Background:
I have a JScript that runs when the computer starts up (from task scheduler). The script does some magic and determines if a user should be allowed to login at all. It starts by disabling all user accounts and then if a user is to be allowed in it enables the users account by firing the 'net user' command using wshShell.Exec(). All this works well and the accounts are correctly enabled/disabled.
Problem:
However the vista graphical login screen has no idea that user accounts have been enabled/disabled and does not refresh itself to show/remove the user account pictures. Actually it does refresh itself if I wait long enough at the login screen to start the screensaver. When the mouse is then moved the visa login screen returns refreshed. However I want to be able to restart/refresh the login screen from my script. Any ideas?
What I have already tried:
I tried launching winlogon.exe from
the script, it had no effect
I tried launching logon.scr from the ecript
to trigger the screensaver manually,
it did not trigger.
If you need the script, look here: http://code.google.com/p/truecryptautomount/
Anything you do from the service's context will not affect it as the login screen is an entirely different session/desktop. This is a security feature designed to stop user programs from emulating the login screen to capture a password. CTRL+ALT+DEL will always bring you to this alternate desktop/session.
The screensaver you are starting is not the same one you see start on the login screen. With that in mind, you should be able to configure the screensaver for the system account's profile to have a very short wait time. You can probably learn what you need to know from this article:
http://blogs.technet.com/heyscriptingguy/archive/2006/03/08/how-can-i-configure-the-screensaver-used-when-no-one-is-logged-on-to-a-computer.aspx
Hope this helps,
-Oisin
Related
I am facing issue while implementing Child Sessions launcher in my app. Basically as per Microsoft document when admin user launches child session then it shouldn't ask for credentials. However it does ask credentials (shows as popup to enter the credentials). If the user cancel it then we want to capture the cancel event.
We have implemented the child launcher functionality by referring to this url -
https://learn.microsoft.com/en-us/windows/win32/termserv/child-sessions
when it calls ImsRdpClient9.connect(), then it pop-ups to enter the credentials. Now if user clicks on cancel then I want to capture the event. I tried implementing https://learn.microsoft.com/en-us/windows/win32/termserv/imstscaxevents-interface but it didn't work. Is anyone out there to show an example how to implement the IMsTscAxEvents interface and listen to the various event (e.g, OnLogonError, OnAuthenticationWarningDisplayed etc) when windows show up with the logon error (on child session launcher).
I want to do (programmatically, using WinAPI) exactly the same what Windows does when you click on 'Switch User' in the Start Menu. Namely, to show the screen where all available user accounts are listed and you can switch to another account still being logged on as the previous one. As far as I know it's called 'fast user switching'. I have no credentials, my task is to let users of my app switch to another account using their own credentials.
Also, is there a way to know, if the option is enabled in the Start menu? Because if it is not, I don't want to show the option in my app as well.
UPDATE
I have used ::ExitWindowsEx() for logging off, but there is no EWX_ flag for switching.
Regards,
It sounds like you want the WTSDisconnectSession() function:
Disconnects the logged-on user from the specified Remote Desktop
Services session without closing the session. If the user subsequently
logs on to the same Remote Desktop Session Host (RD Session Host)
server, the user is reconnected to the same session.
You use it like this:
WTSDisconnectSession(WTS_CURRENT_SERVER_HANDLE, WTS_CURRENT_SESSION, FALSE);
We are integrating our app in the new Google Marketplace.
Our marketplace config in the developer console is ok.
Our oauth2/sso flow is ok (scopes match the ones setup in the console, auth params ok)
All users, when accessing our application through the Navigation bar, don't see any consent screen. All is perfect … except the following :
when an admin user is installing our application for his domain for the first time, he is presented with the domain consent screen displaying the scopes defined in our marketplace config, which is fine, he accepts and is presented with a button "Launch app". This link hit our server and a redirection is made to google auth in order to get the email and profile of that user. The redirection happens quickly that the admin is presented with yet another consent screen displaying the exact same scopes … which is bad.
If we wait 10 - 20 seconds before clicking the 'Launch app' button and after having accepted the scopes for the domain, the redirection to google auth is done and no consent screen is presented to the admin.
Are we missing something? Some sort of pooling technique with callback? "Sleeping"?
The same happens with other apps available on Google Apps Marketplace.
I installed several apps from Marketplace (Mavenlink, Lucidchart, etc), and they showed exactly the same result. I was prompted with consent screen immediately after installing them. A bit later, and I was let in without prompting.
It seems that the information on the installed app is not immediately propagated through Google system. There is a short delay between the time the administrator installs an app to his domain, and the time that app becomes available on his domain.
Most users wouldn't mind to wait a minute after the installation. Unfortunately, a reviewer at Google is not that forgiving. If he is quick enough to start your app immediately after the installation, your app will be caught asking for consent, for which it will be rejected from Marketplace. Too bad.
