BiggAndyy

Are you administrator for a few OUs in an organization but don’t have AD Forest or Tree privileges?

Maybe you have AD privileges but only need to lock down one or two trouble machines in high traffic areas during the weekends.

My problem was this; there is a Windows box that is being accessed on the weekends and the department chairman wants to have locked down.  Ok, easy.  In Windows 98 I remember there being nice grids available to select when a machine can be accessed and when it is unavailable.

Oops, wait, too bad, 2XV7 (2000-XP-Vista-7) doesn’t do that.  But rather than go through all the profiles and Event Viewer Security logs of a high traffic public box I decided it was easier to go the route of “Voo Doo” System Administration  and just make it work (or in this case, NOT work).’

So, how do you restrict users from logging in on weekends without setting up BIOS passwords that EVERYONE needs to memorize or petitioning the bureaucracy to get an AD change made for one or two machines?

Answer: Google didn’t have it, at least not easily.  And forget asking the propeller-head tech forums!  I spent two days justifying my request by answering all manner of needless questions like “isn’t that the job of the sysadmin?”  And after navigating their gauntlet of the absurd the self dubbed “guardians of the guts” proclaimed my request beneath their lofty intellect to even address.

The desired result: No Weekend Access.

The solution: have Windows check the day and if it is a Saturday or Sunday, disallow user logins.

The how to do it: Time to break out the BATCH!  It is actually quite a simple implementation.  A small BATCH script is run at the USER login.  If the login is on a weekend day logout the user immediately.

The code to do it:

@ECHO OFF
CLS
IF “%username%”==”<username>” GOTO :BYPASS
SET DAY=%date:~0,3%
IF /I [%DAY%] == [Sat] GOTO :LOGOFF
IF /I [%DAY%] == [Sun] GOTO :LOGOFF
:END
ECHO NOT Logging off.
EXIT /b
:LOGOFF
ECHO Logons are not permitted on the weekends for this terminal.  Shutting down the system.
SHUTDOWN -s -f -t 00 -c “Weekend access attempted”
EXIT /b
:BYPASS
ECHO Resuming Logon
EXIT /b

The script is very straightforward.  The day is extracted from the DATE command and if Saturday or Sunday a shutdown command is executed and a comment made in the Security Log.  One important addition, the BYPASS.  Make sure there is a user granted an exception to this rule, otherwise if the box needs to be accessed it is easier to be able to login with your account than go through the backdoor with a SAFE MODE login to disable the script.

After you make the script (I called it WEEKEND.BAT and saved it here: C:\WINDOWS\System32\GroupPolicy\User\Scripts\Logon\weekend.bat)) then use GPEDIT.MSC and add it to the USER LOGON script.

There you have it, some Guerrilla AND Voo Doo administration all in one!  Good luck.