VBS script problem

From: PNCOOL 7 Aug 2013 16:34
To: ALL1 of 23
Right, I know next to nothing about coding.  It's not something I've ever enjoyed or wanted to do, but sometimes it becomes a necessity in my job and this current problem has me stumped.

We've got a bunch of clever shit kids at the moment that have worked out how to bypass all of the group policies set for our Windows 7 desktops by removing the network cables for said machines at certain points in time.  They pull it out on a reboot so that it gets none of the machine policies and then put it back in.  They log in and then pull it out again after about 10 seconds so that they don't get all of their user policies either.  That seems to get Windows 7 giving them some kind of default profile that enables them to get to the run command, regedit and the C drive.  This gives them the power to do what they like (which is usually to uninstall the anti-virus, install a remote tool and then piss off any users on that machine afterwards).  We never had this problem with XP, so I don't know why Windows 7 makes it so easy to get full rights in.

Anyway, lots of people on forums suggest using a script to do it that runs as they log in.  It checks to see if they've got a mapped home drive (as that's one of the last things to be done in a GPO) and if it's not there, logs them off again.  I'll post the script below.  The problem I'm having is that my machines don't seem to run this script if I run it via the registry, which is what they're all suggesting.  They say to put an entry in HKLM->Software->Microsoft->Windows->CurrentVersion->Run that runs the .vbs file, but it just doesn't seem to run... as anyone.  If I run the script myself however, it runs fine.

Any ideas?  Do I have to be really specific with what I put in the registry entry?  I've tried the path it lives in, the path it lives in with either wscript and cscript at the start and also used double "\\" in the path as someone suggested that, but no luck.

Code:
'check for unplugged network cord during logon
'checks for mapped drives
'merge registry key to run
'| Windows Registry Editor Version 5.00
'| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
'| "check-home-dir"="\"C:\\WINDOWS\\vbs_logoff.vbs\""
'copy this vbs file to c:\windows directory

Option Explicit ' Added By SM

Dim strUserName
Dim WshShell, WshNetwork, ObjFSO
Dim intReturn

Set WshShell = CreateObject("WScript.Shell")
Set WshNetwork = CreateObject("WScript.Network")
Set ObjFSO = CreateObject("Scripting.FileSystemObject")

' Wait until the user is really logged in... Added by SM
' (WScript.Network.UserName stays empty until the logon has completed)
strUserName = ""
While strUserName = ""
    WScript.Sleep 100 ' 1/10 th of a second
    strUserName = WshNetwork.UserName ' Get the user name
Wend

If strUserName = "Administrator" Then
    'Ignore the admins ;-) Added By SM
Else
    'Check if the home drive is there... Added By SM
    If ObjFSO.DriveExists("Z:") Then
        'Yes it is, bail out... Added By SM
    Else
        'No it's not, has the network cable been pulled... Added By SM
        ' Popup returns 1 when OK is clicked and -1 when it times out after 8 seconds;
        ' either way the user is logged off
        intReturn = WshShell.Popup("Please ensure the network cable is plugged in or the wireless button is on.", 8, "Login Error", 0)

        If intReturn = 1 Then ' Trap the button click... Added By SM
            'Wscript.Echo "You clicked the ok button. This would log you off"
            WshShell.Run "logoff.exe"
        Else ' The popup timed out, log the user off... Added By SM
            'Wscript.Echo "The popup timed out. This would log you off after a timeout"
            WshShell.Run "logoff.exe"
        End If
    End If
End If

 

From: koswix 7 Aug 2013 19:37
To: PNCOOL 2 of 23
From: patch 7 Aug 2013 21:19
To: PNCOOL 3 of 23
Just ban the accounts of anyone who does that kind of thing. Problem solved.
From: Drew (X3N0PH0N) 7 Aug 2013 21:23
To: PNCOOL 4 of 23
Harness that creative energy and get the kids to fix it :Y
From: Matt 8 Aug 2013 12:18
To: PNCOOL 5 of 23
Isn't the more important thing trying to work out what this default profile is (is it a local machine profile?) and why it isn't locked down and password protected?

Seems like there is something much more fatally flawed if they can gain access to the local machine with Administrator privileges that easily.
From: PNCOOL 8 Aug 2013 14:09
To: Matt 6 of 23
That's just it, they're logging into a network profile and when it loads, they remove the network cable before it's got all of the GPO settings, effectively giving them lots more rights.  So it's their profile, only it hasn't fully loaded.
From: Peter (BOUGHTONP) 8 Aug 2013 18:03
To: PNCOOL 7 of 23
You're doing something wrong.

I have no idea what, but if a correctly setup modern Windows network can be circumvented by temporarily pulling a network cable it would be all over the news and everyone here would probably already know about it. (And Microsoft would be working on a real patch, not a VBS kludge.)

The process of loading a profile should add privileges, not give full admin rights then remove them.

From: PNCOOL 8 Aug 2013 18:06
To: Peter (BOUGHTONP) 8 of 23
They can't circumvent domain privileges, but they can circumvent ones locally.  They pretty much end up with local admin rights.
From: Matt 8 Aug 2013 18:20
To: PNCOOL 9 of 23
But that's kinda the point, why isn't the default profile locked down and if it isn't can you change the default profile so it is locked down or put a password on it?

Not saying you're doing it wrong, just that's what I would be looking to change rather than use a hack in the form of a VB script.
From: PNCOOL 8 Aug 2013 18:43
To: Matt 10 of 23
Do you know how you change the default profile though?
From: Matt 8 Aug 2013 18:57
To: PNCOOL 11 of 23
No, I don't. But the profile must be being loaded from somewhere, so you must be able to change it.

Link: http://www.mombu.com/microsoft/windows-group-policy/t-group-policy-being-bypassed-by-unplugging-the-network-cable-511604.html
EDITED: 8 Aug 2013 19:00 by MATT
From: Kenny J (WINGNUTKJ) 9 Aug 2013 10:57
To: Matt 12 of 23
I like that their forum filters the "cum" out of "circumvent".
From: PNCOOL 9 Aug 2013 11:06
To: Matt 13 of 23
Aha, you actually just copy another profile and make it the default.  Nice one, I'll try that.
From: PNCOOL 9 Aug 2013 11:06
To: Kenny J (WINGNUTKJ) 14 of 23
I bet no one on that forum lives in Scunthorpe then.
From: af (CAER) 13 Aug 2013 16:57
To: PNCOOL 15 of 23
I may be completely off target here, but could the problem be that you need to use an actual executable in the registry entry, and supply the script's filename as a parameter?

Like instead of just

"C:\Windows\HackyScript.vbs"

you'd have

"C:\Windows\RunVBScript.exe C:\Windows\HackyScript.vbs"
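One way to set up the Run entry the way af describes, invoking the real script host (wscript.exe) explicitly rather than relying on the .vbs file association. This is an added example, not code from the thread; the script path and the value name come from the .reg snippet in the first post, everything else (the //B //Nologo switches, the ACL check) is an assumption about how a practitioner would want to deploy it. Because the script runs in the context of whoever is logging on, it must live somewhere those users cannot edit or delete it, so the block also flags an ACL that lets Users write to the file.

```powershell
# Added example, not from the thread. Registers the logoff check in the HKLM Run
# key so that wscript.exe is named explicitly, then verifies the result.
# Assumed: the script lives at C:\Windows\vbs_logoff.vbs (as in the .reg snippet).
$scriptPath = 'C:\Windows\vbs_logoff.vbs'
$runKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName  = 'check-home-dir'
$wscript    = Join-Path $env:SystemRoot 'System32\wscript.exe'

if (-not (Test-Path -LiteralPath $scriptPath)) {
    throw "Script not found: $scriptPath"
}

# Quote both paths so the entry survives spaces in the path.
# //B runs in batch mode (no script error dialogs shown to the user), //Nologo drops the banner.
$command = "`"$wscript`" //B //Nologo `"$scriptPath`""
Set-ItemProperty -Path $runKey -Name $valueName -Value $command -Type String

# Read it back: this string is what Explorer executes at every interactive logon.
$stored = (Get-ItemProperty -Path $runKey -Name $valueName).$valueName
Write-Host "Run entry '$valueName' = $stored"

# The check runs as the logging-on user, so the file must not be writable by
# the users it polices. Flag any Allow ACE granting Users write access.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write
$acl = Get-Acl -LiteralPath $scriptPath
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and
        $ace.IdentityReference -like '*\Users' -and
        ($ace.FileSystemRights -band $writeMask)) {
        Write-Warning "$($ace.IdentityReference) can write $scriptPath; tighten the ACL or the check can simply be edited away."
    }
}
```

Run it from an elevated PowerShell prompt, since writing under HKLM requires administrative rights. C:\Windows is writable only by administrators on a default install, which is why the original instructions put the script there; the ACL check is there for the case where it is copied somewhere less restrictive.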
From: graphitone 1 Sep 2013 15:11
To: PNCOOL 16 of 23
Or Penistone...
From: Kenny J (WINGNUTKJ) 1 Sep 2013 16:21
To: graphitone 17 of 23
Bawdrip should be fine though...

http://i.imgur.com/XRbGpt2.jpg
From: graphitone 1 Sep 2013 20:15
To: Kenny J (WINGNUTKJ) 18 of 23
As if anyone knows anything about coding living in Bawdrip. All their time is taken up gossiping about their town's name. I'm sure it sounds more salacious when spoken with your subtle, yet sonorous lilt. </s's>

Quote: From the Bawdrip wikipedia page...
and most of the houses are far enough away to qualify for free bus transport

Wow, I wish I lived in a far away house so I could get a magical free bus service too.

From: Drew (X3N0PH0N) 2 Sep 2013 02:14
To: graphitone 19 of 23
Apostrophes do not make fucking plurals.
From: graphitone 2 Sep 2013 07:01
To: Drew (X3N0PH0N) 20 of 23
 :-(( I needed something in there to define what I meant. In hindsight I should've typed /Ss. However that looks like I'm trying to either refer to or close the SS down and what a nice neighbourly bunch of boys they were. Not that that's got anything to do with a farcical HTML tag. I'm sure there's (probably) a point in there somewhere, but I've been distracted by breakfast and work and any train of thought I had going has pulled out of the station leaving all the passengers behind looking confused and disgruntled.