I want to implement a self reset password functionality for Windows 7 users. When the Logon screen prompts the domain users should be presented with a forgot password button which will open the password reset wizard. So the problem is how to add a command button to the standard windows logon screen?
I know about GINA in Windows XP as mentioned here:
Adding command button to Windows Logon screen
But this topic is 3 years old, and with Vista / Windows 7 Microsoft came up with "Microsoft Windows Credential Provider".
Those button are called "Tiles", and they are implemented in a Credential Provider. Anything you read about a Gina will not work in Vista or later.
Those tiles a created by the LogonUI.exe process, itself launched by Winlogon.exe. LogonUI.exe runs with high priviledges. You don't want to run anything there. Besides, any wizard you run will run under the system account. Security issues aside, anything that resets the password of the current user will not work.
But let's assume that you have a solution that can reset a user's password. Like a web site (or a local application) that :
Ask for the user's name
Ask some security questions
Connects to Active Directory to reset the password
Then here is a way to implement the functionality.
Create a user, a domain user if possible. Give it a name and a password easy to remember, like "reset" and "reset". Make shure that everybody knows the password.
Change the shell of that user to Internet Explorer, that you would be running in kiosk mode, pointing to your web application.
Now when someone wants to reset their password, here is what they will do :
Use the standard Windows Credential Provider, like they do every day, but with the user "reset" and the password "reset".
Instead of the normal Windows shell, they will be presented with your password reset web application.
The user resets their password and they are instructed to log off using CTRLATLDEL
They can log in with their own username and brand new password.
This idea can be improved upon if you are ready to write some code:
Instead of Internet Explorer, write a simple web application that wraps the web browser control. if the application is closed, or any other funny business, logoff.
Hack one of the Credential Provider samples to supply the well know password reset username and password, making password reset merely a click away
Change that password reset credential provider's image to reflect the password reset functionnality.
I am writing my first FireFox extension and I have some questions. Maybe someone can help.
I have a website which requires login. The sign-in is one user per login type. So if I am logged with the username "tom" from one PC and go to other PC and try to login with the same details, it fails. When I click the log-out button from my authenticated page, the new location executes a PHP function to log-out the user (updates the "logged" status of the user in MySQL). The problem is that if a user is logged in from his work desk and surfing the page then suddenly he gets a call by a friend to quickly grab lunch in his break and has to meet him in short time, he just clicks the X (close) button from Firefox, forgetting to press the log-out button so the status of the logged is still 1. Later on, if he wants to access the page again from home, he won't be able to log in.
So, I need to grab the "close" event from firefox somehow. I am thinking about looking for the ones that contain the "website.com" domain only. Then, if a tab is closed or the main window of Firefox is closed, send an unique key, and the username to that URL that logs out the user and the problem may be solved. I don't know if this is possible. Please post any idea (followed by code if you can) for this extension to be built.
Thank you.
By design, this is wrong.
If a user's PC crashes (harddisk failure, power failure) your plugin won't be able to log out the user. And so, the user won't be able to login on any PC.
--
Let's revisit the premise,
a. why does logging in from another PC need to fail?
b. How about invalidating the login from the previous PC (log out) when the user logs in to another PC. THis is kind of like how chat applications like Yahoo! Messenger work.
From your answers, here's what i would suggest: if the user is logged in on another PC, warn and present the user with options:
cancel logging in
forcibly log out the other user and proceed to logging in
Logging the user out after a certain time of inactivity is the (application or web) server's responsibility, not (only) the client-browser's. This is called a session timeout.
You might be able to avoid the timeout by a browser implementation as you describe it, but this should not be the primary solution.
Here's an off hand approach you might take:
In your case I would include a timestamp in the table where the 'locked' state is stored. Every time a user does an action that timestamp is updated. When you try to login again ad the timestamp is older that a certain threshold (e.g. 15min) your login code should silently logout the previous user.
In order to receive a notice about the tab being closed, you'll want to do something like this sample code. However, instead of listening for load, you'll want to listen for unload.
When you do end up getting notified about unload, you'll have to do a request to the logout page just like the web application does. You can figure out what the location of the document that is unloading is by checking aEvent.originalTarget.location.href. Note that aEvent.originalTarget will give you the document object of the tab that is closing. You'll then want to use an XLMHttpRequest for this in your event handler.
You could use ajax that would ping a page on the site - all the session info will be passed and you can verify that the user still has an active browser/page open. If Firefox crashes it won't be able to ping the website anymore and the session could time-out after 15 minutes. I think that allowing a forced logout on another sign-in would be best. Usually when I leave work at the end of the day I wouldn't close all the programs or logout or anything - just lock my computer to prevent anyone from using it. Next morning I come back with all my programs still running so I can continue where I left off.
BTW, Yahoo Web messenger probably uses some form of session-based cookies. That is, cookies are stored in memory and are gone when the tab or browser are closed.
Just enable to the user to re-login from another machine. And if you get a request from the user on first machine, ask him to re-login too. So you get a single logged in user at a time.