Scripts Thread: Startup script that disables local account while on school network (in Coding and Web Development)
  1. #1
    TriggerHappyUK

    Startup script that disables local account while on school network

    Hi all,

    [Background Story]

    We run a laptop scheme for our students and are currently in our fourth year. The laptops run XP (2 years' worth), Vista (1 year) and Win 7 (1 year). Each student with a laptop has a domain account (to use while in school) and a local account on the laptop (to use while at home). We locally manage our domain and AD. Our servers are running Server 2008.

    [Problem]

    Over the years we have repeatedly told the students to log on to the school domain while in school and NOT their local accounts. They say that the reason that they are on their local account is that they can't get to the homework they have done. But we have put a link to their local documents in the start menu when they are logged onto the domain.

    [Solution]

    I'm looking for a way to disable all local accounts (apart from the administrator account) when they turn on their laptops in school, thus forcing them to log on to the domain. Then, when they turn off their laptops at the end of the day, another script will enable the accounts.

    [Thanks]

    I hope that someone could help me with this and appreciate anyone that has read through to this point.

    Cheers,

    Chris.

  2. #2
    p858snake
    Why do you have separate accounts? Could you just not cache the domain account on there and then assign something like power user or local admin via restricted groups in gp, instead of dealing with separate accounts?

  3. #3
    soveryapt
    What p858snake said ..

    They used to have separate accounts for staff laptops here before I started, but now they all use one account with the relevant things applied to them (to be honest, I keep the machines locked down somewhat anyway as they are a school machine and they shouldn't be installing little Jonny's latest game for them to play).

    Also, a script wouldn't work for the tech-savvy kids, as if they simply booted the machine with the WiFi turned off / Eth not plugged in, they would be able to get their local accounts whilst in school by plugging in / turning on after they've booted up their machines. Whereas a single sign-on gets round this as whichever way they work, if they want internet / file access in school they need to have the net on, so the machine will automagically connect to the network with no issues ..

  4. Thanks to soveryapt from:

    TriggerHappyUK (28th January 2011)

  5. #4
    TriggerHappyUK
    Quote Originally Posted by p858snake View Post
    Why do you have separate accounts?
    The laptops belong to the students (they are bought through a kind of hp scheme from the school), but they are still theoretically 'owned' by the school until the parents have finished paying for them. Thanks to the original plan from the SLT, there is such a grey area concerning what the students and us can and can't do with the laptops. If I had my way, I would scrap the scheme completely and go back to desktops and department laptops!!

  6. #5
    soveryapt
    Quote Originally Posted by TriggerHappyUK View Post
    The laptops belong to the students (they are bought through a kind of hp scheme from the school), but they are still theoretically 'owned' by the school until the parents have finished paying for them. Thanks to the original plan from the SLT, there is such a grey area concerning what the students and us can and can't do with the laptops. If I had my way, I would scrap the scheme completely and go back to desktops and department laptops!!
    Yuk .. feel for you there then as it's such a nightmare .. I guess the only thing you could do then would be to limit the use of school facilities to authenticated users only, which means if they log on with their AD credentials they'll get internet, files, printing, etc, etc, however, if they use their local account they get nothing, no internet, no files, no printing, just whatever they have access to locally ..

  7. Thanks to soveryapt from:

    TriggerHappyUK (28th January 2011)

  8. #6

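    Code:
    ' Run from the local machine at startup with administrative rights.
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objNetwork = CreateObject("WScript.Network")
    strComputer = objNetwork.ComputerName
    
    ' Bind to the local account database and enumerate user objects only.
    Set colAccounts = GetObject("WinNT://" & strComputer)
    colAccounts.Filter = Array("user")
    
    ' A file that is only reachable on the school network acts as the "in school" test.
    serverFile = "\\server\share\file.name"
    
    If objFSO.FileExists(serverFile) Then
    	' In school: disable every local account except Administrator.
    	For Each objUser In colAccounts
    		If objUser.Name <> "Administrator" Then
    			objUser.AccountDisabled = True
    			objUser.SetInfo()
    		End If
    	Next
    Else
    	' Off the school network: re-enable local accounts, but skip the
    	' built-in Guest account so it is not switched on as a side effect.
    	For Each objUser In colAccounts
    		If objUser.Name <> "Guest" Then
    			objUser.AccountDisabled = False
    			objUser.SetInfo()
    		End If
    	Next
    End If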
    Assuming the script can be stored on, and run from, the local machine (so that it works when they aren't connected to the network) then this would do it. However, as pointed out, if they simply disconnect their cable or switch off the wireless, then it wouldn't work. The above solution might be better, although I've never had to set that kind of thing up so I wouldn't know how easy or hard it might be.

    Script made up from examples here:

    http://www.activexperts.com/activmon...ps/localusers/

  9. Thanks to JHeaton from:

    TriggerHappyUK (28th January 2011)
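
A variation on the script in post #6, added here as an example and not code from any poster in this thread: it excludes the built-in Administrator and Guest accounts by the last part of their SID instead of by name (so renamed accounts are still recognised), and it re-enables only the accounts it disabled itself. The state-file path is a hypothetical placeholder that must sit in an existing directory only administrators can write to; the marker path is the same placeholder used in the post.

```vbscript
Option Explicit
' Added example. Assumes it runs at startup with administrative rights.
Const MARKER = "\\server\share\file.name"                       ' placeholder from the post
Const STATE_FILE = "C:\path\to\admin-only\disabled-by-script.txt" ' hypothetical path
Const QUERY = "SELECT * FROM Win32_UserAccount WHERE LocalAccount = True"

Dim fso, wmi, acct, state, line, mine
Set fso = CreateObject("Scripting.FileSystemObject")
Set wmi = GetObject("winmgmts:\\.\root\cimv2")

' Built-in accounts are identified by the final SID component (RID):
' 500 = Administrator, 501 = Guest, whatever they have been renamed to.
Function IsBuiltIn(sid)
    Dim rid : rid = Mid(sid, InStrRev(sid, "-") + 1)
    IsBuiltIn = (rid = "500" Or rid = "501")
End Function

If fso.FileExists(MARKER) Then
    ' On the school network: disable enabled local accounts, recording each SID.
    Set state = fso.OpenTextFile(STATE_FILE, 8, True)   ' 8 = ForAppending
    For Each acct In wmi.ExecQuery(QUERY)
        If Not IsBuiltIn(acct.SID) And Not acct.Disabled Then
            acct.Disabled = True
            acct.Put_
            state.WriteLine acct.SID
        End If
    Next
    state.Close
ElseIf fso.FileExists(STATE_FILE) Then
    ' Off the school network: re-enable only what this script disabled,
    ' leaving Guest and any account an administrator disabled untouched.
    Set mine = CreateObject("Scripting.Dictionary")
    Set state = fso.OpenTextFile(STATE_FILE, 1)          ' 1 = ForReading
    Do Until state.AtEndOfStream
        line = Trim(state.ReadLine)
        If line <> "" Then mine(line) = True
    Loop
    state.Close
    For Each acct In wmi.ExecQuery(QUERY)
        If mine.Exists(acct.SID) Then
            acct.Disabled = False
            acct.Put_
        End If
    Next
    fso.DeleteFile STATE_FILE
End If
```

Like the script it is based on, this only evaluates the network at startup, so the limitation raised in post #3 (connecting after boot) still applies.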

  10. #7

    Client Side Extensions (GPOP) can add, delete and disable local accounts, but the magic is that it has item level targeting. You could have it look for a server or a certain ip range and then disable or re-enable the account depending.

    I'd make two entries:

    disable account x + ILT if iprange isn't xxx to xxx

    enable account x + ILT if iprange is xxx to xxx

  11. Thanks to chazzy2501 from:

    TriggerHappyUK (28th January 2011)


