Guy’s Scripting Ezine 121 – Registry CachedLogonsCount

Guy’s Scripting Ezine 121 – Registry CachedLogonsCount (Updated)

• This Week’s Secret
• This Week’s Mission
• Example 1 – To read the value of CachedLogonsCount from the registry
• Example 2 – Add ‘If then… End If’ logic
• Guy’s Challenges
• Vista’s Version of CachedLogonsCount
• Summary of Registry CachedLogonsCount

 ♣

This Week’s Secret

When I first saw a .reg file (many moons ago) I was incredulous that this tiny text file could alter the registry.  Even now I wonder if we really need to go to the trouble of creating a VBScript, when we can just double click the .reg file.  The answer, as so often the case, is horses for courses.  There are times when you just need a quick fix, in which case .reg will do the business, yet there are other times when you want to read the registry and take action depending on the values that you find. 

If .reg files have a weakness it is that they overwrite existing keys and values.  In this respect .reg files remind me of playing hide and seek, the part where who ever is ‘it’, says, ‘Coming ready or not’.  My conclusion is that employing VBScript to manipulate the registry is more flexible, firstly it extends the range of jobs for VBScript, secondly it gives you more control and greater scope than a rough and ready .reg file.

This Week’s Mission

This Week’s Mission is to read from the registry.  To add spice and dose of realism, the second example employs the ‘If .. then… end if’ construction to act upon the information obtained by the .RegRead method.

Example 1 – To read the value of CachedLogonsCount from the registry

Background to CachedLogonsCount

Windows machines in general and XP in particular, have the built-in ability to cache domain logons.  For a desktop machine on a company network, the ability to cache the logon credentials saves time and hassle should the domain controller be unavailable.

For a laptop away from the corporate network, physical security of the computer is now a real threat, therefore, you can add an extra layer of security by setting CachedLogonsCount to zero.  Imagine that the laptop has sensitive information, which could make a thief a fortune and cause embarrassment to the laptop owner.  All the thief has to do to logon is guess the password, perhaps the password is kindly taped under the keyboard.  However, if CachedLogonsCount is set to zero then no-one can logon unless the laptop can contact the domain controller to verify their password, hardly likely if the laptop has been stolen.

DontDisplayLastUserName

Incidentally, also investigate DontDisplayLastUserName.  Security gurus rave about the benefits of not displaying the last user who logged on.  I find this setting just antagonises desktop users for little benefit.  However for the above laptop scenario it would mean that a thief would also have to guess the username, because setting DontDisplayLastUserName = 1 means that no name is ever displayed in the logon dialog box, you always have to type the username from scratch.  Another example of the more security you have the more work there is for you and your users.

DontDisplayLastUserName – a Positive View from Jean van Laarhoven.

About a year ago we (I am a system engineer in a local government office) were faced with the need to tighten up the overall security level. One of the items we wanted to introduce was the "DontDisplayLastUserName" item. Of course there was a discussion because of the same reason you write about. In the end we decided to activate it anyway. Indeed the first two months there were some initial complains, but after a while of course everybody got used to it.

There was a positive side effect however for the service desk. This could of course be exemplary for our organisation ;-). Normally the service desk would get about fifteen calls a month concerning people not able to login to the network. Ten of these turned out to be the problem that someone else had worked on the computer and that persons login name was still on the screen. Since no one was used to enter there username anymore, they didn’t even look on the screen whether it really was there own name that was standing there, some people didn’t even know there username anymore.

Needless to say that we don’t have that problem anymore and that the service desk employee is happy about that.

I just wanted to share this little story with you.

Greetings

Jean van Laarhoven.

Also Bob Says of DontDisplayLastUserName

Another place this setting is very handy is in a computer lab as in schools, where different users are using different computers constantly. Before I set this setting, the younger students would tend to just sit down and type in their password and become frustrated when they couldn’t log in. Now they have learned that the user name is part of the login process.

Pre-Requisites for Example 1

Any Windows machine after NT 3.1 will suffice for This Week’s Mission.  If I were you, I would launch Regedit just to check the values in the Winlogon hive of the registry.  See strWinLogon in my script for the precise location.

Instructions

1. Copy and paste the script below into notepad or get a script editor such as OnScript.
2. Save the file with .vbs extension e.g. CachedLon.vbs
3. Double click your script and check the message box.

VBScript Learning Points

Note 1:  In order to manipulate the registry we need to create a shell object.  Once we have our shell object (not network object), then three methods which are pertinent to the registry, become available: .RegRead .RegWrite and .RegDelete.

Note 2:  Example 1 merely reads and then echoes the value of CachedLogonsCount.  In example 2 we will devise logic to actually writes a new value for this key.  The default value for CachedLogonsCount is usually 10, with a range of zero to 50.  Incidentally, the script refused to echo the value when I set it to 100 and rebooted the machine.  However, it did echo the value when I set the value to 100 and DID NOT reboot the machine.

See Windows 8 Registry Examples.

Recommended: Solarwinds’ Permissions Analyzer – Free Active Directory Tool

I like thePermissions Analyzer because it enables me to see WHO has permissions to do WHAT at a glance.  When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, and takes into account network share access, then displays the results in a nifty desktop dashboard!

Think of all the frustration that this free SolarWinds utility saves when you are troubleshooting authorization problems for user’s access to a resource.  Give this permissions monitor a try – it’s free!

Download SolarWinds’ Free Permissions Analyser – Active Directory Tool

Example 2 – Add ‘If then… End If’ logic

In this example we fulfil our mission of setting CachedLogonsCount to zero.  This will make the machine more secure as no-one can logon unless the machine can contact a domain controller.  The normal ability to cache logon passwords will be disabled thanks to this script.

Learning Points

Note 1:  If (test) then…(do).. End If, is one of my favourite constructions.  It’s my guess that this and similar logical constructions are underused in VBScripts.  Put it another way, by adding this simple branching logic you can improve your scripts.  Moreover, such constructions are often the starting point to writing error correcting code.

Note 2:  I expect that you have noticed in addition to .RegRead, we now call for the .RegWrite method which actually changes the registry.

Guy Recommends: Tools4ever’s UMRA

Tired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes.

It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information onUMRA.

Guy’s Challenges

Challenge 1: To achieve the same result, we could have created a .reg file in notepad. Example of a .reg file that you could create in notepad.  Note the speech marks around the "0"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"cachedlogonscount"="0"

Challenge 2:  You could create a VBScript to control DontDisplayLastUserName.  This is string value (Reg_SZ) that you could add to the Winlogon section of the registry.  If you accept this challenge, make sure you check the logic of setting a value of 1, compared with setting it to zero.

Challenge 3:  A very difficult project.  You could add a combination of ‘Select Case’ logic and WMI values, which set the value of DontDisplayLastUserName dependent on the type of machine e.g. Laptops =1 desktops = 0.  For this project you need to research the WMI attribute, Win32_SystemEnclosure see more in Ezine 94 Select Case.

Summary of Reading from the Registry

If you wish to make changes to the registry, you could use a .Reg file, or you could create a VBScript and employ .RegWrite and .RegRead.  The biggest advantage of the script is that you add logic to achieve specific goals.

See more about registry scripts

• Registry  • Win Registry Hacks  •PowerShell Registry  • Ezine 8 Registry  • Ezines  •Tool Kit

• Ezine 62 Registry  •Ezine 63 Registry  • Ezine 64 Write Registry  • Ezine 119 Registry shortcuts 

• Ezine 121 CachedLogons  • Ezine 136 remove shortcut  •Ezine 137 Remove shortcut