Post #8:
### Previous Attempts to Restrict Student Logins
I once thought about restricting students from turning on their computers, but it didn't work out in the end. Who has the time to sit there doing that every day? Ugh, computer labs without internet are really a hassle.
### Password Change Plan
Our new master disk has two sets of accounts built into each system:
- Username: Administrator, Password: onlyedu, for system management
- Username: Onlyit, Password: empty, for student teaching
This password change plan involves, during break time, the teacher's computer using psexec to remotely execute password changes on all student computers and then lock the student terminals. Students need to go to the office to get the password to log in when they need to use the computer.
Here's a simple example:
**Change Student End Password.cmd**
```bat
REM %%a = student IP, %%b = new password, both read from password.txt
REM -c copies run.cmd to the student machine, -d does not wait for it to finish
for /f "tokens=1,2 delims=/ " %%a in (password.txt) do @psexec \\%%a -u administrator -p onlyedu -c -d run.cmd %%b
```
**Run.cmd**
```bat
net user onlyit "%1"
%windir%\System32\rundll32.exe user32.dll,LockWorkStation
```
**Password.txt**
```text
192.168.1.3/123456
192.168.1.8/fsdaf
```
We use the for syntax to split each line of the password file password.txt on the "/" delimiter: tokens=1 is the IP part (%a) and tokens=2 is the new-password part (%b). psexec then uploads run.cmd to the student machine and runs it there, where it executes `net user onlyit "%1"`. This %1 is the batch file's standard argument handling: %0 is the batch file itself and %1 to %9 are the arguments that follow, and here %1 receives the value passed in as %b. rundll32 is then used to lock the student machine. If they want to use the computer, they need to go to the office to get the password.
To keep file handling simple, each line of password.txt must be the IP immediately followed by "/" and then the password with no whitespace, and note that nothing may be left blank. For example, both of the following are wrong: the first has a space inside the password, the second has a blank left after the password (the second line ends with a trailing space).
```text
192.168.1.3/12 21
192.168.1.3/12 
```
**Other Notes**
1. Ensure network connectivity; disable the network card or use automatic IP configuration.
2. Remove permissions for lusrmgr.msc, nusrmgr.msc, and corresponding programs for creating new users for the onlyit user.
3. Configure a script to automatically delete any new users created by students.
This is just a simple plan implementation; more details need to be summarized during implementation.
### Scheduled Shutdown Plan
Let's talk about the feasibility of forced scheduled shutdown. I classify this document as top secret, not because it's very sophisticated, but because it's like the saying "once you reveal it, it's not valuable anymore." Because in the earlier attempt to block the Warcraft game using the firewall, some students enabled registry entries and stopped the Windows firewall, making the method ineffective. The scheduled task we're using this time is also an easily bypassed method, so we shouldn't tell anyone else how we implement it unless necessary.
Our steps are: ensure the scheduled task runs during user login, quietly synchronize the system time during class, force a shutdown from 17:15 to 18:15, and allow normal boot in other periods.
1. **Ensure Scheduled Task Service is Running**
First, we load Bschedule.cmd in the group policy user login settings to ensure the scheduled task is running.
**Bschedule.cmd**
```bat
%systemroot%\system32\sc.exe config Schedule start= AUTO
%systemroot%\system32\sc.exe start Schedule
```
2. **Common Scheduled Task Types**
- MINUTE: by the minute
- HOURLY: hourly
- DAILY: daily
- WEEKLY: weekly
- MONTHLY: monthly
- ONCE: once
- ONSTART: at startup
- ONLOGON: when a user logs on
- ONIDLE: when idle
3. **Synchronize System Time**
Autosyntime.cmd is used to create an ONIDLE-type scheduled task. If necessary, remove the permission to change the time from all student computers. Then, as long as the network is up and the teacher's computer's clock is correct, every machine will automatically stay synchronized with the teacher's computer.
```bat
SCHTASKS /delete /tn autosyntime /f
SCHTASKS /create /RU onlyit /RP "" /SC ONIDLE /I 1 /TN autosyntime /TR "c:\windows\system32\net.exe time \\teacher /set /y"
```
4. **Force Shutdown from 17:15 to 18:15**
During testing, the most ideal method was to create an ONLOGON-type scheduled task at 17:15, so that the user is logged off the moment they log in. But this method has several drawbacks:
a. It has to log in as the user (onlyit).
b. NTFS permissions can't be applied to it, so it can't be hidden from Control Panel.
c. Because it is an ONLOGON type, in a standalone environment another task repeating every minute from 18:16 today to 17:14 tomorrow would be needed to delete it, just to ensure normal logins. Abandoned.
In actual testing we originally wanted to use the logoff approach, because then in an emergency the computer would at least still be at the welcome screen and we would have other ways to cancel the scheduled task. But the shutdown, rundll32, logoff and other programs we tested can only log off properly from the current user's session, which means we would have to run the scheduled task under the currently logged-in user's account, and we can't control the accounts that students create themselves. So for now we use shutdown -s -t 900 -c "Shutdown".
**Forcelogout.cmd** The command-line parameters in XP don't meet our needs: XP's schtasks doesn't support the /ET parameter that 2003 uses to set a duration, so when the time comes it can only be done by copying. So we set up a scheduled task named forcelogout that runs shutdown every minute starting at 17:15:00 each day.
```bat
SCHTASKS /delete /tn forcelogout /f
REM /RU "" runs the task as the SYSTEM account; the one-word comment needs no inner quotes inside /TR
SCHTASKS /create /RU "" /RP onlyedu /SC MINUTE /MO 1 /TN forcelogout /TR "shutdown -s -t 900 -c Shutdown" /ST 17:15:00 /SD 2000/01/01
```
5. **Strengthen Security Settings**
a. Scheduled task service is stopped ^In this case, it can only be ensured remotely through psexec.
b. System time is incorrect (in single-machine case) ^Troublesome, probably only adjusting BIOS time settings.
c. control schedtasks, Advanced / View Log ^hidlog.cmd, deny the onlyit user access to the scheduled task log
```bat
sc stop schedule
REM use ping as a delay so the service has fully stopped
ping -n 4 127.0.0.1>nul
del %systemroot%\schedlgu.txt /q
REM the next two steps make the service regenerate schedlgu.txt
sc start schedule
sc stop schedule
REM then set permissions on schedlgu.txt to deny the current user onlyit access
cacls %systemroot%\schedlgu.txt /e /d onlyit
sc start schedule
```
d. Forbid viewing the scheduled tasks through the remote computer's share ^hideschtasks.reg
```reg
Windows Registry Editor Version 5.00
```
e. Forbid the onlyit user from running the schtasks command
```bat
cacls %systemroot%\system32\schtasks.exe /e /d onlyit
```
f. Forbid the onlyit account from viewing the scheduled task settings, which hides it in Control Panel
```bat
cacls %systemroot%\tasks\autosyntime.job /e /d onlyit
```
Let's stop here for now. Everyone still needs to think about how to handle a case like 105, which is normal on ordinary days but needs a different arrangement on Sunday from 13:00 to 21:00, and how to unlock in an emergency.
### Better Logoff Plan
The earlier forced-offline plan was hard to work with because of shutdown: its -s forced shutdown can be run under any user, but in an emergency even we administrators can't cancel it, and its -l forced logoff likewise has to run under the logged-in user's account.
This time we use the net user /times parameter to set the user's permitted logon hours:
```bat
net user onlyit "" /times:monday-friday,8AM-5PM,6PM-10PM;saturday-sunday,8AM-10PM
```
Allowed login hours:
- Sunday: 08:00 AM - 10:00 PM
- Monday: 08:00 AM - 05:00 PM, 06:00 PM - 10:00 PM
- Tuesday: 08:00 AM - 05:00 PM, 06:00 PM - 10:00 PM
- Wednesday: 08:00 AM - 05:00 PM, 06:00 PM - 10:00 PM
- Thursday: 08:00 AM - 05:00 PM, 06:00 PM - 10:00 PM
- Friday: 08:00 AM - 05:00 PM, 06:00 PM - 10:00 PM
- Saturday: 08:00 AM - 10:00 PM
In this way, we have set the specific login periods for the onlyit user each day. For example, on Monday, the user can log in from 08:00 to 17:00 during class time. Then, as long as the user doesn't log off, the student can still use the computer normally after 17:00. Then we need to run a scheduled task at 17:15.
**Lock_workstation.cmd** Lock the console; since the user isn't allowed to log on between 17:00 and 18:00, this leaves them unable to get back in.
```bat
SCHTASKS /delete /tn Lock_workstation /f
SCHTASKS /create /RU "" /RP onlyedu /SC MINUTE /MO 1 /TN Lock_workstation /TR "%windir%\System32\rundll32.exe user32.dll,LockWorkStation" /ST 17:15:00 /SD 2000/01/01
```
The advantage of this over the earlier shutdown -l plan is that in this state the student's work is preserved, but unlocking still requires psexec to remotely change the time.
### Reference Document
Skillfully Use the net user Command to Restrict User Login to the Computer
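As an added example, not part of the original post, here is a Python checker for the password.txt format the post describes. It simulates what cmd's `for /f "tokens=1,2 delims=/ "` actually hands to run.cmd and flags lines, such as the post's two incorrect entries, where the intended password would not survive the split; it also catches a '/' inside a password and an invalid IPv4 address, which the post does not discuss. The sample file is constructed.

```python
import ipaddress
import re

# Constructed password.txt in the post's IP/new-password format. The last two
# lines are the post's two "incorrect" entries: a space inside the password and
# a blank left after it.
SAMPLE = "192.168.1.3/123456\n192.168.1.8/fsdaf\n192.168.1.3/12 21\n192.168.1.3/12 \n"

def batch_tokens(line):
    """Mimic cmd's  for /f "tokens=1,2 delims=/ "  on one line: split on any
    delimiter ('/' or space), collapse runs of delimiters, skip lines that
    start with ';' (default eol), return (%%a, %%b) and drop the rest."""
    if line.startswith(";"):
        return None
    parts = [p for p in re.split(r"[/ ]+", line) if p]
    if not parts:
        return None
    return parts[0], (parts[1] if len(parts) > 1 else "")

def check_line(line):
    """Return (ip, intended_password, problems) for one line. The intended
    meaning is: text before the first '/' is the IP, everything after it is
    the password verbatim; problems says why the loop would not deliver it."""
    if "/" not in line:
        return None, None, ["no '/' separator"]
    ip, _, pw = line.partition("/")
    problems = []
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        problems.append("bad IPv4 address: %r" % ip)
    if pw == "":
        problems.append("empty password")
    elif re.search(r"[\s/]", pw):
        problems.append("whitespace or '/' in password")
    tok = batch_tokens(line)
    delivered = tok[1] if tok else ""
    if delivered != pw:
        problems.append("batch would pass %r, not %r" % (delivered, pw))
    return ip, pw, problems

def check_file(text):
    """Check every non-empty line (for /f skips empty lines too)."""
    return [(n,) + check_line(raw) for n, raw in enumerate(text.splitlines(), 1) if raw]
```

Run check_file over the real password.txt before the break-time job fires, and fix every line that reports a problem.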
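Also added here, and not from the post: a Python model of the net user /times syntax that expands the exact value the post uses into per-day allowed hours and reproduces the "Allowed login hours" listing, so a schedule can be checked before it is applied (for example, that 17:00-18:00 really is excluded on weekdays). It handles full-name and abbreviated day forms and 12- or 24-hour times, which goes beyond the post's single example; whole-hour granularity is assumed, as the post's own output shows.

```python
import re
from itertools import groupby
# Day order as net user lists it (Sunday first) plus the short forms it accepts.
DAYS = ["sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday"]
ABBREV = {"su": 0, "m": 1, "t": 2, "w": 3, "th": 4, "f": 5, "sa": 6}

def day_index(name):
    n = name.strip().lower()
    return ABBREV[n] if n in ABBREV else DAYS.index(n)  # ValueError if unknown

def parse_hour(tok):
    """'8AM' -> 8, '5PM' -> 17, '12AM' -> 0, '17:00' -> 17 (whole hours only)."""
    m = re.fullmatch(r"(\d{1,2})(?::00)?(AM|PM)?", tok.upper().replace(".", "").replace(" ", ""))
    if not m or int(m.group(1)) > (12 if m.group(2) else 24):
        raise ValueError("bad hour: %r" % tok)
    h = int(m.group(1))
    return h if not m.group(2) else h % 12 + (12 if m.group(2) == "PM" else 0)

def parse_times(spec):
    """Expand a /times value into {day_index: set of allowed hours (0-23)}."""
    allowed = {i: set() for i in range(7)}
    for block in spec.split(";"):
        # Fields containing a digit are hour ranges; the others are day ranges.
        days, hours = [], []
        for f in [f for f in block.split(",") if f.strip()]:
            (hours if re.search(r"\d", f) else days).append(f.partition("-"))
        day_set = set()
        for a, _, b in days:
            k, last = day_index(a), day_index(b or a)
            while True:  # walk forward so 'saturday-sunday' wraps past the week end
                day_set.add(k)
                if k == last:
                    break
                k = (k + 1) % 7
        for a, _, b in hours:
            start, end = parse_hour(a), parse_hour(b)
            end = 24 if end == 0 else end  # '...-12AM' runs up to midnight
            for d in day_set:
                allowed[d].update(range(start, end))
    return allowed

def hours_table(allowed):
    """Collapse hours into (day, 'HH:00-HH:00') rows like net user's own listing."""
    rows = []
    for i, name in enumerate(DAYS):
        # consecutive hours share the same (hour - position) key
        for _, grp in groupby(enumerate(sorted(allowed[i])), lambda p: p[1] - p[0]):
            hrs = [h for _, h in grp]
            rows.append((name, "%02d:00-%02d:00" % (hrs[0], hrs[-1] + 1)))
    return rows
```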