Changing Shells Based on Membership/Non-membership in a Single Group

Novell Cool Solutions: Trench
By Karl Allen Swelling

Posted: 13 Dec 2000
 

First, thanks to all the folks who enjoyed my recent article about distributing Internet Explorer 5.x. If you liked that one, you are going to love this one.

Heavily using Microsoft Windows policies can be just plain messy. Using Novell Workstation Manager helps a lot, but I am still partial to using NAL as the shell to "lock down" Win95 users. The problem is that the shell is really a workstation setting and not a user setting. ZENworks 2 (NAL 3) permits you to make this a user setting, allowing locked down and non-locked down users to share the same PCs.

The following are the goals of this project:

  1. Allow changing of the shell based on group membership/non-membership
  2. Do not use NAL as the shell on laptop PCs
  3. Only let the SETUP user use F5/F8 when booting Win95


Excluding Laptops

First we need to exclude laptops. There are several ways to do this, but my favorite way is by the standard naming of the PCs. I have all laptops named LAP##### and all workstations named CPU#####. So I Force Run an application object at the container that runs a WinBatch script that, among other things, sets HKLM\SOFTWARE\Swelling[WSType] to be either CPU or LAP based on the computer name. (Also notice that I try to correctly identify a laptop even if it is incorrectly named.) The following is the relevant section of that WinBatch script:

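; Record the workstation type from the first three characters of the computer name
ComputerName = ItemExtract(1,WinSysInfo(),@TAB)
RegSetValue(@REGMACHINE, "SOFTWARE\Swelling[WSType]",StrSub(ComputerName,1,3))
; A PCMCIA enumerator key marks the PC as a laptop even if it is incorrectly named
if RegExistKey(@REGMACHINE, "Enum\PCMCIA") then RegSetValue(@REGMACHINE, "SOFTWARE\Swelling[WSType]","LAP")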

Setting up Group

Now we need to set up a single group that allows the changing of the shell. You can either set up a group that locks down all its members and unlocks all its non-members, or you can set up a group that excludes its members from being locked down, with everyone else forced to use NAL as their shell. (You do not need both groups.) I will start with the latter.

Option 1: WSEXCLUDE

Create a group named WSEXCLUDE and add the following to the container login script:

*** ZENWORKS 2 WIN95 WSEXCLUDE STANDARDIZATION WO WINBATCH ***
DOS SET LOGINNAME="%LOGIN_NAME"
REGREAD "HKLM,SOFTWARE\Swelling,WSType"
DOS SET WSTYPE="%99"
IF OS="WIN95" THEN BEGIN
 IF "%WSTYPE"<>"LAP" THEN BEGIN
   IF MEMBER OF "WSEXCLUDE" THEN BEGIN
     DOS SET WSEXCLUDE="YES"
     WRITE "THIS IS AN EXCLUDED DESKTOP PC"
   ELSE
     DOS SET WSEXCLUDE="NO"
     WRITE "THIS IS A STANDARDIZED DESKTOP PC"
   END
 ELSE
   DOS SET WSEXCLUDE="YES"
   WRITE "THIS IS A LAPTOP PC"
 END
END

Option 2: WSINCLUDE

If you instead prefer to have everyone unlocked except for those in a group, create a WSINCLUDE group and add the following to the container login script:

*** ZENWORKS 2 WIN95 WSINCLUDE STANDARDIZATION WO WINBATCH ***
DOS SET LOGINNAME="%LOGIN_NAME"
REGREAD "HKLM,SOFTWARE\Swelling,WSType"
DOS SET WSTYPE="%99"
IF OS="WIN95" THEN BEGIN
 IF "%WSTYPE"<>"LAP" THEN BEGIN
   IF MEMBER OF "WSINCLUDE" THEN BEGIN
     DOS SET WSEXCLUDE="NO"
     WRITE "THIS IS A STANDARDIZED DESKTOP PC"
   ELSE
     DOS SET WSEXCLUDE="YES"
     WRITE "THIS IS AN EXCLUDED DESKTOP PC"
   END
 ELSE
   DOS SET WSEXCLUDE="YES"
   WRITE "THIS IS A LAPTOP PC"
 END
END

Notice that these login script sections read the HKLM\SOFTWARE\Swelling[WSType] value and set the WSEXCLUDE environment variable to either YES or NO. (Novell TID 10022325 explains the use of REGREAD.) Now we can create the application objects to change the shell.

Creating App Objects

ZENNALWIN32SHELL-CFG2

The first object is ZENNALWIN32SHELL-CFG2, associated to the container as Force Run. Its system requirements are that the PC is not a laptop (HKLM\SOFTWARE\Swelling[WSType] <> LAP), it is running Win95, and the WSEXCLUDE variable is set to NO. The relevant parts of this application object are below, with the entire object available at the end of this article.

AXT_FILE 3.0

[Application Name]
Value=ZENNALWIN32SHELL-CFG2

[Macro]
Name=SOURCE_PATH
Value=Z:\PUBLIC

[Macro]
Name=TARGET_PATH
Value=C:\NOVELL\CLIENT32

[Macro]
Name=TARGET2_PATH
Value=C:\NOVELL\SWELLING

[Registry Value Create]
Type=String
Flag=Create New
Key=HKEY_LOCAL_MACHINE\SOFTWARE\Swelling
Name=WSBootKeys
Value=Yes

[INI Identifier Create]
Flag=Write Always
File=%*WINDIR%\system.ini
Section=Boot
Identifier=Shell
Value=c:\novell\client32\nalwin32.exe

[Directory Create]
Directory=%TARGET2_PATH%

[File Copy]
Flag=Update Create
Source=%SOURCE_PATH%\NALFILES\ZEN\WINBATCH\SHELLE.EXE
Target=%TARGET2_PATH%\SHELLE.EXE

[File Copy]
Flag=Update Create
Source=%SOURCE_PATH%\NALFILES\ZEN\WINBATCH\SHELLN.EXE
Target=%TARGET2_PATH%\SHELLN.EXE

[File Copy]
Flag=Update Create
Source=%SOURCE_PATH%\NALFILES\ZEN\WINBATCH\WBDBT32I.DLL
Target=%TARGET2_PATH%\WBDBT32I.DLL

[File Copy]
Flag=Update Create
Source=%SOURCE_PATH%\nalwin32.exe
Target=%TARGET_PATH%\nalwin32.exe

[File Copy]
Flag=Update Create
Source=%SOURCE_PATH%\nls\english\nal.cnt
Target=%TARGET_PATH%\nls\english\nal.cnt

[File Copy]
Flag=Update Create
Source=%SOURCE_PATH%\nls\english\nal.hlp
Target=%TARGET_PATH%\nls\english\nal.hlp

[File Copy]
Flag=Update Create
Source=%SOURCE_PATH%\nls\english\nalbmp32.dll
Target=%TARGET_PATH%\nls\english\nalbmp32.dll

[File Copy]
Flag=Update Create
Source=%SOURCE_PATH%\nls\english\nalres32.dll
Target=%TARGET_PATH%\nls\english\nalres32.dll

[File Copy]
Flag=Update Create
Source=%SOURCE_PATH%\nwapp32.dll
Target=%TARGET_PATH%\nwapp32.dll

[Filter Environment Value]
Name=WSEXCLUDE
Value=No
Flag=Equals

[Filter OS Version]
Type=Windows 95
Major Version=-1
Minor Version=-1
Revision Version=-1

[Filter Registry Data]
Type=Binary
Key=HKEY_LOCAL_MACHINE\SOFTWARE\Swelling
Value=WSType
Length=3
Data=4C 41 50
Flag=Not Equal

[Application Flags]
Flag=Install Only
Flag=Never Prompt Reboot
Flag=Always Distribute Application
Flag=No Distribution Window
Flag=Force Run Wait

[Application Association Flags]
Flag=Force Run

[Application Icon Order]
Value=3

[Application Platform]
Flag=Windows 95

ZENEXPLORERSHELL-CFG2

The second object is ZENEXPLORERSHELL-CFG2, again associated to the container as Force Run. Its system requirements are that the PC is running Win95 and the WSEXCLUDE variable is set to YES. Again, the relevant parts of this application object are below, with the entire object available at the end of this article.

AXT_FILE 3.0

[Application Name]
Value=ZENEXPLORERSHELL-CFG2

[Macro]
Name=SOURCE_PATH
Value=Z:\PUBLIC

[Macro]
Name=TARGET_PATH
Value=C:\NOVELL\CLIENT32

[Macro]
Name=TARGET2_PATH
Value=C:\NOVELL\SWELLING

[INI Identifier Create]
Flag=Write Always
File=%*WINDIR%\system.ini
Section=Boot
Identifier=Shell
Value=explorer.exe

[File Copy]
Flag=Update Create
Source=%SOURCE_PATH%\NALFILES\ZEN\WINBATCH\SHELLE.EXE
Target=%TARGET2_PATH%\SHELLE.EXE

[File Copy]
Flag=Update Create
Source=%SOURCE_PATH%\NALFILES\ZEN\WINBATCH\SHELLN.EXE
Target=%TARGET2_PATH%\SHELLN.EXE

[File Copy]
Flag=Update Create
Source=%SOURCE_PATH%\NALFILES\ZEN\WINBATCH\WBDBT32I.DLL
Target=%TARGET2_PATH%\WBDBT32I.DLL

[File Copy]
Flag=Update Create
Source=%SOURCE_PATH%\nalwin32.exe
Target=%TARGET_PATH%\nalwin32.exe

[File Copy]
Flag=Update Create
Source=%SOURCE_PATH%\nls\english\nal.cnt
Target=%TARGET_PATH%\nls\english\nal.cnt

[File Copy]
Flag=Update Create
Source=%SOURCE_PATH%\nls\english\nal.hlp
Target=%TARGET_PATH%\nls\english\nal.hlp

[File Copy]
Flag=Update Create
Source=%SOURCE_PATH%\nls\english\nalbmp32.dll
Target=%TARGET_PATH%\nls\english\nalbmp32.dll

[File Copy]
Flag=Update Create
Source=%SOURCE_PATH%\nls\english\nalres32.dll
Target=%TARGET_PATH%\nls\english\nalres32.dll

[File Copy]
Flag=Update Create
Source=%SOURCE_PATH%\nwapp32.dll
Target=%TARGET_PATH%\nwapp32.dll

[Directory Create]
Flag=Always Distribute Setting
Directory=%TARGET2_PATH%

[Filter Environment Value]
Name=WSEXCLUDE
Value=Yes
Flag=Equals

[Filter OS Version]
Type=Windows 95
Major Version=-1
Minor Version=-1
Revision Version=-1

[Application Flags]
Flag=Install Only
Flag=Never Prompt Reboot
Flag=Always Distribute Application
Flag=No Distribution Window
Flag=Force Run Wait

[Application Platform]
Flag=Windows 95

[Application Association Flags]
Flag=Force Run

[Application Icon Order]
Value=3

Note that both of the above objects copy down the NAL executables to the local hard drive, as directed by Novell TID 10016434. I am also copying a few WinBatch files, which are not absolutely necessary, and I will explain their use later.

Controlling Use of F5/F8

But now let's briefly look at the issue with F5 and F8 while booting Win95. Below are the application objects, both of which are Force Run at the container:

ZENBOOTKEYSNO-CFG

AXT_FILE 3.0

[Application Name]
Value=ZENBOOTKEYSNO-CFG

[Registry Value Create]
Type=String
Flag=Write Always
Key=HKEY_LOCAL_MACHINE\SOFTWARE\Swelling
Name=WSBootKeys
Value=No

[INI Identifier Create]
Flag=Create New
File=c:\msdos.sys
Section=Options
Identifier=BootKeys
Value=0

[Filter Environment Value]
Name=LOGINNAME
Value=SETUP
Flag=Not Equal

[Filter OS Version]
Type=Windows 95
Major Version=-1
Minor Version=-1
Revision Version=-1

[Filter Registry Data]
Type=Binary
Key=HKEY_LOCAL_MACHINE\SOFTWARE\Swelling
Value=WSType
Length=3
Data=4C 41 50
Flag=Not Equal

[Filter Registry Data]
Type=Binary
Key=HKEY_LOCAL_MACHINE\SOFTWARE\Swelling
Value=WSBootKeys
Length=2
Data=4E 6F
Flag=Not Equal

[Application Shutdown Script]
File=POST.TXT

[Application Startup Script]
File=PRE.TXT

[Application Flags]
Flag=Install Only
Flag=Never Prompt Reboot
Flag=Always Distribute Application
Flag=No Distribution Window
Flag=Launch Hidden
Flag=Force Run Wait

[Application Icon Order]
Value=5

[Application Association Flags]
Flag=Force Run

[Application Platform]
Flag=Windows 95

ZENBOOTKEYSYES-CFG

AXT_FILE 3.0

[Application Name]
Value=ZENBOOTKEYSYES-CFG

[Registry Value Create]
Type=String
Flag=Write Always
Key=HKEY_LOCAL_MACHINE\SOFTWARE\Swelling
Name=WSBootKeys
Value=Yes

[INI Identifier Delete]
File=c:\msdos.sys
Section=Options
Identifier=BootKeys
Value=0

[Filter Environment Value]
Name=LOGINNAME
Value=SETUP
Flag=Equals

[Filter OS Version]
Type=Windows 95
Major Version=-1
Minor Version=-1
Revision Version=-1

[Application Shutdown Script]
File=POST.TXT

[Application Startup Script]
File=PRE.TXT

[Application Flags]
Flag=Install Only
Flag=Never Prompt Reboot
Flag=Always Distribute Application
Flag=No Distribution Window
Flag=Launch Hidden
Flag=Force Run Wait

[Application Platform]
Flag=Windows 95

[Application Icon Order]
Value=5

[Application Association Flags]
Flag=Force Run

  • PRE.TXT contains:
    #command.com /c attrib c:\msdos.sys -h -r -s
  • POST.TXT contains:
    #command.com /c attrib c:\msdos.sys +h +r +s

Basically, after user SETUP logs in, he can reboot and use F5 and F8; otherwise F5 and F8 are disabled during the boot process. Now back to changing the shell.

Making Shell Change Effective

The only issue left is that the shell change is only effective after the next reboot, which is not forced. This was not acceptable to me, so I had to write two very small WinBatch scripts, shown below:

SHELLN.WBT (compiled as SHELLN.EXE)
IniWritePvt("boot", "shell", "C:\NOVELL\CLIENT32\NALWIN32.EXE", "C:\WINDOWS\SYSTEM.INI")

SHELLE.WBT (compiled as SHELLE.EXE)
IniWritePvt("boot", "shell", "Explorer.exe", "C:\WINDOWS\SYSTEM.INI")

Note that these are the WinBatch files I am copying via the ZENNALWIN32SHELL-CFG2 and ZENEXPLORERSHELL-CFG2 application objects.

To run these files, we need to change the container login script sections we added earlier, as follows:

*** ZENWORKS 2 WIN95 WSEXCLUDE STANDARDIZATION ***
DOS SET LOGINNAME="%LOGIN_NAME"
REGREAD "HKLM,SOFTWARE\Swelling,WSType"
DOS SET WSTYPE="%99"
IF OS="WIN95" THEN BEGIN
 IF "%WSTYPE"<>"LAP" THEN BEGIN
   IF MEMBER OF "WSEXCLUDE" THEN BEGIN
     DOS SET WSEXCLUDE="YES"
     WRITE "THIS IS AN EXCLUDED DESKTOP PC"
     #C:\NOVELL\SWELLING\SHELLE.EXE
   ELSE
     DOS SET WSEXCLUDE="NO"
     WRITE "THIS IS A STANDARDIZED DESKTOP PC"
     #C:\NOVELL\SWELLING\SHELLN.EXE
   END
 ELSE
   DOS SET WSEXCLUDE="YES"
   WRITE "THIS IS A LAPTOP PC"
   #C:\NOVELL\SWELLING\SHELLE.EXE
 END
END

*** ZENWORKS 2 WIN95 WSINCLUDE STANDARDIZATION ***
DOS SET LOGINNAME="%LOGIN_NAME"
REGREAD "HKLM,SOFTWARE\Swelling,WSType"
DOS SET WSTYPE="%99"
IF OS="WIN95" THEN BEGIN
 IF "%WSTYPE"<>"LAP" THEN BEGIN
   IF MEMBER OF "WSINCLUDE" THEN BEGIN
     DOS SET WSEXCLUDE="NO"
     WRITE "THIS IS A STANDARDIZED DESKTOP PC"
     #C:\NOVELL\SWELLING\SHELLN.EXE
   ELSE
     DOS SET WSEXCLUDE="YES"
     WRITE "THIS IS AN EXCLUDED DESKTOP PC"
     #C:\NOVELL\SWELLING\SHELLE.EXE
   END
 ELSE
   DOS SET WSEXCLUDE="YES"
   WRITE "THIS IS A LAPTOP PC"
   #C:\NOVELL\SWELLING\SHELLE.EXE
 END
END

Note that SHELLE.EXE and SHELLN.EXE are run from the local hard drive, so they will not run unless ZENNALWIN32SHELL-CFG2 and ZENEXPLORERSHELL-CFG2 have been processed once, which also ensures that the NAL executables have been copied to the workstation.

Now your administrators have complete control over which shell is run by your users.
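
The following Python check, added here and not part of the original article, reads the text of SYSTEM.INI and MSDOS.SYS and reports where a PC has drifted from the Option 1 (WSEXCLUDE) policy described above. The function names and the sample file contents are constructed for illustration.

```python
# Added example (not from the article): audit a Win95 PC against the Option 1
# (WSEXCLUDE) policy. Function names and sample file contents are constructed.
NAL_SHELL = r"c:\novell\client32\nalwin32.exe"

def ini_get(text, section, key):
    """Case-insensitive lookup of key in [section]; None if absent."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section.lower() and "=" in line:
            name, value = line.split("=", 1)
            if name.strip().lower() == key.lower():
                return value.strip()
    return None

def expected(computer_name, has_pcmcia_key, in_wsexclude, login_name):
    """Return (shell, bootkeys) the policy should leave behind after this login."""
    # WSType: first three characters of the name; Enum\PCMCIA forces LAP.
    laptop = has_pcmcia_key or computer_name[:3] == "LAP"
    shell = "explorer.exe" if (laptop or in_wsexclude) else NAL_SHELL
    if login_name.upper() == "SETUP":
        bootkeys = "absent"   # ZENBOOTKEYSYES-CFG deletes BootKeys
    elif laptop:
        bootkeys = None       # ZENBOOTKEYSNO-CFG filters out laptops: not enforced
    else:
        bootkeys = "0"        # ZENBOOTKEYSNO-CFG writes BootKeys=0
    return shell, bootkeys

def audit(system_ini, msdos_sys, computer_name, has_pcmcia_key, in_wsexclude, login_name):
    """Return a list of drift findings; an empty list means compliant."""
    want_shell, want_keys = expected(computer_name, has_pcmcia_key, in_wsexclude, login_name)
    findings = []
    shell = ini_get(system_ini, "boot", "shell") or ""
    if shell.lower() != want_shell.lower():
        findings.append(f"shell is {shell!r}, expected {want_shell!r}")
    keys = ini_get(msdos_sys, "Options", "BootKeys")
    if want_keys == "0" and keys != "0":
        findings.append("BootKeys=0 missing from MSDOS.SYS: F5/F8 work at boot")
    if want_keys == "absent" and keys is not None:
        findings.append("BootKeys still present after SETUP login")
    return findings

# Constructed sample: a desktop still running Explorer with boot keys enabled.
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\ndevice=*vshare\n"
SAMPLE_MSDOS_SYS = "[Paths]\nWinDir=C:\\WINDOWS\n[Options]\nBootGUI=1\n"
```

Calling audit(SAMPLE_SYSTEM_INI, SAMPLE_MSDOS_SYS, "CPU00012", False, False, "JSMITH") returns two findings for the constructed sample; the same files on a laptop return none, because the laptop keeps Explorer and is skipped by ZENBOOTKEYSNO-CFG.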

If you have any questions you may contact Karl at zenworks@swelling.net.
