indicated via the error level, processing continues at
one of the labels 'LabelQ', 'LabelZ', 'LabelN', 'LabelT' or 'LabelJ'.
For option 'Q', nothing happens. This can be used to bail out. The
other four options each print a message on the screen and
subsequently apply exactly one of the .REG files to the registry.
After processing is complete, the message 'DONE' is written to the
screen and the script waits until the famous AnyKey is pressed (due
to the command PAUSE).
NOTICE:
It is important that the order of the options (the letters 'Q', 'Z',
'N', 'T', 'J' in the /C parameter) corresponds with the error
levels. I.e., when you add a sixth letter/option to the list, you
should insert the test for errorlevel 6 before the test for
errorlevel 5.
NOTICE:
The check for the file P:\NUL stems from the old DOS-days. This trick
still works in Windows 98. Every name of a built-in device such as
NUL exists in every directory, unless the directory itself (or the
corresponding drive) does not exist. This phenomenon can be used to
check for the existence of directories and also for the presence of a
particular drive without having to know the name of an existing file
on the drive.
Once you would apply the file ZERO.REG containing the recommended
settings (see 2.3 Recommended policies) to the Registry, it suddenly
would become impossible to run commands or browse the local C: drive
(see the explanations for NoRun and NoDrives in section 2.2 Preparing
policies). Note that NoRun takes effect immediately even though the
option is still visible in the Start Menu. However, double clicking
on shortcuts is still allowed. Therefore we will be preparing a
special shortcut for the batch file before ZERO.REG will be
applied. This way we allow ourselves access to the policies, even
after NoRun is already active, after applying ZERO.REG. Note that
ZERO.REG will be applied shortly, in section 3.3 Establishing the
environment for the default user below.
If you want to create a shortcut to DOSETPOL.BAT, you should take the
following steps.
- On the desktop area right-click the mouse. A popup menu appears.
- Navigate to: New | Shortcut. The 'Create Shortcut' dialogue appears.
- In the field 'Command Line' enter: DOSETPOL.BAT.
- Press [Next] to confirm the dialogue. The 'Select a Title for the
Program' dialogue appears.
- Accept the default name for the shortcut ('Dosetpol'). Press
[Next] to confirm the dialogue. The 'Select an Icon' dialogue appears.
- Select an icon from the icon collection that is displayed.
The picture of a traffic light seems appropriate because, in a way,
applying these policies (denying or allowing access) resembles traffic
control. Press [Finish] to confirm the dialogue.
- The Desktop reappears. A new shortcut called 'Dosetpol' is added
to the Desktop.
- Right-click on the new icon. A popup menu appears.
- Select 'Properties' from the popup menu. The 'Dosetpol Properties'
dialogue appears.
- Navigate to the 'Program' tab and check the box labeled 'Close on
exit'.
- Confirm the dialogue by pressing [OK].
- The Desktop reappears.
At this point there is a shortcut to the batch file. This shortcut
can be used to execute the batch file that was created in the previous
section. We will be using this shortcut whenever a new user account is
inaugurated.
After installing all the educational software in chapter
VII. Installing educational software both the Desktop and the Start
Menu are filled with many shortcuts, including the shortcut
'Dosetpol' created in the previous section. It is a good idea to make
sure that none of these shortcuts are lost. We will need the shortcut
files (*.LNK and *.PIF) later on when we will be assigning shortcuts
to individual users. When we are trimming down the privileges of the
default user (see section 3.3 Establishing the environment for the
default user below) we will be removing all shortcuts for this
default user, except the 'Dosetpol' shortcut. Now is the last chance
to save the shortcuts!
In order to make a copy of all available shortcuts you should take the
following steps.
- If necessary (re)boot the workstation and login to the network
using the special 'scholar' account.
- Navigate to: My Documents | janitors | shortcuts.
- Create a new directory 'all' here. Descend into this new
directory, e.g. by double-clicking it and leave the directory open.
- Right-click on the Start button. A drop down menu appears.
- Click on 'Explore'. An Explorer window with two panes opens. The left hand
pane shows a directory tree, the right hand pane shows the
contents of the Start Menu.
- Re-arrange the positions of the 'all' window and the 'Explorer'
window in such a way that you can easily access both.
- Now drag the whole Start Menu from the left hand pane in Explorer
to the new directory you just created, using the right-hand mouse
button.
- Release the right-hand mouse button and select 'Copy Here'. The
complete Start Menu will be copied.
- Now return to the Explorer pane which shows the directory tree.
- Navigate to the directory called 'Desktop'.
- Repeat the procedure and copy Desktop to the new directory too.
- Navigate to the directory called 'All Users'.
- Repeat the procedure and copy All Users to the new directory too.
- Close both windows.
At this point you have made a copy of all available shortcuts
- from the Desktop of the default user;
- from the Start Menu of the default user;
- from the Desktop and Start Menu of All users.
We will sort these out in chapter IX. Shortcuts, desktops and start menus.
At this point all preparations have been made for smooth transition to
roaming profiles. In this section we will perform the following
actions. First we will 'flip the switch' and enable personal profiles
for all users on this machine. This involves rebooting the
computer.
After that we will create the profile for the special 'scholar'
account and perhaps do the same for the other members of the 'janitor'
group. Then we will 'login' as the default user, do a thorough cleanup
and strip the Desktop and the Start Menu (i.e. removing nearly
all shortcuts). After that the ZERO.REG
policy
is applied. At that point the workstation is ready for the final
'golden image'.
The big moment is finally there. The roaming profiles are on the verge
of being enabled. Did you make a 'milestone image' recently?
If you want to enable roaming profiles on this workstation, you should
take the following steps.
- If necessary, completely shutdown the computer. This makes certain
that profiles will be enabled in a clean, uncluttered manner.
- Start the workstation. After a while the 'Enter Network Password'
dialogue appears.
- Do not logon to the network but instead press the
[Esc]
key or the [Cancel] button.
- Navigate to: Start | Settings | Control Panel | Passwords. The
'Password Properties' dialogue appears.
- Switch to the tab 'User Profiles'. Note that the option 'All users of
this computer use the same preferences and desktop settings' is
selected and that the two check boxes in the frame 'User profile
settings' at the bottom of the dialogue are grayed out.
- Select the option 'Users can customize their preferences and desktop
settings. Windows switches to your personal settings when you log
on'. Note that the 'User profile settings' frame is no longer
grayed out.
- In the frame 'User profile settings' make sure both 'Include desktop
icons and Network Neighbourhood contents in the user settings' and
'Include Start menu and Program groups in user settings' are checked.
- Confirm the dialogue by pressing [OK]. The 'System Settings Change'
dialogue appears.
- Press [Yes] to confirm the dialogue. The workstation will reboot
itself. This may take some time.
- Eventually the 'Enter Network Password' dialogue appears.
At this point personal user profiles are enabled for this workstation.
Until now all user settings and shortcuts were stored on the local
drive C: of the workstation. Now that the personal profiles are
enabled every user has to get their own profile. Such a fresh profile
is patterned after the profile of the default user. At this moment
the profile of the default user is still the same as it was directly
before the personal profiles were enabled.
It is very convenient to keep this profile, for future reference. The
best account to use is the 'scholar' account. The purpose of this
account is to have a 'clean' account that is solely used for the
purpose of installing (educational) software. It seems only natural to
keep all shortcuts and settings in the roaming profile of this
particular account.
It can be efficient for other selected users to have a profile
that is already filled with most if not all available
shortcuts. Suitable accounts would be the accounts of the members of
the predefined group 'janitors'. In the Exemplum Primary School there
are two other members of the group 'janitors': the local systems
administrator Freddie Frinton (userid 'ffrint') and the ICT coordinator
Amelia Cackle (userid 'acackl'). Even though it is not
necessary to let these two janitors have all available
shortcuts it can be very handy. On the other hand: it is not a good
idea to give everyone (including staff members) access to
everything.
If you want to create a 'filled' profile for the 'scholar' account,
you should take the following steps.
- Make sure the 'Enter Network Password' dialogue is displayed.
- Logon to the network using the special 'scholar' account.
- After a while the 'Windows Networking' dialogue is displayed. It
prompts you with the following question: "You have not logged
on at this computer before. Would you like this computer to
retain your individual settings for use when you log on here in
the future?". This is a somewhat strange choice of words. It
means: "You have not yet established a personal
profile on this computer. Do you want to establish such a
profile?" Press [Yes] to confirm the dialogue.
- The 'Creating User Profile' dialogue appears briefly. A blue
progress bar indicates that some files are being copied from the
server to the workstation, into the directory
C:\WINDOWS\Profiles\scholar
.
- After a while the Desktop appears. It looks exactly the same as
before, as it should.
- (optional) Apply the relevant policy for this user account using
the shortcut 'Dosetpol' that was created in section
2.4 Setting policies with DOSETPOL.BAT
above. See notice below.
- Navigate to: Start | Log Off Scholar. The 'Log Off Windows' dialogue
appears.
- Press [Yes] to confirm the dialogue. Once again the dialogue 'Creating
User Profile' is displayed briefly and again a blue
progress bar indicates that some files are being copied, this time
in the opposite direction, from the workstation to the server.
- After a while the 'Enter Network Password' dialogue is displayed.
At this point the personal profile for user account 'scholar' has been
established. The next time this account logs on to the network, the
settings for the account will be copied from the server to the
workstation. This includes all the shortcuts that are part of the
personal profile. Any changes to the profile are copied back to the
server after logout. Note that these changes do not affect
other users' settings.
If you want to quickly fill the personal profile for the local systems
administrator and the ICT coordinator too, you should repeat the
procedure outlined above for both accounts.
NOTICE:
At this point it is possible that no policies have been applied to the
account 'scholar' and, if you created their profiles as well, to
'ffrint' (the local systems administrator at the Exemplum Primary
School) and 'acackl' (the ICT coordinator); see the optional step
above. You can always apply these policies later on, if you wish. Make
sure, however, that you do not apply the restrictive ZERO.REG to your
own account or to that of the 'scholar' user: it makes working on the
computer very hard when you need to perform administrative tasks such
as installing more (educational) software.
At this point all shortcuts have been copied at least once (see
section 2.5 Keeping shortcuts in a safe place). Furthermore, the
special 'scholar' account also has a copy of almost all the available
shortcuts, in H:\.profile\Desktop and H:\.profile\Start Menu. Even
more copies may exist in the profiles for the local systems
administrator ('ffrint') and the ICT coordinator ('acackl'). Now it is
time to remove almost all shortcuts from the personal environment of
the default user. Also, now is the right time to enforce the
restrictive ZERO.REG policy for the default user.
Please take the following steps.
- If necessary (re)boot the workstation. After a while the 'Enter
Network Password' dialogue appears.
- Do not logon to the network but instead press the
[Esc]
key or the [Cancel] button.
- Clean up any superfluous files using the procedure outlined
in section 11.3 Cleaning up
in chapter IV. Workstation
setup. It is very important to clean up the profile of the
default user because it will be the basis for the profile of every
new user. You should at least get rid of
- Cookies,
- Recent files,
- Temporary Internet Files.
This is the last chance for an easy but thorough cleanup.
- Right-click on the Start button. A drop down menu appears.
- Click on 'Explore'. An Explorer window with two panes opens. The left hand
pane shows a directory tree, the right hand pane shows the
contents of the Start Menu.
- In the right hand pane do the following:
- Delete any shortcuts in the Start Menu directory,
possibly the 'Windows Update' shortcuts, perhaps others as
well. Do not delete the directory 'Programs'!
- Descend into 'Programs', e.g. by double clicking.
- Delete everything within this directory except the directory
'StartUp', e.g. by selecting an item and hitting the
[Del]
key.
- Descend into 'StartUp', e.g. by double clicking.
- Delete everything within this directory too.
- Now use the left hand pane to return to the Start Menu by
selecting it. The right hand pane now shows the contents of the
Start Menu consisting of a single subdirectory 'Programs'.
- On the Desktop locate the shortcut called 'Dosetpol' (created in section 2.4 Setting policies with
DOSETPOL.BAT). Move (not copy) this icon to the right
hand pane, into the Start Menu directory.
- In the left hand pane, navigate to the directory 'Desktop'. The
right hand pane shows the contents of the Desktop.
- In the right hand pane do the following:
- Select everything, e.g. by hitting
[Ctrl-A]
or
via the menu Edit | Select All.
- Delete the selected items by hitting
[Del]
.
- Close the window. The (nearly empty) Desktop appears.
- The Desktop should only contain the following items.
- My Computer
- My Documents
- Network Neighbourhood
- Recycle Bin
All other items should be deleted. This includes the
shortcut to DAEMON Tools and other shortcuts. All these shortcuts
originate from the 'All Users' directory discussed earlier. Delete
these remaining shortcuts, e.g. by selecting them and hitting the
[Del]
key.
- (optional) You may want to remove any shortcuts from the Quick
Launch bar but please do keep the icon 'Show Desktop'.
- Empty the Recycle Bin by rightclicking on the icon and selecting
the appropriate option from the popup menu. This removes all items
that were deleted in the previous steps.
- Apply the
ZERO.REG
policy, e.g. by double clicking the file
C:\WINDOWS\SYSTEM\ZERO.REG
. Note that in this case
navigating to Start | Dosetpol will not work because the default
user is not logged in and hence the DOSETPOL.BAT
script will do nothing.
- Shutdown the workstation, e.g. by navigating to: Start | Shut Down
| Shut Down. Confirm the dialogue by pressing [OK]. The workstation
will be shut down.
- If necessary, switch off the workstation.
At this point the environment for the default user has been
established. The workstation has been switched off, preventing
accidental changes to this workstation. The final step is to create
the ultimate 'golden image' with g4u.
At this point the workstation is ready for creation of the 'golden
image'. The environment for the default user has been restricted as
much as possible, temporary files and other cruft has been removed.
If you want to create the 'golden image' you should take the following
steps.
- (optional) If you want to keep your documentation up-to-date, you
may want to take the following steps.
- Restart the workstation and logon using the special 'scholar'
account.
- Update the file C:\CONTENTS.TXT and make a note about the golden
image that will be created shortly (see section 5.1 Documenting your
work in chapter IV. Workstation setup).
- For the last time process the file
H:\My
Documents\janitors\regedit\USERNAME.REG
(see section 2.1.2 USERNAME.REG or LASTUSER.REG above).
- Shutdown the computer.
- Restart the workstation with the g4u floppy.
- Create the golden image using the procedure outlined in section
5. Creating an image of a workstation in chapter
V. Managing disk images with ghost for unix.
At this point you have created the golden image for this
workstation. The image is now ready to be distributed to all the other
workstations.
Every user has to have their own profile. This profile is created
automatically whenever the user logs on to the network for the first
time. The basis for the profile of the new user is the profile of the
default user. In the previous section we did our best to restrict the
profile of the default user as much as possible. We did this by
removing all shortcuts from Desktop and Start Menu and also by
applying the Registry settings from ZERO.REG.
The effect is that any new user that logs in and out for the first
time gets a fairly restricted profile. These restrictions can
selectively be lifted by applying one of the other files to the
Registry, e.g. NEST.REG
, TEACHER.REG
or even
JANITOR.REG
. The procedure to do this for all users is
discussed in section 5.1 Applying the proper
policy below.
The changes from these .REG
files eventually end up in
the user's USER.DAT
. Section 5.2 Locking
user profiles discusses how a user profile can be locked, i.e. the
user itself can not change any setting in the profile at all. This
feature can be very effective for nests (pupils). Some staff members
could also benefit from a locked profile because it prevents
accidental changes to the profile or deletion of shortcuts. That can
make life easier for the local systems administrator.
If you want to establish a profile for a new user, you should take the
following steps.
- (optional) (Re)boot the workstation.
- After a while the 'Enter Network Password' dialogue appears.
- Logon to the network, using the new user's userid and the new
user's password.
- After a while the 'Windows Networking' dialogue is displayed. It
prompts you with the following question: "You have not logged
on at this computer before. Would you like this computer to
retain your individual settings for use when you log on here in
the future?". This is a somewhat strange choice of words. It
means: "You have not yet established a personal
profile on this computer. Do you want to establish such a
profile?" Press [Yes] to confirm the dialogue.
- The 'Creating User Profile' dialogue appears briefly. A blue
progress bar indicates that some files are being copied from the
server to the workstation, into a directory under
C:\WINDOWS\Profiles
. This directory has the same name
as the userid of the new user.
- After a while the Desktop appears. It looks exactly the same as
the Desktop for the default user.
- Apply the relevant policy for this user account using
the shortcut 'Dosetpol'. Note that this shortcut for 'Dosetpol'
was added at the top of the Start Menu in section
3.3 Establishing the environment for the default
user. You can start this script by navigating to: Start |
Dosetpol.
- Open the Start Menu once again. Rightclick on the 'Dosetpol'
shortcut. A popup menu appears.
- Select 'Delete' from the popup menu in order to remove the
shortcut from this user's Start Menu. It is no longer needed.
- Empty the Recycle Bin. This makes sure that this user can not
restore this shortcut later on.
- Navigate to: Start | Log Off userid. The 'Log Off
Windows' dialogue appears.
- Press [Yes] to confirm the dialogue. Once again the dialogue 'Creating
User Profile' is displayed briefly and again a blue
progress bar indicates that some files are being copied, this time
in the opposite direction, from the workstation to the server.
- After a while the 'Enter Network Password' dialogue is displayed
again.
At this point a single profile, including the correct policy, is
established for the new user. This procedure needs to be repeated for
every new user.
After establishing the profile and applying the policy, the Desktop and
the Start Menu of the new user have to be populated. This is discussed
in the chapter IX. Shortcuts, desktops and
start menus.
NOTICE:
If you, in your role of local systems administrator, do not logon at
least once with every new userid, a new user will end up with the
restricted profile of the default user after her first logon and
logoff. That is good. However, that profile still contains the
'Dosetpol' shortcut at the top of the Start Menu, and by running it the
new user can grant herself janitor privileges. That probably is not
good. By logging on yourself for the very first time with the new
account, applying the policy and removing the shortcut, you make sure
that the profile is established and the shortcut is gone by the time
the actual user logs on for the first time. As an added bonus you can
make sure that there are no typing errors or other mistakes in the
password that was assigned to this new user; you have checked it
yourself by successfully logging on the first time.
At this point every user now has her personal profile in a USER.DAT
file on the server. However, when a user modifies her Desktop or
installs software and adds an extra shortcut on the desktop or in the
Start Menu, these changes are also copied to the server when she logs
off. This may or may not be a problem.
For some users it might be a good idea to lock the profile, i.e. make
it impossible for these users to change their own settings in their
own USER.DAT
. The 'official' way to lock a profile
consists of two steps.
- The file
USER.DAT
on the server must be renamed to
USER.MAN
('MAN' is short for 'Mandatory').
- The file permissions for USER.MAN must be changed to read-only.
In the current version of ServerAtSchool the changes to the
USER.DAT
/USER.MAN
files are made via the
command line on the server. You can change the status of a user
profile from 'unlocked' to 'locked' and vice versa with the following
one-liner at the root prompt (illustrated using the accounts
for 'grade7' and 'grade8'). Note that your input is emphasised.
[root@praeceptor root]# cd /home/userdata/home/users ; \
> for u in grade7 grade8; do \
> mv $u/H/.profile/USER.DAT $u/H/.profile/USER.MAN ; \
> chmod 0440 $u/H/.profile/USER.MAN ; \
> done
[root@praeceptor users]# _
This one-liner (which is displayed on multiple lines for layout
reasons) iterates through a list of userids (here a list of two:
grade7 and grade8) and changes the name of the file USER.DAT in the
subdirectory H/.profile to USER.MAN using mv(1) and subsequently sets
the permissions of the renamed file to read-only for the owner and the
group of the file with chmod(1). Both steps are needed: the name tells
Windows that the profile is mandatory, and the permissions stop the
user from editing the file directly via the H: drive.
These changes together are enough to lock the profiles of grade7 and
grade8.
The profiles can be unlocked again by using the following one-liner.
[root@praeceptor root]# cd /home/userdata/home/users ; \
> for u in grade7 grade8; do \
> mv $u/H/.profile/USER.MAN $u/H/.profile/USER.DAT ; \
> chmod 0660 $u/H/.profile/USER.DAT ; \
> done
[root@praeceptor users]# _
This reverses the actions performed when locking the profile: the file
is renamed to USER.DAT
and both read and write
permissions are granted to owner and group of the file.
If there are many profiles that need to be locked or unlocked or when
profiles need to be locked or unlocked more than a few times, it may
be efficient to create a small helper script that contains both
one-liners. Such a script, say /usr/sbin/userdat
,
might look like this.
#!/bin/bash
# /usr/sbin/userdat -- lock or unlock windows profiles for user accounts
PROG="$(/bin/basename "$0")"
USAGE="usage: $PROG [ -L | -U ] userid [userid ...]"
if [ "$1" == "-L" ]; then
    # lock: USER.DAT becomes USER.MAN, readable only by owner and group
    OLDNAME="USER.DAT"
    NEWNAME="USER.MAN"
    PERMISSIONS="0440"
    shift
elif [ "$1" == "-U" ]; then
    # unlock: USER.MAN becomes USER.DAT again, writable by owner and group
    OLDNAME="USER.MAN"
    NEWNAME="USER.DAT"
    PERMISSIONS="0660"
    shift
else
    echo "$USAGE" >&2
    exit 1
fi
if [ -z "$1" ]; then
    echo "$USAGE" >&2
    exit 1
fi
STATUS=0
while [ -n "$1" ]; do
    OLDPATH="/home/userdata/home/users/$1/H/.profile/$OLDNAME"
    NEWPATH="/home/userdata/home/users/$1/H/.profile/$NEWNAME"
    echo -n "$1: "
    if [ -e "$OLDPATH" ]; then
        if /bin/mv "$OLDPATH" "$NEWPATH"; then
            echo -n "$OLDNAME renamed, "
        else
            echo -n "$PROG: could not rename '$OLDPATH', "
            STATUS=1
        fi
    else
        echo -n "$PROG: '$OLDPATH' not found; no file renamed, "
    fi
    # set the permissions even if the file was already renamed earlier
    if [ -e "$NEWPATH" ]; then
        if /bin/chmod "$PERMISSIONS" "$NEWPATH"; then
            echo "permissions changed"
        else
            echo "$PROG: could not change permissions of '$NEWPATH'"
            STATUS=1
        fi
    else
        echo "$PROG: '$NEWPATH' not found; no permissions changed"
        STATUS=1
    fi
    shift
done
exit $STATUS
This script should be called with the switch -L for 'lock' or the
switch -U for 'unlock' as the first parameter, followed by a list of
userids that need to be locked or unlocked. This way locking the
profiles of grade12, grade3, ..., grade8 can be done with a single
command as illustrated below. Again, your input is emphasised.
[root@praeceptor root]# userdat -L grade12 grade3 grade4 grade5 grade6 grade7 grade8
grade12: USER.DAT renamed, permissions changed
grade3: USER.DAT renamed, permissions changed
grade4: USER.DAT renamed, permissions changed
grade5: USER.DAT renamed, permissions changed
grade6: USER.DAT renamed, permissions changed
grade7: USER.DAT renamed, permissions changed
grade8: USER.DAT renamed, permissions changed
[root@praeceptor root]# _
NOTICE:
You can use the automatic filename expansion of the bash shell to your
advantage by changing to the directory /home/userdata/home/users and
subsequently locking the profiles of all nests (grades) with the single
command userdat -L grade*. In the same manner you could lock all
accounts with userdat -L *. Be aware that the latter also matches the
'scholar' account, the other members of the group 'janitors' and your
own account. Changes made during a session with a locked profile are
not saved back to the server, including the shortcuts you add while
installing software, so lock the janitors' profiles only if that is
really what you want.
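The locking procedure above only works when two things hold at the same time: the file is called USER.MAN and it is not writable. A profile that was renamed but left at 0660, or a profile directory that holds both files after an interrupted run, is not really locked. The script below is an added example, not one of the ServerAtSchool tools; it reports the state of every account under the users directory. It assumes the directory layout used in the one-liners above and GNU stat (for the -c option); the function and state names (LOCKED, LOCKED-BUT-WRITABLE, UNLOCKED, BOTH, NONE) are my own.

```shell
#!/bin/sh
# Added example (not part of ServerAtSchool): report whether the roaming
# profile of each account is locked (USER.MAN, not writable), unlocked
# (USER.DAT), locked in name only (USER.MAN but still writable), or in an
# odd state (both files, or no profile at all). Assumes the layout
#   <base>/<userid>/H/.profile/USER.DAT|USER.MAN
# used in the one-liners above, and GNU stat for the -c option.

# mode_is_writable MODE: succeed if the octal mode string has any write
# bit set for owner, group or other (digits 2, 3, 6 or 7).
mode_is_writable() {
    m="$1"
    m=${m#"${m%???}"}          # keep the last three octal digits
    case "$m" in
        *[2367]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# profile_state DIR: print the state of the profile directory DIR.
profile_state() {
    dat="$1/USER.DAT"
    man="$1/USER.MAN"
    if [ -e "$dat" ] && [ -e "$man" ]; then
        echo BOTH                      # ambiguous; remove one of the two
    elif [ -e "$man" ]; then
        if mode_is_writable "$(stat -c '%a' "$man")"; then
            echo LOCKED-BUT-WRITABLE   # renamed, but the chmod was skipped
        else
            echo LOCKED
        fi
    elif [ -e "$dat" ]; then
        echo UNLOCKED
    else
        echo NONE                      # no profile yet for this account
    fi
}

# profile_lock_status BASE: one line "userid: STATE" per account under BASE.
profile_lock_status() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        printf '%s: %s\n' "$(basename "$d")" "$(profile_state "${d}H/.profile")"
    done
}

# Usage: sh profile_lock_status.sh /home/userdata/home/users
if [ -n "${1:-}" ]; then
    profile_lock_status "$1"
fi
```

Run it after every lock or unlock round and look for anything other than LOCKED or UNLOCKED: LOCKED-BUT-WRITABLE means the user can still edit USER.MAN through the H: drive, and BOTH means the next logon may pick up a profile you did not intend.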
In section 5. Inaugurating new user accounts you had
to login with every user account in order to establish personal
profiles for everyone. For this you need to know the correct
combination of userid and password for every user.
If you used the default settings in chapter III. Janitor, all the nest accounts are
allowed to access the network without specifying a password because of
the special value NO PASSWORD
that was specified as the
SMB password for those users. That makes it very easy to logon and
logoff with these userids.
Things are different for staff members. In section 5.7 Adding Multiple user accounts in
chapter III. Janitor you have created a
batch input file called staff.in
which was used to add
the various accounts for teachers and other staff members. If you have
retained that file you can now re-use it and create individual letters
with the pertinent information for all staff members without having to
retype anything. You can use these 'password letters' to inform your
users about their userid and passwords.
You could also use a one-liner to extract userids and SMB passwords
from staff.in
in a handy list. You could use this list
while logging on and off once with every userid.
The file staff.in
looked like this.
acackl:::Amelia Cackle::/bin/bash:programs,teleworkers,staff,principals,janitors:gN8OKrK1:waavaegh::amelia.cackle:0.0.0.0/0
adumbl:::Albus Dumbledore::/bin/bash:programs,teleworkers,staff,principals:jrNgtGyP:uaxefiko::albus.dumbledore:0.0.0.0/0
hgronb:::Honorine Hermelin Gronbech::/bin/bash:programs,teleworkers,staff,faculty:UAPjJ6bn:iekufaid::honorine.gronbech:0.0.0.0/0
aschur:::Anna Maria van Schurman::/bin/bash:programs,teleworkers,staff,faculty:PoVRLubL:metheese::annamaria.vanschurman:0.0.0.0/0
mastel:::Mary Astell::/bin/bash:programs,teleworkers,staff,faculty:H6JmE006:eehohdea::mary.astell:0.0.0.0/0
wblade:::Wilhelmina Bladergroen::/bin/bash:programs,teleworkers,staff,faculty:jpvnJIgb:eezuveek::wilhelmina.bladergroen:0.0.0.0/0
mmonte:::Maria Montessori::/bin/bash:programs,teleworkers,staff,faculty,healthcare:k6aVkNSu:jiesooli::maria.montessori:0.0.0.0/0
hparkh:::Helen Parkhurst::/bin/bash:programs,teleworkers,staff,faculty,healthcare:wWITa4ye:ahgiesah::helen.parkhurst:0.0.0.0/0
odecro:::Ovide Decroly::/bin/bash:programs,teleworkers,staff,faculty:j3m1odN5:ohngiegu::ovide.decroly:0.0.0.0/0
lvygot:::Lev Vygotsky::/bin/bash:programs,teleworkers,staff,faculty,healthcare:3XtMaKjX:hoofahni::lev.vygotsky:0.0.0.0/0
ppeter:::Peter Petersen::/bin/bash:programs,teleworkers,staff,faculty:dYa34K7Z:eeteeyoo::peter.petersen:0.0.0.0/0
cfrein:::Celestin Freinet::/bin/bash:programs,teleworkers,staff,faculty:1jvGRsa5:aeghicae::celestin.freinet:0.0.0.0/0
bskinn:::Burrhus Frederic Skinner::/bin/bash:programs,teleworkers,staff,faculty:coNnLV9V:icheiwoi::burrhus.skinner:0.0.0.0/0
pfreir:::Paolo Freire::/bin/bash:programs,teleworkers,staff,faculty:2jgtjRBs:iewohsho::paolo.freire:0.0.0.0/0
iillic:::Ivan Illich::/bin/bash:programs,teleworkers,staff,faculty:h1x1ahto:dusuvagi::ivan.illich:0.0.0.0/0
This file is in the standard batch import format as discussed in
section 5.7.1 File format for batch processing in chapter III.
Janitor. Note that in this file the first field contains the userid,
the fourth field contains the full name of the staff member and the
ninth field holds the SMB password (the eighth field holds the e-mail
and teleworking password). The following one-liner extracts these
fields from the file staff.in and stores the output in a file called
staff.txt. This file is subsequently printed using lpr(1). Once again
your input is emphasised in the illustration below.
[root@praeceptor root]# cut -f1,4,9 -d: < staff.in > staff.txt
[root@praeceptor root]# lpr -P laserjet staff.txt
[root@praeceptor root]# _
Use man cut
to learn what is happening here.
The output on the printer will look like the list shown below.
acackl:Amelia Cackle:waavaegh
adumbl:Albus Dumbledore:uaxefiko
hgronb:Honorine Hermelin Gronbech:iekufaid
aschur:Anna Maria van Schurman:metheese
mastel:Mary Astell:eehohdea
wblade:Wilhelmina Bladergroen:eezuveek
mmonte:Maria Montessori:jiesooli
hparkh:Helen Parkhurst:ahgiesah
odecro:Ovide Decroly:ohngiegu
lvygot:Lev Vygotsky:hoofahni
ppeter:Peter Petersen:eeteeyoo
cfrein:Celestin Freinet:aeghicae
bskinn:Burrhus Frederic Skinner:icheiwoi
pfreir:Paolo Freire:iewohsho
iillic:Ivan Illich:dusuvagi
This list can simplify the process of logging on and off with every
userid. Note that you do need to keep the file staff.txt in a safe
place, just like the file staff.in, because these files (and the
hardcopy, too) contain valuable passwords: restrict their permissions
so that only root can read them, and destroy the printout as soon as
it has served its purpose.
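Before staff.in is turned into a list or into letters, it pays to check it for the mistakes that silently produce a wrong letter: a line with the wrong number of fields (cut then prints the wrong columns), a userid that occurs twice, or a staff account whose SMB password is empty or still carries the special value NO PASSWORD that is meant for the nest accounts. The script below is an added example and not part of the ServerAtSchool tools. It assumes the twelve-field format shown above and the field positions described in the text (1 userid, 7 groups, 8 e-mail/teleworking password, 9 SMB password); the function name is my own. Membership of the group 'janitors' is reported for review only, because the text warns against giving everyone access to everything.

```shell
#!/bin/sh
# Added example (not a ServerAtSchool tool): sanity-check a staff.in batch
# file before it is turned into password lists or letters. Assumes the
# twelve-field, colon-separated format shown above, with field 1 = userid,
# field 7 = comma-separated groups, field 8 = e-mail/teleworking password
# and field 9 = SMB password, and the literal "NO PASSWORD" value the
# manual uses for nest accounts.

# check_staff_in FILE: print one line per problem; exit 1 if any problem
# was found, 0 otherwise. Membership of 'janitors' is reported but is not
# counted as a problem.
check_staff_in() {
    awk -F: '
        /^[[:space:]]*$/ || /^#/ { next }       # skip blank and comment lines
        NF != 12 {
            printf "line %d: expected 12 fields, found %d\n", NR, NF
            bad++
            next                                # other checks would misread fields
        }
        $1 in seen {
            printf "line %d: duplicate userid %s (first seen on line %d)\n", NR, $1, seen[$1]
            bad++
        }
        { seen[$1] = NR }
        $9 == "" || $9 == "NO PASSWORD" {       # network logon password
            printf "line %d: %s has no SMB password\n", NR, $1
            bad++
        }
        $8 == "" {                              # e-mail and teleworking password
            printf "line %d: %s has an empty e-mail/teleworking password\n", NR, $1
            bad++
        }
        {
            n = split($7, g, ",")
            for (i = 1; i <= n; i++)
                if (g[i] == "janitors")
                    printf "line %d: %s is a member of janitors\n", NR, $1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Usage: sh check_staff_in.sh staff.in && echo "staff.in looks sane"
if [ -n "${1:-}" ]; then
    check_staff_in "$1"
fi
```

Because the exit status is non-zero when a problem is found, the check can guard the printing step: `check_staff_in staff.in && cut -f1,4,9 -d: < staff.in > staff.txt` prints nothing until the file is clean.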
You can create a password letter for every user, again based on the
contents of the file staff.in
. The snippet below also
prints the contents of a file called
password-letter.txt
. This file could contain a short
explanation for all users about the meaning of the passwords, useful
hints on keeping the passwords and this password letter secret and
perhaps other pertinent information. This text is then merged with the
username and password information and printed on the laserprinter, one
page per user.
while read -r L; do
    cat password-letter.txt
    echo "Name: $(echo "$L" | cut -f4 -d:)"
    echo ""
    echo "Network Logon:"
    echo "UserID: $(echo "$L" | cut -f1 -d:)"
    echo "Password: $(echo "$L" | cut -f9 -d:)"
    echo ""
    echo "E-Mail:"
    echo "UserID: $(echo "$L" | cut -f1 -d:)"
    echo "Password: $(echo "$L" | cut -f8 -d:)"
    echo ""
    echo "Teleworking:"
    echo "UserID: $(echo "$L" | cut -f1 -d:)"
    echo "Password: $(echo "$L" | cut -f8 -d:)"
    echo "Hostname: $(/bin/hostname)"
    echo "RSA key fingerprint: $(ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub | cut -f2 -d ' ')"
    echo -e "\f"
done < staff.in | lpr -P laserjet
Explanation:
while read -r L; do
This reads one line of the input (staff.in, specified on the last line
of the snippet) into the variable $L. The -r switch stops read from
interpreting backslashes, so the line arrives in $L exactly as it
appears in staff.in.
cat password-letter.txt
This outputs the contents of the specified file, once for every line
$L that is read, i.e. once for every userid.
echo "Name: $(echo "$L" | cut -f4 -d:)"
This outputs the word 'Name:' followed by the contents of field number
4. The quotes around $L keep the line intact (including the spaces in
the full names) before it is handed to cut.
- The following lines use the same trick to print fields 1 (userid),
9 (SMB password), again 1 (userid) and 8 (e-mail and teleworking
password). This yields a neat list of userids and passwords.
echo "Hostname: $(/bin/hostname)"
This outputs the word 'Hostname:' followed by the fully qualified
domain name of the server. This hostname needs to be specified when
using WinSCP for teleworking (see chapter XII. Teleworking with WinSCP).
echo "RSA key fingerprint: $(ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub | cut -f2 -d ' ')"
This prints the fingerprint of the server's RSA host key. This
information is used for host verification when using WinSCP for
teleworking (see chapter XII. Teleworking with WinSCP): a user who
compares the fingerprint on this letter with the one WinSCP shows at
the first connection can tell whether she is really talking to the
school's server.
echo -e "\f"
This 'echo' spits out a formfeed character. The effect is that the
printer will eject the current page. The next line that will be output
(in the next loop, with the next line in $L) will start at the top of
the next page.
done < staff.in | lpr -P laserjet
The keyword 'done' ends the loop that started with 'while' in the first
line. This line also defines the input (staff.in) and pipes the output
through lpr(1) to the laser printer.
Below is an example of an individual password letter.
PASSWORD LETTER
This letter contains the secret passwords you need to use the
facilities of our server at school. Please keep these passwords to yourself.
Do not show this letter to anyone else.
- You need the information under 'Network Logon' when you want to logon to
the school network.
- You need the information under 'E-Mail' when you want to access your
mailbox via webmail.
- The information under 'Teleworking' is required when you want to work at
home with documents and files on the server at school. Note that it is
important that the key fingerprint matches when you logon from home for
the first time. If there is a difference, you should cancel the
logon attempt and tell Freddie Frinton about it.
Name: Helen Parkhurst
Network Logon:
UserID: hparkh
Password: ahgiesah
E-Mail:
UserID: hparkh
Password: wWITa4ye
Teleworking:
UserID: hparkh
Password: wWITa4ye
Hostname: praeceptor.exemplum.serveratschool.net
RSA key fingerprint: 24:8f:3a:85:0a:d1:25:d6:81:14:b0:22:b6:62:55:39
Note that an in-depth explanation of the power of the command line is
a little beyond the scope of this manual. If you want to learn more
about this subject, you may want to consult one of the many helpful
sites with information about this subject. See Appendix B. Bibliography for more
information.
At this point the following goals are achieved.
- The 'golden image' has been created.
- All users have their personal profile including an appropriate
policy.
- Some users may have a 'locked' profile.
- All available shortcuts are collected on the server.
- The users' Desktops and Start Menus are ready to be populated.
The next step is to manipulate the users' shortcuts. This is discussed
in the next chapter: IX. Shortcuts, desktops and start menus.
Authors: Peter Fokker <peter (at) berestijn.nl> and Dirk Schouten <schoutdi (at) knoware.nl>
$Id: profiles.html,v 1.18 2006/03/31 08:15:49 peter Exp $