How to Temporarily Disable Interactive Logon on Windows

There isn’t an easy command to temporarily disable interactive logon on Windows machines. You can use a GPO or the local security policy (secpol.msc), but neither is easy to script when the change has to be temporary. My solution is this:

Create a local group on all machines; I call it SC_DenyInteractiveLogon.

Assign the user right “Deny log on locally” to this local group. You can do it via secpol.msc or via GPO (better if you have a lot of clients).

Now, with a script (AddUserToGroup_Local.vbs), I add the users, or better an AD group containing the users, whose logon I want to disable to the local group SC_DenyInteractiveLogon on all machines.

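' expects: target computer, local group, domain, user or group
If WScript.Arguments.Count < 4 Then
    WScript.Echo "Usage: AddUserToGroup_Local.vbs [target computer] [localgroup] [domain] [user or group]"
    WScript.Quit 1
End If

strServer = WScript.Arguments(0)
strLocalGroup = WScript.Arguments(1)
strDomain = WScript.Arguments(2)
strUser = WScript.Arguments(3)

' bind to the target machine
Set oServer = GetObject("WinNT://" & strServer)

' add the user or group to the local group (e.g. SC_DenyInteractiveLogon)
Set Group = GetObject("WinNT://" & strServer & "/" & strLocalGroup & ",group")
Group.Add "WinNT://" & strDomain & "/" & strUser
Group.SetInfo

' release objects
Set oServer = Nothing
Set Group = Nothing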

And this script removes users from the same local group (RemoveUserToGroup_Local.vbs):

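' expects: target computer, local group, domain, user or group
If WScript.Arguments.Count < 4 Then
    WScript.Echo "Usage: RemoveUserToGroup_Local.vbs [target computer] [localgroup] [domain] [user or group]"
    WScript.Quit 1
End If

strServer = WScript.Arguments(0)
strLocalGroup = WScript.Arguments(1)
strDomain = WScript.Arguments(2)
strUser = WScript.Arguments(3)

' bind to the target machine
Set oServer = GetObject("WinNT://" & strServer)

' remove the user or group from the local group (e.g. SC_DenyInteractiveLogon)
Set Group = GetObject("WinNT://" & strServer & "/" & strLocalGroup & ",group")
Group.Remove "WinNT://" & strDomain & "/" & strUser
Group.SetInfo

' release objects
Set oServer = Nothing
Set Group = Nothing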

So you can now schedule a batch that disables interactive logon (by putting the AD group “OM-MILANO\SC_DenyLogon” inside the local group “SC_DenyInteractiveLogon”):

reg add "\\CORSO01-MI\HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v LogonPrompt /t REG_SZ /d "System in Maintenance - LOGON is DISABLED" /f
cscript C:\Deploy\AddUserToGroup_Local.vbs CORSO01-MI SC_DenyInteractiveLogon OM-MILANO SC_DenyLogon

and a batch that enables logon again:

reg delete "\\CORSO01-MI\HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v LogonPrompt /f
cscript C:\Deploy\RemoveUserToGroup_Local.vbs CORSO01-MI SC_DenyInteractiveLogon OM-MILANO SC_DenyLogon

As you can see, the first line of each batch changes a registry value, setting or removing a message on the logon screen that informs users that the machine is in maintenance.

Script help:

RemoveUserToGroup_Local.vbs [target computer] [localgroup on target computer] [domain of user or group to remove from localgroup] [user or group to remove from localgroup]
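
One way to confirm the setup on a machine before relying on the scheduled batches, as an added example that is not part of the original post: it checks that the local group really holds the “Deny log on locally” right (SeDenyInteractiveLogonRight) and whether the AD group is currently a member. It assumes an elevated Windows PowerShell 5.1 session run locally on the target machine and uses the group names from this post; the function name is made up for the example.

```powershell
# Added example: run locally, elevated, on the target machine (Windows PowerShell 5.1).
# Group names are the ones used in this post; adjust them to your environment.
$LocalGroup = 'SC_DenyInteractiveLogon'
$AdGroup    = 'OM-MILANO\SC_DenyLogon'

function Get-DenyLogonLocallyEntries {
    # Export only the user-rights section of the effective local security policy.
    $cfg = Join-Path $env:TEMP ("rights_{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg |
            Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
        if (-not $line) { return @() }   # right is assigned to nobody
        # Entries are comma separated; SIDs carry a leading '*', plain names do not.
        ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
    finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Fails with a clear error if the local group was never created on this machine.
$group   = Get-LocalGroup -Name $LocalGroup -ErrorAction Stop
$entries = Get-DenyLogonLocallyEntries

# The right counts as assigned if the policy lists the group by SID or by name.
$rightAssigned = ($entries -contains $group.SID.Value) -or
                 ($entries -contains $LocalGroup)

# Current members of the local group, in DOMAIN\name form.
$members  = Get-LocalGroupMember -Group $LocalGroup |
    Select-Object -ExpandProperty Name
$isMember = $members -contains $AdGroup

[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    RightAssignedToGroup = $rightAssigned
    AdGroupIsMember      = $isMember
    LogonBlocked         = $rightAssigned -and $isMember
}
```

If RightAssignedToGroup is False, adding members to the group blocks nothing, so fix the policy assignment first. The right is checked when a logon is attempted, so sessions that are already logged on are not ended by the change.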
