January 2009 Reader Challenge Winner
Congratulations to Gary Autrey of North Carolina, the winner of our January 2009 Reader Challenge. He wins a copy of Windows Server 2008: The Definitive Guide from O'Reilly Media.
February 2009 Reader Challenge
Solve this month's UPDATE challenge, and you might win a prize! Email your solution (don't use an attachment) to challenge@windowsitpro.com by February 13. You MUST include your full name, street mailing address (no P.O. Boxes), and a telephone number. Without that information, we can't send you a prize if you win, so your answer is eliminated, even if it’s correct.
I choose winners at random from the pool of correct entries. I’m a sucker for humor and originality, and a cleverly written correct answer gets an extra chance. Because I receive so many entries each month, I can't reply to respondents, and I never respond to a request for an email receipt. Look for the solutions to this month's problem here after the close of the contest.
The Challenge:
A friend who is an IT consultant called me. She was at a client site setting up accounting software, and the company's IT consultant was also on-site, installing a new server. They talked about groups, permissions, and so on for the members of the accounting department. To keep all users except the payroll administrator away from payroll information, my friend had created a local instance of the Payroll module of the software on the payroll administrator's computer. She showed the payroll administrator how to log on locally instead of logging onto the domain on Wednesday mornings (she runs the payroll every Wednesday).
Domain logons automatically run a login script, and the IT consultant wanted some of the tasks in that script to run even if a user logged on to the local computer. He told my friend he'd write a script that would log the payroll administrator onto the domain to run his logon script and then switch the user to a local logon automatically. He said it was a complicated script and it would take him a few days to figure out how to do it.
She told him, "Don't bother, I'll bet I can write a batch file that will act as a logon script that will run only when a user logs on locally. He told her, "There's no way to do that".
She called me to ask if I could write a local logon script for her to install on the payroll administrator's computer. Was this a reasonable request? Is there a way to set up two logon scripts--one for a local logon and a different one for a domain logon?
Answer:
Yes, you can have separate logon scripts for local logons and domain logons. At the computer in question, log on as an administrator and open the Computer Management Administrative Tool. Expand the Local Users and Groups section and locate the appropriate user. Open Properties and go to the Profile tab. Type the path and file name of the script under Logon Script.
The default location for local logon scripts is the %SystemRoot%\System32\Repl\Import\Scripts folder. You have to share this folder with the share name netlogon. You can, however, use any folder on the computer, as long as the user has access to that folder. Microsoft recommends you share any folder that holds a logon script.
Register
There are some things to consider, such as permissions. Just any local account won't have permission to access domain resources. In most cases, "pass-through" authentication will work. That means creating a domain account that matches the credentials of the local account and assigning permissions for that user. It usually also means checking the box so that the password never expires for both the domain user and the local user - otherwise password changes would have to be synchronized.
There are security concerns as well, and whether or not to override domain or company policy is a call that would have to be made by each individual organization.
kurtl February 11, 2009 (Article Rating: